Agento runs in regulated enterprise environments. This page is the short version of how we secure the platform, where we are on compliance, and how to report a vulnerability.
OIDC-based authentication for the control plane. SSO via your IdP, MFA enforced for administrators, and SCIM provisioning available on Business and Enterprise plans.
Fine-grained RBAC and ABAC at workspace, skill, workflow, and connector level. Tenant isolation is enforced at the data, queue, and execution layers.
Every agent action is evaluated by an Open Policy Agent decision point before execution. Decisions are logged immutably.
Workflows run on Temporal. Step state is persisted, retries follow policy, and long-running steps survive infrastructure events.
Browser-based UI automation runs in isolated, ephemeral sandboxes with constrained egress, session recording, and DOM-level evidence capture.
Every execution step produces a structured artifact hashed with SHA-256 and chained for tamper evidence. WORM storage is available for regulated retention.
TLS 1.2+ in transit. AES-256 at rest. Envelope encryption via AWS KMS. Customer-managed keys are available on Enterprise.
Production runs in a private VPC with segmented subnets and no direct database exposure. Secrets are stored in a vault provider and never logged.
We operate a 24/7 on-call rotation for production incidents. Customers will be notified of confirmed security incidents affecting their data within the timeframes required by applicable law and our DPA, and in any case without undue delay.
Status: status.agento.au
Please report issues to security@agento.com.au. We commit to acknowledging reports within 2 business days, providing an initial assessment within 5 business days, and fixing or mitigating confirmed issues on a timeline proportionate to severity.
We do not currently operate a paid bug bounty programme, but we recognise good-faith research in line with standard disclosure norms.
The current sub-processor list is maintained at /trust and updated within 30 days of any material change. Customers on Business and Enterprise plans can subscribe to change notifications.
For procurement, audit, or security review: security questionnaire pack, sub-processor list, DPA template, SOC 2 report under NDA once issued, and pen test attestation under NDA. Request via security@agento.com.au.