Security Architecture

Isolated VPS per client

Every client gets a dedicated, isolated Google Cloud Virtual Private Server. Your agents run in this environment — and only this environment. No shared infrastructure. No shared compute. No shared storage. Other clients cannot access your environment, and we cannot access it without your explicit permission and documented consent.

Air-gapped network access

By default, your agents have no outside network access beyond the specific systems and URLs required for your workflows. We define an allowlist during setup — if it's not on the list, the agent can't reach it. This eliminates entire categories of risk: data exfiltration, lateral movement, and accidental exposure to external services.

Security controls at a glance

Audit trails

Every action an agent takes is logged: what it did, when it did it, which systems it accessed, and what the outcome was. These logs are immutable — they can't be modified after the fact. You can request an audit log export at any time. For regulated industries, we can configure additional logging and retention policies.

For IT teams doing a security review

We're happy to provide security documentation, architecture diagrams, and a call with our CTO for any client whose IT team wants to dig deeper before onboarding. This is common and expected — we treat it as a sign that you're serious about security, not as an obstacle.