Security

Security at The Agent Studio

Your operational data is sensitive. We treat it that way. Here is an honest overview of the controls we have in place.

Data encryption

  • All data encrypted in transit using TLS 1.2 or higher
  • All data encrypted at rest using AES-256
  • Database backups encrypted using the same standards
  • Encryption keys managed through a dedicated key management service

Access controls

  • Role-based access control (RBAC) across all platform components
  • Principle of least privilege applied to all internal systems
  • Multi-factor authentication required for all internal team accounts
  • Customer data access logged and auditable on request
  • No customer data accessed by employees without explicit customer authorisation, except for incident resolution

Infrastructure

  • Hosted on SOC 2 Type II certified cloud infrastructure
  • Network segmentation and firewall policies in place
  • Automated vulnerability scanning on all services
  • Regular patching schedule with emergency patch capability
  • DDoS mitigation through infrastructure provider

Application security

  • OWASP Top 10 reviewed in development process
  • Annual third-party penetration testing
  • Dependency scanning in CI/CD pipeline
  • Static analysis tooling on all code changes
  • Secrets management via dedicated vaults — no secrets in code

Incident response

  • Documented incident response plan reviewed quarterly
  • 24-hour internal escalation for security events
  • Customer notification within 72 hours of confirmed breach affecting their data
  • Post-incident reports available to affected customers on request

Compliance and auditing

  • GDPR-compliant Data Processing Agreements (DPAs) available on request
  • Audit logs available within the platform for all agent decisions
  • Data residency options available for enterprise customers

Common questions

Do your agents access our ERP directly?

Yes, through authenticated API connections or read/write connectors using credentials you control. We never store your ERP credentials in plain text — they are encrypted at rest and accessed only by the agent runtime.

Who inside The Agent Studio can see our operational data?

No employee accesses customer data without explicit authorisation from the customer, except in the case of an active incident response where access is required to resolve a problem. All such access is logged.

How do you handle agent decision logs?

Every decision an agent makes is logged with full context: what it saw, what rules it applied, and what action it took. These logs are available in your dashboard and retained for the period specified in your agreement.

Can we get a copy of your penetration test results?

Executive summaries of our most recent penetration test are available to enterprise customers under NDA. Contact us at security@theagentstudio.ai.

What happens to our data if we cancel?

You have 30 days after cancellation to export all your data. After that, we delete it from active systems within 30 days and from backups within 90 days.

Report a vulnerability

If you discover a potential security issue, please contact us before disclosing it publicly. We investigate every report and aim to resolve confirmed vulnerabilities within 30 days.

security@theagentstudio.ai