Skip to Content
Security

Security

How AgentValet protects your credentials, audit data, and the agents that act on your behalf.

This page is the canonical security reference. If your security team needs a DPA, DPIA, or SOC 2 status confirmation, email security@agentvalet.ai — see SOC 2 & compliance below.

Encryption at rest

Envelope encryption. Every stored credential is wrapped under a unique data encryption key (DEK) generated per credential. The DEK is itself wrapped under your tenant’s key encryption key (KEK), which lives in Azure Key Vault Premium and is HSM-backed. Only the wrapped values are persisted; the master key never leaves the HSM.

  • Algorithm: AES-256-GCM for credential payloads. Each ciphertext carries its own random IV and an authentication tag, so tampering is detected on decrypt.
  • Per-tenant isolation: each organisation has its own KEK. A compromise of one tenant’s wrapped DEK cannot decrypt any other tenant’s data.
  • No plaintext anywhere we control: backups, replicas, snapshots all contain only the wrapped form.
  • Operator access is metadata only. AgentValet engineers can read the existence of a credential row (who owns it, which platform, when rotated) but cannot read the cleartext.

Encryption in transit

  • TLS 1.2+ on every public endpoint: api.agentvalet.ai, app.agentvalet.ai, docs.agentvalet.ai, agentvalet.ai.
  • Ingress is terminated at Azure Container Apps (proxy) and Cloudflare Pages (dashboard, landing, docs). Backends only accept TLS-fronted traffic via the platform.
  • Internal service-to-service calls run inside the same Azure Container Apps environment over the platform’s managed mTLS — Presidio, the PII redactor, is reachable only on the internal FQDN.
  • Cleartext credentials exist briefly in memory inside the proxy when a call decrypts → forwards → re-encrypts a response. The decrypted form is never logged.

Audit immutability

The audit_log table is append-only by construction.

  • Postgres Row-Level Security (RLS). Two Postgres roles touch the table. The proxy uses a write-only role with INSERT on audit_log and nothing else. The dashboard uses a read-only role gated by RLS so an authenticated owner sees only their own rows. Neither role has UPDATE, DELETE, or TRUNCATE on the table.
  • No edit path from the application. There is no API or dashboard surface that mutates audit rows. The only way to alter history is to drop the table — which requires DB-owner credentials no application role holds.
  • Forensic fields are Enterprise-opt-in. ip_address, user_agent, geo_country, geo_city, geo_asn, session_id, and request_id exist on every audit row but are left NULL unless your org has forensic capture explicitly enabled in Settings → Privacy. Privacy-by- default; you choose when to start recording.

See Audit & revocation for the user-facing behaviour.

Circuit breaker auto-suspension

When an agent misbehaves, AgentValet stops it before damage compounds.

  • Threshold: 3 consecutive failures. Signature mismatch, scope denial, proxy error, or upstream error all increment a per-agent counter. The fourth consecutive failure is rejected with circuit_breaker_open and the agent is moved to suspended status server-side.
  • Reset on success. Any successful call resets the counter to zero. There is no time-based decay — we want the breaker to stay open until either a human resumes the agent or the agent recovers genuinely.
  • Human-in-the-loop reactivation. Suspended agents do not auto-resume. You investigate (the audit log shows the three failures), fix the underlying issue, and click Reactivate in the dashboard.

See Circuit breaker and the troubleshooting guide circuit_breaker_open.

No-plaintext logging

Three layers of defence against credentials ending up in logs or error traces:

  1. Secrets scan at the request boundary. A regex pattern set checks inbound data payloads for AWS access keys, Stripe live keys, Slack tokens, GitHub PATs, Azure PATs, and generic bearer tokens. A match returns 400 secret_detected with the matched pattern’s type, never the value.
  2. Decrypt-in-memory-only. Credentials are unwrapped just-in-time inside the proxy call path and discarded after the outbound HTTP request resolves. The structured logger explicitly excludes the plaintext field.
  3. Pino redact list. Production logs run through a Pino redactor that masks any field named token, password, private_key, secret, authorization, or cookie regardless of where in the object tree it appears.

Identity & access

  • Owners authenticate via Clerk. Every dashboard write that touches sensitive state requires a verified Clerk session.
  • Agents authenticate via RS256 JWTs signed with a per-agent private key. Public keys are stored in the agents table; the proxy verifies every call against the on-file public key. Compromise of one agent’s key affects only that agent.
  • Service-to-service calls inside Azure use managed identity. No long-lived service credentials are stored in plain env vars.

Subprocessors

SubprocessorRoleData type
Azure (Microsoft)Container Apps (proxy runtime), Key Vault Premium (KEK / HSM), Azure OpenAI (docs Q&A embeddings + chat)Wrapped credentials, KEKs, request bodies sent to docs Q&A
CloudflarePages (dashboard, landing, docs hosting), edge cachingCached static assets, request metadata
SupabasePostgreSQL (audit log, credential metadata, RLS), Storage (MCPB bundle distribution), Edge FunctionsAll persisted application data
ClerkOwner identity, session JWTs, MFAOwner email, login events
Nango (self-hosted in our Azure tenancy)OAuth token broker for platform connectionsOAuth refresh tokens (in transit), wrapped at rest
Microsoft Presidio (self-hosted in our Azure tenancy)PII detection + anonymisation on response payloadsResponse bodies in transit during a single proxied call; never persisted by Presidio
StripeSubscription billing, payment processingBilling email, payment metadata; no platform credentials
ResendTransactional email (approval notifications, sign-in links)Owner email addresses, notification subjects

All subprocessors are bound by a written DPA. We do not share customer data with any other party.

Vulnerability disclosure

Email security@agentvalet.ai with:

  • A clear description of the issue
  • Steps to reproduce (or a proof-of-concept)
  • Any test credentials we should rotate after the report

We respond within two business days to acknowledge receipt and within ten business days with a triage decision. Critical issues (remote credential exposure, audit-log tampering, auth bypass) are treated as page-out events.

Safe harbour. Good-faith research that respects user privacy, avoids data exfiltration, and reports privately to the address above is welcome and will not be pursued legally or reported to law enforcement.

SOC 2 & compliance

Current status: SOC 2 Type II is in progress. We are not yet certified for SOC 2 Type II or ISO 27001. We can provide our DPIA (Data Protection Impact Assessment) template and current control mapping under NDA — email legal@agentvalet.ai.

SLA. A 99.9% monthly uptime SLA with service credits is available on the Enterprise plan. Standard plans run on a best-effort basis with our public status page as the source of truth.

DPA. A signable Data Processing Agreement is available on request via legal@agentvalet.ai. All Enterprise contracts include a DPA by default.

GDPR. AgentValet is built privacy-by-default: forensic capture is opt-in, plaintext credentials are never persisted, every persisted byte is encrypted at rest with per-tenant key isolation, and the audit log gives data subjects a complete record of how an agent handled their data. EU customers can request data hosted in EU Azure regions on the Enterprise plan.

HIPAA / PCI-DSS. Not in scope today. If you need HIPAA or PCI-DSS attestation, talk to us about the Enterprise + custom deployment path — the architecture is compatible (envelope encryption + HSM + RLS + audit immutability all map onto the relevant controls), but the certifications themselves require a contract-specific scoping exercise.


Questions this page didn’t answer? Email security@agentvalet.ai or, for contractual / privacy-officer questions, legal@agentvalet.ai.

Last updated on