# AgentLattice Security Overview

*Pre-filled Vendor Security Assessment (VSA) — April 2026*

This document provides pre-filled answers to common vendor security questionnaire sections. For questions not covered here, contact security@agentlattice.com.

---

## 1. Company & Product Overview

**Company name:** AgentLattice, Inc.

**Product description:** AgentLattice is an identity and access management (IAM) platform for AI agents. It provides agent identity, policy enforcement, tamper-proof audit logging, behavioral anomaly detection, and human-in-the-loop approvals for organizations deploying AI agents in production.

**Data classification:** AgentLattice processes action metadata only — what type of action an agent attempted, what resource category was accessed, record counts, and sensitivity levels. AgentLattice never stores your agent's actual data: file contents, API payloads, database records, or business data are never transmitted to or stored by AgentLattice.

---

## 2. Data Security

**Q: How is customer data encrypted at rest?**
AES-256 encryption at rest via PostgreSQL on Supabase infrastructure. Encryption is managed by the hosting provider and is not accessible to application code.

**Q: How is data encrypted in transit?**
All communication uses TLS 1.2 or higher. API keys, MCP keys, and delegation tokens are never transmitted in plaintext.

**Q: How is customer data isolated between tenants?**
Logical isolation via row-level security (RLS) policies enforced at the database layer. Each workspace's data is scoped to its workspace ID, and RLS policies prevent cross-tenant access regardless of application-level bugs.

**Q: Where is data stored geographically?**
Primary: US East (AWS us-east-1) via Supabase. See the subprocessors list for full regional breakdown.

**Q: Do you support customer-managed encryption keys (BYOK/CMEK)?**
Not currently. On roadmap for enterprise tier. Contact us to discuss requirements.

---

## 3. Authentication & Access Control

**Q: What authentication methods do you support?**
- OAuth/OIDC for human operators via your existing identity provider
- API key authentication for agent-to-platform communication (scoped, expiring keys)
- MCP key authentication for MCP gateway integration

**Q: Do you support SSO via SAML 2.0 or OIDC?**
SSO via SAML 2.0 and OIDC is on the roadmap. Contact security@agentlattice.com for current availability and to discuss your IdP requirements.

**Q: Do you support SCIM for automated user provisioning?**
SCIM v2 is on the roadmap. Contact security@agentlattice.com for current timeline.

**Q: Can MFA be enforced by administrators?**
Yes. MFA is configurable and enforceable by workspace administrators. Users cannot disable MFA once admin-enforced.

**Q: What is your role-based access control model?**
Role-based access control (RBAC) with least-privilege defaults. Administrators manage user roles and permissions through the dashboard. API keys are scoped to specific capabilities at creation time.

**Q: What is your process for API key management?**
- API keys are generated with configurable expiration
- Raw key is shown exactly once at creation; SHA-256 hash stored at rest
- Keys can be revoked instantly by any org administrator
- Revocation takes effect on the next request from the affected agent

**Q: Do your employees have standing access to customer production data?**
No. AgentLattice employees do not have standing access to customer data. Access requires explicit provisioning through a privileged access management process, is logged, and is revoked immediately after the task is complete.

---

## 4. Audit & Monitoring

**Q: What events are captured in audit logs?**
Every action processed by AgentLattice generates an audit event containing: agent identity and key fingerprint, action type and metadata, policy evaluation result, trust source (direct key or delegation token), timestamp, and data access descriptors (resource types, counts, sensitivity levels).

**Q: Are audit logs tamper-proof?**
Yes. Audit events are cryptographically chained: each event includes the SHA-256 hash of the previous event, and a new hash is computed from the event's own fields plus the previous hash. Modifying any event changes its hash, breaking the chain for all subsequent events. Periodic ECDSA-signed checkpoints enable efficient verification without walking the full chain from genesis.

A separate tamper-proof hash chain is maintained for enforcement events (circuit breaker actions, policy evaluations).
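A minimal verifier for the chaining scheme described above, added here as an illustration; it is not AgentLattice's code. The field names, the JSON canonicalization, the all-zero genesis value and the `start`/`trusted_prev` parameters are assumptions, and a checkpoint is modeled only as a trusted hash (ECDSA signature checking is omitted).

```python
import hashlib
import json

GENESIS = "0" * 64  # assumed placeholder "previous hash" for the first event


def event_hash(fields: dict, prev_hash: str) -> str:
    """SHA-256 over the previous event's hash plus this event's own fields."""
    # Assumed canonical form: sorted-key compact JSON, so equal fields hash equally.
    body = json.dumps(fields, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + body).encode("utf-8")).hexdigest()


def append_event(chain: list, fields: dict) -> None:
    """Append an event linked to the current tail of the chain."""
    prev = chain[-1]["hash"] if chain else GENESIS
    chain.append({"fields": fields, "prev_hash": prev,
                  "hash": event_hash(fields, prev)})


def first_broken_index(chain: list, start: int = 0, trusted_prev: str = GENESIS):
    """Return the index of the first event that fails verification, else None.

    start/trusted_prev let verification begin at a checkpoint: the caller
    supplies the hash of event start-1 from a source it already trusts,
    so events before the checkpoint are not re-walked.
    """
    prev = trusted_prev
    for i in range(start, len(chain)):
        ev = chain[i]
        # The link to the predecessor and the event's own hash must both hold.
        if ev["prev_hash"] != prev or ev["hash"] != event_hash(ev["fields"], prev):
            return i
        prev = ev["hash"]
    return None


def build_sample_chain() -> list:
    """Constructed sample events (not real audit data)."""
    chain = []
    for n, action in enumerate(["read", "read", "export", "delete"]):
        append_event(chain, {"agent": "agent-7", "action": action,
                             "records": 10 * (n + 1)})
    return chain
```

Chaining alone does not reveal removal of the most recent events, since a truncated chain still verifies; detecting that requires comparing against a checkpoint or another externally held copy of the latest hash.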

**Q: Who can modify audit logs?**
No one. Audit logs are append-only by design. Neither AgentLattice employees nor workspace administrators can modify or delete audit events.

**Q: How long are audit logs retained?**
Audit logs are retained for a minimum of 12 months. Extended retention is available for enterprise customers.

**Q: Can audit logs be exported to a SIEM?**
Yes. Structured JSON audit events can be streamed via webhook to any SIEM (Splunk, Datadog, Microsoft Sentinel, Elastic, Sumo Logic). Native connectors for major SIEMs are on the roadmap.

**Q: Do you have anomaly detection?**
Yes. AgentLattice maintains behavioral baselines per agent and scores every action against that baseline across five signal types: bulk data access, scope creep, exfiltration patterns, sequence anomalies, and cross-agent propagation. Anomaly events are tagged with threat taxonomy technique identifiers.

---

## 5. Incident Response

**Q: Have you had any security incidents in the past 3 years?**
As of April 2026: no security incidents involving unauthorized disclosure of customer data have occurred.

**Q: What is your breach notification timeline?**
We commit to notifying affected customers within 72 hours of discovering a security incident that affects their data, in compliance with GDPR Article 33 requirements. Notification timelines are set out contractually in our DPA.

**Q: Who do we contact in case of a security incident?**
security@agentlattice.com. For enterprise customers, a named security contact can be designated in your agreement.

**Q: Do you have a documented incident response plan?**
Yes. The plan includes detection procedures, containment steps, evidence preservation, notification timelines, and post-incident review. A redacted summary is available to enterprise prospects under NDA.

---

## 6. Business Continuity & Disaster Recovery

**Q: What are your RTO and RPO targets?**
- Recovery Time Objective (RTO): < 4 hours
- Recovery Point Objective (RPO): < 1 hour

**Q: What is your uptime SLA?**
99.9% uptime, measured monthly. Downtime credits are available per our terms of service.

**Q: Do you have multi-region redundancy?**
The primary deployment is single-region (US East) with automated failover within the region. Multi-region active-active is on the enterprise roadmap.

---

## 7. Third-Party Security

**Q: Do you conduct penetration testing?**
Third-party penetration testing is in progress. Testing will be conducted annually by an independent firm. Summary reports are available to enterprise prospects under NDA upon completion.

**Q: Do you have a vulnerability disclosure policy?**
Yes. Security researchers can report vulnerabilities to security@agentlattice.com. We acknowledge reports within 48 hours and commit to providing status updates during remediation.

**Q: Do you scan for vulnerabilities in your dependencies?**
Yes. Automated dependency scanning runs in CI on every commit via GitHub Dependabot. Critical CVEs are addressed within 30 days; high-severity within 90 days.

---

## 8. Compliance

**Q: Are you SOC 2 Type II certified?**
SOC 2 Type II audit is in progress via Vanta. Security readiness evidence and current controls documentation are available to enterprise prospects under NDA. Contact security@agentlattice.com for current status and estimated completion.

**Q: Are you GDPR compliant?**
Yes. A Data Processing Agreement (DPA) template is available for download. Contact security@agentlattice.com to execute a signed DPA.

**Q: Are you HIPAA compliant?**
HIPAA Business Associate Agreement (BAA) availability is on the enterprise roadmap. Contact us to discuss requirements and timing.

**Q: What subprocessors do you use?**
See the full subprocessors list at agentlattice.com/security/subprocessors.

---

## 9. Workspace Security

**Q: Do employees undergo background checks?**
Yes. Background checks are required for all employees with access to production systems or customer data.

**Q: Do you require security awareness training?**
Yes. Annual security awareness training is required for all staff, tracked and recorded.

**Q: Are employee endpoints managed?**
Yes. All staff devices are enrolled in MDM (mobile device management). Endpoint security policies include disk encryption, screen lock, and automatic OS updates.

---

*For questions not covered above, contact security@agentlattice.com. Enterprise prospects can request a security review call with our engineering team.*
