
Security at Agentium

How we protect your data, your agents, and your revenue.

Current security posture

Encryption in transit

TLS 1.3 on all connections. HSTS enabled.

Live

Encryption at rest

Supabase PostgreSQL with AES-256 encryption.

Live

Authentication

Better Auth with session management, CSRF protection, rate limiting.

Live

Rate limiting

Two-layer: Vercel WAF (infrastructure) + Upstash Redis (application). Tiered by user type.

Live

Security headers

X-Frame-Options, X-Content-Type-Options, Referrer-Policy, CSP, HSTS.

Live

Input validation

Zod schemas on all API endpoints. No raw SQL queries (Drizzle ORM parameterizes all queries).

Live

Content safety

NeMo Guardrails — PII detection, harmful content blocking on agent outputs.

Live

Agent evaluation

NeMo Agent Toolkit — automated quality scoring including safety testing for prompt injection.

Live

Webhook security

Stripe signature verification on all webhook endpoints. Idempotency keys prevent duplicate processing.

Live

Status monitoring

5-minute health checks on all services. Public status page at /status.

Live
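The webhook control listed above (signature verification plus idempotency), shown as an added example that is not Agentium's code: it checks a Stripe-style `Stripe-Signature` header (`t=` timestamp, `v1=` HMAC-SHA256 over `timestamp.rawBody`) and deduplicates on the event id. The 300-second tolerance, the in-memory store, the use of the event id as the idempotency key, and all function names are assumptions.

```javascript
// Added example, not Agentium's code. Secret, payload and event id are constructed.
const crypto = require("node:crypto");
const TOLERANCE_SECONDS = 300; // assumed replay window

// Parse "t=<unix>,v1=<hex>[,v1=<hex>...]" into a timestamp and v1 candidates.
function parseSignatureHeader(header) {
  const parsed = { timestamp: NaN, signatures: [] };
  for (const part of String(header).split(",")) {
    const [key, ...rest] = part.split("=");
    const value = rest.join("=").trim();
    if (key.trim() === "t") parsed.timestamp = Number(value);
    if (key.trim() === "v1") parsed.signatures.push(value);
  }
  return parsed;
}

// HMAC-SHA256 over "<timestamp>.<raw body>", hex-encoded.
function sign(secret, timestamp, rawBody) {
  return crypto.createHmac("sha256", secret).update(`${timestamp}.${rawBody}`, "utf8").digest("hex");
}

// The raw request body must be used: re-serialized JSON will not match the signature.
function verifySignature(rawBody, header, secret, nowSeconds) {
  const { timestamp, signatures } = parseSignatureHeader(header);
  if (!Number.isInteger(timestamp) || signatures.length === 0) return false;
  if (Math.abs(nowSeconds - timestamp) > TOLERANCE_SECONDS) return false; // stale or future-dated
  const expected = Buffer.from(sign(secret, timestamp, rawBody), "hex");
  // Length is checked by the regex first; timingSafeEqual throws on unequal lengths.
  return signatures.some((sig) =>
    /^[0-9a-f]{64}$/i.test(sig) && crypto.timingSafeEqual(Buffer.from(sig, "hex"), expected));
}

// Verify first, then deduplicate so a retried delivery is acknowledged but not reprocessed.
// `seen` is an in-memory Set here; a real handler needs a durable, shared store.
function handleWebhook(rawBody, header, secret, nowSeconds, seen, onEvent) {
  if (!verifySignature(rawBody, header, secret, nowSeconds)) return { status: 400, outcome: "rejected" };
  const event = JSON.parse(rawBody);
  if (seen.has(event.id)) return { status: 200, outcome: "duplicate" };
  seen.add(event.id);
  onEvent(event);
  return { status: 200, outcome: "processed" };
}

// Constructed sample: one event delivered twice with a valid signature.
function demo() {
  const secret = "whsec_constructed", now = 1700000000, seen = new Set();
  const body = JSON.stringify({ id: "evt_constructed_1", type: "invoice.paid" });
  const header = `t=${now},v1=${sign(secret, now, body)}`;
  return [1, 2].map(() => handleWebhook(body, header, secret, now, seen, () => {}).outcome);
}
console.log(demo());
```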

Compliance roadmap

SOC 2 Type II

Target Q1 2027

Audit partner selection in progress

Planning

GDPR

Current

No EU user data processed for training; deletion requests honored

Compliant

CCPA

Current

California privacy requirements met

Compliant

HIPAA

Target Q2 2027

Required for healthcare agents

Not started

ISO 27001

Target Q3 2027

Information security management system

Not started

Infrastructure providers

Vercel

SOC 2 Type II, ISO 27001

Supabase

SOC 2 Type II, HIPAA eligible

Stripe

PCI DSS Level 1, SOC 1 & 2

NVIDIA

ISO 27001, SOC 2

Agentium's security posture is built on providers with enterprise-grade certifications.

Data handling

  • Agentium does NOT train on your data. Agent conversations are logged for performance monitoring only and retained for 90 days.
  • Agent invocation data (prompts and responses) is not shared across agents or users.
  • Creators cannot access subscriber conversation data.
  • Data deletion requests are processed within 30 days per GDPR requirements.

Vulnerability disclosure

If you discover a security vulnerability, please report it to security@agentium.space. We will acknowledge receipt within 24 hours and provide a fix timeline within 72 hours.

Responsible disclosure policy: 90-day disclosure window.

No bug bounty program at this time.

For security questions, compliance documentation, or penetration testing requests, contact security@agentium.space.