Trust Center — AgentGate

1. Architecture & Data Flow

AgentGate is a stateless validation API. Agent output is processed in-memory and never written to disk or database.

What we store

Data type	Storage	Retention
Raw agent output	Not stored — in-memory only	—
Validation metadata (domain, tier, timestamps)	Encrypted at rest	90 days (Free) / 12 months (Paid)
SHA-256 gate hashes	Encrypted at rest	90 days (Free) / 12 months (Paid)
Audit evidence packages	Encrypted at rest, exportable as JSON	90 days (Free) / 12 months (Paid)
API keys	Hashed (bcrypt)	Active account lifetime
Account data (email)	Encrypted at rest	30 days post-closure
Server access logs	Log aggregator	30 days
Billing records	Stripe / payment processor	7 years (legal obligation)

2. Encryption

In transit — TLS 1.2+ enforced on all endpoints. HSTS enabled with 1-year max-age.
At rest — AES-256 encryption for all stored data.
API keys — compared using constant-time comparison (crypto.timingSafeEqual) to prevent timing attacks.
Evidence chains — SHA-256 hash chains provide tamper-evident integrity verification.

3. Authentication & Access Control

API keys — prefixed ag_live_ / ag_test_, scoped per account. Keys are shown once on creation.
Key rotation — revoke and create new keys from dashboard. Old keys are immediately invalidated.
Rate limiting — per-key rate limits enforced. Abuse detection with automatic blocking.
Google OAuth — supported for dashboard login. No password stored for OAuth users.
RBAC Roadmap — role-based access control for team management.
SSO / SAML Roadmap — enterprise single sign-on.

4. Infrastructure

Hosting — dedicated VPS, not shared hosting. Application runs behind reverse proxy.
Database — PostgreSQL with Supabase. Row-level security enabled.
Secrets management — environment variables, never committed to source control.
Deployments — automated via CI with health checks. Zero-downtime deploys.
Monitoring — automated uptime checks every 5 minutes. Incident detection with alerting.

5. Security Headers & Protections

Strict-Transport-Security — HSTS with 1-year max-age
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
X-XSS-Protection: 1; mode=block
Content-Security-Policy — restrictive CSP on all pages
SSRF protection — private IP ranges blocked on outbound requests
Input validation — Zod schema validation on all API inputs
SQL injection — parameterized queries only, no raw SQL from user input

6. Compliance Posture

Standard	Status
GDPR	Designed for compliance
CCPA	Designed for compliance
SOC 2 Type II	On roadmap
ISO 27001	Planned
PCI-DSS	Payment processing via Stripe (PCI Level 1)

We use honest language: "designed for compliance" means we follow the principles and controls, but have not yet undergone formal certification audits. We will update this page as certifications are obtained.

7. Subprocessors

Provider	Purpose	Data processed	Location
Supabase	Database, authentication	Account data, validation metadata	US / EU
Stripe	Payment processing	Billing data (no raw API data)	US
Google Analytics	Usage analytics	Anonymized page views, events	US
SendGrid	Transactional email	Email addresses, message content	US

We will notify customers 30 days before adding new subprocessors that handle personal data.

8. Incident Response

Detection — automated monitoring with 5-minute check intervals.
Notification — affected customers notified within 72 hours of confirmed data breach (GDPR requirement).
Status page — agengate.com/status for real-time service health.
Contact — security concerns: bakhrom@agengate.com

9. Data Subject Rights

Access — request a copy of your data via email.
Deletion — account and associated data deleted within 30 days of request. Billing records retained for 7 years per legal obligation.
Portability — audit evidence packages exportable as JSON at any time via API.
Contact — bakhrom@agengate.com with subject "Data Request".

10. Vendor Assessment

Preparing for enterprise procurement? We can provide:

Completed security questionnaire (SIG Lite, CAIQ)
Data Processing Agreement (DPA)
Subprocessor list (above)
Architecture diagram
Penetration test summary (when available)

Request a vendor pack

Email bakhrom@agengate.com with subject "Vendor Pack Request" and we will respond within 2 business days.