Agent21 Security & Privacy

Security at Agent21

Your company data is your most valuable asset. Here's exactly how we protect it.

Secured by Cisco DefenseClaw

Enterprise-grade AI agent security governance

Skill Scanner

Every tool call is scanned before execution. Blocked patterns, credential leaks, and privilege escalation attempts are detected and stopped in real time.

CodeGuard

Agent-generated code and commands undergo static analysis. Dangerous operations like rm -rf or SQL injection patterns are blocked.

AI Bill of Materials (BOM)

Every model, tool, and data source each agent touches is tracked and auditable. Full transparency into what your AI agents are doing.

Policy Guardrails

Company-specific security policies enforced on every agent action. Domain allowlists, approval workflows for high-risk actions, token limits.

Based on Cisco's open-source DefenseClaw framework for agentic AI security.

Data Isolation

Every company's data is completely isolated using Postgres Row Level Security (RLS). Company A cannot see Company B's data — not through the UI, not through the API, not through SQL. Each query is scoped by company_id.

Even Agent21 team members cannot access your data without your explicit permission. Our backend uses a service role key for operations, but all data flows are company-scoped.
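
A generic Postgres sketch of tenant isolation with Row Level Security keyed on company_id. It is an added illustration, not Agent21's schema or code; the documents table, the app_user role, the app.company_id session setting and the UUIDs are assumptions made for the example.

```sql
-- Added illustration: hypothetical table and role names, not Agent21's schema.
-- Run as a superuser or as a role that is a member of app_user.
CREATE TABLE documents (
    id         bigserial PRIMARY KEY,
    company_id uuid NOT NULL,
    title      text NOT NULL
);

ALTER TABLE documents ENABLE ROW LEVEL SECURITY;
-- Without FORCE, the table owner is exempt from the policy below.
ALTER TABLE documents FORCE ROW LEVEL SECURITY;

-- USING filters rows that are read, updated or deleted; WITH CHECK validates
-- rows being written. NULLIF makes an unset or empty setting match no rows.
CREATE POLICY tenant_isolation ON documents
    USING      (company_id = NULLIF(current_setting('app.company_id', true), '')::uuid)
    WITH CHECK (company_id = NULLIF(current_setting('app.company_id', true), '')::uuid);

-- Application role: not a superuser and no BYPASSRLS (both skip every policy,
-- so code running under such a role has to filter on company_id itself).
CREATE ROLE app_user NOLOGIN;
GRANT SELECT, INSERT, UPDATE, DELETE ON documents TO app_user;
GRANT USAGE ON SEQUENCE documents_id_seq TO app_user;

-- Request on behalf of company A (constructed UUIDs).
BEGIN;
SET LOCAL ROLE app_user;
SET LOCAL app.company_id = '11111111-1111-1111-1111-111111111111';
INSERT INTO documents (company_id, title)
VALUES ('11111111-1111-1111-1111-111111111111', 'A: board deck');
COMMIT;

-- Request on behalf of company B.
BEGIN;
SET LOCAL ROLE app_user;
SET LOCAL app.company_id = '22222222-2222-2222-2222-222222222222';
INSERT INTO documents (company_id, title)
VALUES ('22222222-2222-2222-2222-222222222222', 'B: roadmap');
-- Company A's row is filtered out by USING for both statements below.
SELECT title FROM documents;
UPDATE documents SET title = 'overwritten'
 WHERE company_id = '11111111-1111-1111-1111-111111111111';
-- Writing a row for another tenant is rejected by WITH CHECK, which raises
-- an error and aborts the transaction.
INSERT INTO documents (company_id, title)
VALUES ('11111111-1111-1111-1111-111111111111', 'planted by B');
ROLLBACK;
```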

AI Provider: Zero Retention

Claude, Gemini, and OpenAI are stateless processing engines. When your agent runs:

  1. We assemble your context from our database
  2. Send it to the AI provider for processing
  3. Receive the response
  4. The AI provider immediately forgets everything

No persistent memory, no training on your data, no cross-customer leakage. Your data is not used to train AI models. Each API call is independent.

You can also bring your own API key — your data flows directly from Agent21 to your own AI account, never touching our key.

Encryption

In Transit

All connections use TLS 1.3. API calls to AI providers use HTTPS. No plaintext data over the wire.

At Rest

Supabase Postgres uses AES-256 encryption at rest. Backups are encrypted.

Credentials

Integration credentials (API keys, tokens) are encrypted with AES-256-GCM before storage. Each credential has a unique IV.

Passwords

User passwords are salted and hashed with SHA-256. We never store plaintext passwords.

Authentication & Access

JWT session tokens with expiry. Rate limiting on all endpoints (login: 10/15min, API: 60/min).

Account lockout after 5 failed login attempts (15-minute cooldown).

Role-based access: owner, admin, member, viewer, board. Board members see only curated reports, not raw data.

Audit logging on every mutation — who did what, when, from where.

Data Portability & Deletion

Full export: Company owners can export all data as JSON at any time — company profile, agents, messages, documents, workflows, investor updates. No lock-in.

Right to deletion: Request complete data deletion via Settings or by emailing privacy@agent21.ai. We will delete all company data within 30 days.

No vendor lock-in: Your context, knowledge, and agent configurations live in our database, not at the AI provider. Switch providers or leave Agent21 — your data is always yours.

Compliance Roadmap

AES-256 encryption for credentials
Row Level Security (multi-tenant isolation)
Audit logging on all mutations
Data export (GDPR portability)
Rate limiting + account lockout
SOC2 Type I audit (Q2 2026)
SOC2 Type II (Q4 2026)
GDPR DPA template for EU customers
SSO (SAML/OIDC) for enterprise
MFA (optional, then required for enterprise)

Security Questions?

We're happy to discuss our security practices, provide DPA agreements, or answer audit questionnaires.
