Trust Center

The load-bearing facts a CISO checks before a meeting: how data moves through Agento, where we are on compliance, who our sub-processors are, and how to report a vulnerability. No marketing.

Data flow

How a single workflow run moves through the platform. Every step is policy-checked, evidence-captured, and reversible from the audit log.

  1. Customer system

    Procore, SharePoint, Salesforce, internal databases, etc. Agento never copies data into its own datastore beyond what's needed for the workflow run.

  2. MCP gateway (brokered credentials)

    Every connector call runs through a policy-checked, audited gateway. Credentials are held in a vault, not in agent memory, and are scoped per project.

  3. Agent + Skill (sandboxed)

    Skills run inside an isolated execution context. Inputs and outputs are constrained by a declared schema and validated against the customer's policy bundle.

  4. Temporal workflow (durable, replayable)

    Every step is persisted to the Temporal event history. A failure mid-workflow resumes from the last completed activity, not from scratch.

  5. Evidence sink (SHA-256 hashed, WORM-eligible)

    Every action produces a structured audit event with a content hash. Sinks: Datadog, CloudWatch, Splunk (beta), and generic webhook.

Compliance posture

The plain version. We will not claim a certification we do not hold.

IRAP alignment

In progress

Local Australian edge for federal and regulated workloads. Documentation available to design partners under NDA.

SOC 2 Type I

Targeted Q3 2026

Auditor selection complete. Control implementation underway across access management, change management, and incident response.

ISO 27001

Readiness work in parallel

ISMS scope drafted. Risk register and Statement of Applicability in development.

Australian Privacy Act / APPs

Compliant as a domestic provider

Notifiable Data Breaches scheme applies. Privacy Officer contact: privacy@agento.com.au.

GDPR / UK GDPR

DPA available on request

Standard Contractual Clauses in place for international transfers. UK IDTA available.

Sub-processors

The third parties that touch customer data. Customers on Business and Enterprise plans can subscribe to change notifications and we publish material changes within 30 days.

| Provider | Purpose |
| --- | --- |
| AWS (ap-southeast-2) | Primary compute, storage, and managed services |
| Temporal Cloud | Durable workflow execution |
| Anthropic, OpenAI, Google | Foundation model inference (routed via Model Router; customer can restrict) |
| Stripe | Billing and payment processing |
| PostHog (self-hosted) | Product telemetry from authenticated workspaces |
| Cloudflare | Edge delivery, DDoS protection |

Vulnerability disclosure

Report security issues to security@agento.com.au. We acknowledge within 2 business days, provide an initial assessment within 5 business days, and remediate confirmed issues on a timeline proportionate to severity.

We do not currently operate a paid bug bounty program. Good-faith research is welcome under standard disclosure norms.

DPA on request

Our Data Processing Addendum is available to any prospective customer on request. It incorporates the EU Standard Contractual Clauses and the UK International Data Transfer Addendum.

Email legal@agento.com.au with your entity name and we will return the current DPA within one business day.

Trust pack for procurement

For procurement, audit, or security review, we provide a packaged set: security questionnaire responses, current sub-processor list, DPA template, SOC 2 report under NDA once issued, and pen test attestation under NDA. Email security@agento.com.au.