1 Organizational Security
ORG-01 Do you have a documented Information Security Policy?
Partial Security practices are documented in the
Trust Center. Formal ISMS policy is on the roadmap as part of SOC 2 / ISO 27001 preparation.
ORG-02 Do you have a designated security officer?
Yes Founder (Bakhrom) currently serves as security point of contact. Reachable at
bakhrom@agengate.com.
ORG-03 Do all employees complete security awareness training?
Planned Small team (<5 people). Formal training program will be implemented as the team grows beyond 10 people or before SOC 2 audit.
ORG-04 Do you perform background checks on employees with access to customer data?
Planned Will be implemented before first enterprise hire. Current access is limited to founder.
2 Access Control & Authentication
AUTH-01 Do you enforce multi-factor authentication for admin access?
Yes Admin access to infrastructure requires MFA. GitHub, VPS root access, and cloud providers all use MFA.
AUTH-02 Do you support SSO / SAML for customer authentication?
Planned Google OAuth is supported today. SAML / SCIM provisioning is on the roadmap for Enterprise plan customers.
AUTH-03 Do you enforce role-based access control (RBAC)?
Partial RBAC model is defined (owner, admin, developer, viewer, billing roles). API-level enforcement is rolling out per endpoint. Full team management UI is in development.
AUTH-04 How are API keys managed and rotated?
Yes Keys are prefixed (ag_live_, ag_test_), hashed at rest, compared with constant-time equality (timingSafeEqual). Revocation and creation are self-service in the dashboard. Old keys invalidate immediately on revocation.
AUTH-05 How do you protect against credential-based attacks?
Yes Rate limiting per API key, constant-time comparison, automated abuse detection, HSTS with 1-year max-age, secure session management.
3 Data Protection & Encryption
DATA-01 Is data encrypted in transit?
Yes TLS 1.2+ enforced on all endpoints. HSTS enabled with 1-year max-age and preload. TLS 1.3 preferred where client supports it.
DATA-02 Is data encrypted at rest?
Yes AES-256 encryption for all stored data (database, backups, object storage).
DATA-03 How do you handle PII / customer data?
Yes Agent output submitted to
/v1/validate is processed
in-memory only — never written to disk. Only SHA-256 hashes and gate outcomes are stored. See
Trust Center § 1 for full data flow.
DATA-04 What data retention policies do you enforce?
Yes Differentiated by data type: validation metadata (90d Free / 12mo Paid), audit packages (90d / 12mo), API logs (90d), access logs (30d), billing records (7y per legal obligation). Account data deleted within 30 days of closure.
DATA-05 Do you support data portability / export?
Yes Audit evidence packages are exportable as JSON via POST /v1/audit-package. Full account data export available on request within 30 days.
DATA-06 How do you handle data deletion requests?
Yes Email
bakhrom@agengate.com with subject "Data Request". Deletion completed within 30 days (GDPR compliance). Billing records retained 7 years per legal obligation.
4 Application Security
APP-01 Do you perform regular security testing?
Partial Automated security testing in CI (static analysis, dependency scanning). External penetration test planned before SOC 2 audit.
APP-02 Do you protect against OWASP Top 10?
Yes Parameterized queries (no SQL injection), input validation via Zod schemas, CSP headers, SSRF protection on outbound requests (private IP blocking), XSS protection, HSTS, secure headers. See
Trust Center § 5.
APP-03 How do you manage third-party dependencies?
Yes Automated dependency scanning via GitHub Dependabot. Known vulnerabilities addressed within 30 days (critical), 90 days (high).
APP-04 Do you maintain a bug bounty or vulnerability disclosure program?
5 Infrastructure & Operations
INFRA-01 Where is customer data hosted?
Yes Primary hosting: dedicated VPS (EU region). Database: Supabase (multi-region, SOC 2 Type II certified). Detailed subprocessor list in
Trust Center § 7.
INFRA-02 Do you have logical tenant isolation?
Yes Row-level security (RLS) in the database. Every query is scoped by API key. Data from one customer cannot be accessed by another.
INFRA-03 Do you have backup and disaster recovery procedures?
Yes Automated daily backups (Supabase native), 30-day retention. RTO < 4 hours, RPO < 24 hours for Free/Starter/Pro plans. Enterprise custom SLAs available.
INFRA-04 What is your uptime SLA?
Yes 99.9% uptime target on Pro plan. 99.95% on Enterprise. Real-time status at
agengate.com/status. No SLA on Free plan.
INFRA-05 How do you monitor and log production systems?
Yes Automated uptime checks every 5 minutes. Structured JSON logs with correlation IDs. Request tracing for debugging. Logs retained 30 days.
INFRA-06 How do you manage secrets and credentials?
Yes Environment variables only. Never committed to source control. Separate configs for development, staging, and production.
6 Incident Management
IR-01 Do you have a documented incident response plan?
Partial Incident response process documented in
Trust Center § 8. Formal tabletop exercises planned before SOC 2 audit.
IR-02 What is your breach notification policy?
Yes Affected customers notified within 72 hours of confirmed personal data breach (GDPR Article 33 requirement). Supervisory authority notified where required.
IR-03 Do you maintain audit logs of security events?
Yes All authentication, authorization, and configuration changes are logged with timestamps, user identity, and action taken. Logs are immutable during retention period.
7 Compliance & Certifications
COMP-01 GDPR compliance?
Yes Designed for GDPR compliance. Data Processing Agreement available on request. Subject rights (access, deletion, portability) supported. See
Privacy Policy.
COMP-02 CCPA compliance?
Yes California resident rights supported (access, deletion, do-not-sell). Response within 45 days.
COMP-03 SOC 2 Type II certification?
On Roadmap SOC 2 audit on roadmap. Trust Center documents current controls. Customer letters of intent help prioritize timing.
COMP-04 ISO 27001 certification?
Planned Planned after SOC 2. Controls already mapped.
COMP-05 PCI-DSS scope?
Yes All payment processing handled by Stripe (PCI-DSS Level 1 certified). AgentGate does not store, process, or transmit cardholder data.
COMP-06 EU AI Act readiness?
Yes AgentGate itself is designed as a compliance tool for EU AI Act. We help customers demonstrate compliance for high-risk AI systems with evidence chains and audit packages.