Security controls
Twelve technical controls are built into the platform. All are active in production today.
All data is encrypted at rest using AES-256 (Neon Postgres). All connections enforce TLS 1.2+. No plaintext data leaves the platform.
MFA is enforced via Clerk for all user accounts. Org admins can mandate MFA for every team member.
Three-tier RBAC (Admin / Reviewer / Viewer) is enforced at both the API and UI layers. Least-privilege by default.
Every create, update, and delete is captured in an append-only audit_events table with actor identity, before/after JSON, and IP address.
API keys are hashed with bcrypt before storage. The raw key is shown once at creation and never stored. Prefix-based identification only.
All outbound webhook deliveries include an X-AgentPMO-Signature: sha256=<hex> header so consumers can verify payload authenticity.
Token-bucket rate limiting is applied per API key and endpoint tier. Limits are surfaced in X-RateLimit-* response headers.
npm audit and Snyk run on every CI build. Critical CVEs block deployment. High-severity CVEs are patched within 72 hours.
Sentry captures client and server exceptions in real time. Every error carries a request ID for full-stack correlation.
All secrets are stored as environment variables, never in source code. Production secrets rotate on a 90-day cycle.
Documented P1–P4 severity classification, escalation paths, and customer communication playbook. P1 RTO < 4 hours.
Neon Postgres provides continuous WAL streaming plus daily snapshots. 7-day point-in-time recovery. RPO < 1 hour.
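The X-AgentPMO-Signature header described above lets a webhook consumer reject forged or altered deliveries. The check below is an added example, not AgentPMO's own code; it assumes the header value is an HMAC-SHA256 over the raw request body keyed with a per-webhook shared secret (the page gives only the header format), and the secret and payload are constructed samples.

```python
import hashlib
import hmac
from typing import Optional

HEADER = "X-AgentPMO-Signature"  # header name from the page; value format is sha256=<hex>


def sign_payload(secret: bytes, body: bytes) -> str:
    """Producer side (assumed HMAC-SHA256 over the raw body with a shared secret)."""
    digest = hmac.new(secret, body, hashlib.sha256).hexdigest()
    return f"sha256={digest}"


def verify_signature(secret: bytes, body: bytes, header_value: Optional[str]) -> bool:
    """Consumer side: True only if the header is present, well formed and matches
    the HMAC of the exact raw bytes received (never re-serialised JSON)."""
    if not header_value:
        return False  # missing header: treat as unauthenticated, not as "no signature needed"
    scheme, sep, received_hex = header_value.strip().partition("=")
    if sep != "=" or scheme.lower() != "sha256":
        return False  # unknown or downgraded scheme
    if len(received_hex) != 64:
        return False  # SHA-256 hex digest is always 64 characters
    try:
        bytes.fromhex(received_hex)
    except ValueError:
        return False  # not hex at all
    expected = hmac.new(secret, body, hashlib.sha256).hexdigest()
    # constant-time comparison so timing does not reveal how many bytes matched
    return hmac.compare_digest(expected, received_hex.lower())


# constructed sample values; a real secret would come from the webhook configuration
SECRET = b"whsec_constructed_example_secret"
BODY = b'{"event":"task.updated","id":"evt_constructed_001"}'


def demo() -> dict:
    """Exercise the success path and the failure modes a consumer must reject."""
    good = sign_payload(SECRET, BODY)
    return {
        "valid": verify_signature(SECRET, BODY, good),
        "tampered_body": verify_signature(SECRET, BODY + b" ", good),
        "wrong_secret": verify_signature(b"other-secret", BODY, good),
        "missing_header": verify_signature(SECRET, BODY, None),
        "bad_scheme": verify_signature(SECRET, BODY, "sha1=" + good[len("sha256="):]),
        "truncated": verify_signature(SECRET, BODY, good[:-2]),
    }
```

Compute the HMAC over the request body bytes exactly as received; parsing and re-encoding the JSON first will change whitespace or key order and the comparison will fail.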
Certifications & frameworks
Our certification roadmap is public. We engage Vanta for automated SOC 2 evidence collection.
SOC 2 Type II (in progress): engaging Vanta for automated evidence collection. Audit window opens Q2 2026.
Information security management system aligned with ISO 27001 controls.
EU-region deployment available. Data processing agreement available on request.
AgentPMO is built specifically to help you comply: risk classification, evidence packages, and conformity readiness.
Data residency
Choose your data region at organization setup. GDPR-regulated buyers in the EU can select EU (Frankfurt) to ensure data never leaves the European Union.
Default region for all new organizations. Data never leaves AWS us-east-1.
EU-region deployment for regulated buyers. All data stored and processed within the EU. Select EU at organization setup or contact sales.
Availability & recovery
Vulnerability management
| Severity | SLA to patch | Disclosure |
|---|---|---|
| Critical | 24 hours | Public after patch |
| High | 72 hours | Public after patch |
| Medium | 14 days | Next release cycle |
| Low | 30 days | Next release cycle |
To report a vulnerability, email security@getagentpmo.com. We acknowledge disclosures within 24 hours and follow responsible disclosure principles.
SOC 2 Type II (in progress)
We have engaged Vanta for automated SOC 2 evidence collection. The audit window opens Q2 2026 with a target report date of Q3 2026. Controls already in place: access logging, encryption, MFA enforcement, RBAC, and incident response.
Enterprise customers can request a copy of the SOC 2 report on completion. Contact trust@getagentpmo.com.
security@getagentpmo.com: vulnerability reports, penetration test findings, and security questions.
trust@getagentpmo.com: SOC 2 reports (when available), DPAs, and enterprise compliance documentation.