Request an analysis of the agents your business needs
SECURITY & TRUST

Built for the reviewer who has to say yes.

Everything here is what's true today, not what's coming. If a certification isn't finished, we say so and give you the target date instead of a marketing claim.

WHERE WE STAND TODAY
SOC 2

Pre-audit. No SOC 2 report yet. Our controls are built against the SOC 2 Common Criteria: access control, change management, audit logging, incident response. We're targeting a Type I report by the end of 2026, with Type II to follow twelve months later. In the meantime, the hub runs in your cloud, under your keys, and every action lands in your logs.

InfoSec questionnaires

We complete them. Five business day turnaround target. Control documentation shared under NDA on request.

Data Processing Agreement

Standard DPA available on request, executed before kickoff. Names your model provider as the only sub-processor, states your cloud as the only place data resides, and covers deletion on termination.

Sub-processors

One: the model provider on your contract. Anthropic Claude by default, OpenAI or Google on request. No other sub-processor touches your data. No training on customer data, enforced via provider enterprise terms.

The same deployment model described on the engagement page, restated for a security review.

DEPLOYED
In your own cloud. Runs inside your own cloud account and network. We don't run your infrastructure, and we don't copy your data out of it.
ACCESS
Read-only by default. Every connector reads. Writes are granted agent by agent, and anything that acts on your systems routes through a human approval step first.
KEYS
Yours, never ours. Credentials stay in your own secret store. Engineer access on our side is named, time-bound, MFA-protected, and revoked at handover.
AUDIT
Logged end to end. Every agent action and every engineer action lands in your own logging stack. Access is role-based and scoped per user.
TRAINING
Never on your data. Enterprise model access with zero retention. Your prompts and outputs are never kept for training. Encrypted in transit and at rest.
OWNERSHIP
Yours to keep. No lock-in. At handover the hub, the logic, and the runbooks are yours. It keeps running if we walk away, and one command removes our access for good.
WHY YOU CAN AUDIT THIS YOURSELF

The runtime is open source.

The hubzoid package is MIT-licensed, on PyPI, source on GitHub. It runs inside your perimeter, against your data. Your team can read every line of what executes, not take our word for it. The same package powers our engagements. What you audit is what ships.

View on GitHub

Have a longer questionnaire?

Send it over. We aim to turn InfoSec questionnaires around in five business days, with control documentation under NDA.

Talk to us
DEPLOY · YOUR COMPANY, RUNNING ON AGENTS

A company that runs on AI agents. Starting with one.