Security
How AgentValet protects your credentials, audit data, and the agents that act on your behalf.
This page is the canonical security reference. If your security team needs a DPA, DPIA, or SOC 2 status confirmation, email security@agentvalet.ai — see SOC 2 & compliance below.
Encryption at rest
Envelope encryption. Every stored credential is wrapped under a unique data encryption key (DEK) generated per credential. The DEK is itself wrapped under your tenant’s key encryption key (KEK), which lives in Azure Key Vault Premium and is HSM-backed. Only the wrapped values are persisted; the master key never leaves the HSM.
- Algorithm: AES-256-GCM for credential payloads. Each ciphertext carries its own random IV and an authentication tag, so tampering is detected on decrypt.
- Per-tenant isolation: each organisation has its own KEK. A compromise of one tenant’s wrapped DEK cannot decrypt any other tenant’s data.
- No plaintext anywhere we control: backups, replicas, snapshots all contain only the wrapped form.
- Operator access is metadata only. AgentValet engineers can read the existence of a credential row (who owns it, which platform, when rotated) but cannot read the cleartext.
Encryption in transit
- TLS 1.2+ on every public endpoint:
api.agentvalet.ai,app.agentvalet.ai,docs.agentvalet.ai,agentvalet.ai. - Ingress is terminated at Azure Container Apps (proxy) and Cloudflare Pages (dashboard, landing, docs). Backends only accept TLS-fronted traffic via the platform.
- Internal service-to-service calls run inside the same Azure Container Apps environment over the platform’s managed mTLS — Presidio, the PII redactor, is reachable only on the internal FQDN.
- Cleartext credentials exist briefly in memory inside the proxy when a call decrypts → forwards → re-encrypts a response. The decrypted form is never logged.
Audit immutability
The audit_log table is append-only by construction.
- Postgres Row-Level Security (RLS). Two Postgres roles touch the
table. The proxy uses a write-only role with
INSERTonaudit_logand nothing else. The dashboard uses a read-only role gated by RLS so an authenticated owner sees only their own rows. Neither role hasUPDATE,DELETE, orTRUNCATEon the table. - No edit path from the application. There is no API or dashboard surface that mutates audit rows. The only way to alter history is to drop the table — which requires DB-owner credentials no application role holds.
- Forensic fields are Enterprise-opt-in.
ip_address,user_agent,geo_country,geo_city,geo_asn,session_id, andrequest_idexist on every audit row but are leftNULLunless your org has forensic capture explicitly enabled in Settings → Privacy. Privacy-by- default; you choose when to start recording.
See Audit & revocation for the user-facing behaviour.
Circuit breaker auto-suspension
When an agent misbehaves, AgentValet stops it before damage compounds.
- Threshold: 3 consecutive failures. Signature mismatch, scope denial,
proxy error, or upstream error all increment a per-agent counter. The
fourth consecutive failure is rejected with
circuit_breaker_openand the agent is moved tosuspendedstatus server-side. - Reset on success. Any successful call resets the counter to zero. There is no time-based decay — we want the breaker to stay open until either a human resumes the agent or the agent recovers genuinely.
- Human-in-the-loop reactivation. Suspended agents do not auto-resume. You investigate (the audit log shows the three failures), fix the underlying issue, and click Reactivate in the dashboard.
See Circuit breaker and the troubleshooting guide circuit_breaker_open.
No-plaintext logging
Three layers of defence against credentials ending up in logs or error traces:
- Secrets scan at the request boundary. A regex pattern set checks
inbound
datapayloads for AWS access keys, Stripe live keys, Slack tokens, GitHub PATs, Azure PATs, and generic bearer tokens. A match returns400 secret_detectedwith the matched pattern’s type, never the value. - Decrypt-in-memory-only. Credentials are unwrapped just-in-time inside the proxy call path and discarded after the outbound HTTP request resolves. The structured logger explicitly excludes the plaintext field.
- Pino redact list. Production logs run through a Pino redactor that
masks any field named
token,password,private_key,secret,authorization, orcookieregardless of where in the object tree it appears.
Identity & access
- Owners authenticate via Clerk. Every dashboard write that touches sensitive state requires a verified Clerk session.
- Agents authenticate via RS256 JWTs signed with a per-agent private
key. Public keys are stored in the
agentstable; the proxy verifies every call against the on-file public key. Compromise of one agent’s key affects only that agent. - Service-to-service calls inside Azure use managed identity. No long-lived service credentials are stored in plain env vars.
Subprocessors
| Subprocessor | Role | Data type |
|---|---|---|
| Azure (Microsoft) | Container Apps (proxy runtime), Key Vault Premium (KEK / HSM), Azure OpenAI (docs Q&A embeddings + chat) | Wrapped credentials, KEKs, request bodies sent to docs Q&A |
| Cloudflare | Pages (dashboard, landing, docs hosting), edge caching | Cached static assets, request metadata |
| Supabase | PostgreSQL (audit log, credential metadata, RLS), Storage (MCPB bundle distribution), Edge Functions | All persisted application data |
| Clerk | Owner identity, session JWTs, MFA | Owner email, login events |
| Nango (self-hosted in our Azure tenancy) | OAuth token broker for platform connections | OAuth refresh tokens (in transit), wrapped at rest |
| Microsoft Presidio (self-hosted in our Azure tenancy) | PII detection + anonymisation on response payloads | Response bodies in transit during a single proxied call; never persisted by Presidio |
| Stripe | Subscription billing, payment processing | Billing email, payment metadata; no platform credentials |
| Resend | Transactional email (approval notifications, sign-in links) | Owner email addresses, notification subjects |
All subprocessors are bound by a written DPA. We do not share customer data with any other party.
Vulnerability disclosure
Email security@agentvalet.ai with:
- A clear description of the issue
- Steps to reproduce (or a proof-of-concept)
- Any test credentials we should rotate after the report
We respond within two business days to acknowledge receipt and within ten business days with a triage decision. Critical issues (remote credential exposure, audit-log tampering, auth bypass) are treated as page-out events.
Safe harbour. Good-faith research that respects user privacy, avoids data exfiltration, and reports privately to the address above is welcome and will not be pursued legally or reported to law enforcement.
SOC 2 & compliance
Current status: SOC 2 Type II is in progress. We are not yet certified for SOC 2 Type II or ISO 27001. We can provide our DPIA (Data Protection Impact Assessment) template and current control mapping under NDA — email legal@agentvalet.ai.
SLA. A 99.9% monthly uptime SLA with service credits is available on the Enterprise plan. Standard plans run on a best-effort basis with our public status page as the source of truth.
DPA. A signable Data Processing Agreement is available on request via legal@agentvalet.ai. All Enterprise contracts include a DPA by default.
GDPR. AgentValet is built privacy-by-default: forensic capture is opt-in, plaintext credentials are never persisted, every persisted byte is encrypted at rest with per-tenant key isolation, and the audit log gives data subjects a complete record of how an agent handled their data. EU customers can request data hosted in EU Azure regions on the Enterprise plan.
HIPAA / PCI-DSS. Not in scope today. If you need HIPAA or PCI-DSS attestation, talk to us about the Enterprise + custom deployment path — the architecture is compatible (envelope encryption + HSM + RLS + audit immutability all map onto the relevant controls), but the certifications themselves require a contract-specific scoping exercise.
Questions this page didn’t answer? Email security@agentvalet.ai or, for contractual / privacy-officer questions, legal@agentvalet.ai.