Security that your auditor will sign off on.
Agaro is SOC 2 Ready, HIPAA Ready, and aligned to GDPR, CCPA, ISO 27001, and NIST AI RMF. We also offer compliance support — DPAs, BAAs, evidence packages, and auditor-facing artifacts — so your team isn't doing the regulatory work alone.
Four commitments we make in writing.
Customer data is yours.
We process Customer Content as a processor, scoped to your engagement. We do not sell it, broker it, or use it to train models we deploy for other customers.
Least privilege, by default.
Access is scoped to the smallest set of people and systems that need it. SSO, MFA, and short-lived credentials are the default — not the upgrade.
Every action is logged.
Model calls, admin actions, configuration changes — all logged, all replayable, retained per your engagement's policy and forwarded to your SIEM on request.
Audit-defensible by design.
We build for the day your auditor sits across from us. Controls map cleanly to SOC 2, HIPAA, and ISO 27001 categories so evidence collection is a query, not a project.
How the platform is put together.
Encryption at rest
AES-256 with per-tenant keys. Each customer environment gets its own key material, rotated on schedule.
Encryption in transit
TLS 1.3 with modern cipher suites end-to-end. HSTS preload, certificate pinning available on request.
Tenant isolation
Logical separation per engagement on multi-tenant deployments. Single-tenant deployments give you a dedicated namespace, dedicated credentials, dedicated key material.
Identity & access
OIDC / SAML SSO, RBAC scoped to engagement, MFA enforced for admin, short-lived service credentials with automatic rotation.
Secrets management
No secrets in source, no secrets in logs. Centralized vaulting, just-in-time access, audit on every read.
Network posture
Private networking by default on production tiers. VPC peering, PrivateLink, and IP allow-lists supported on dedicated tenants.
Frameworks we are Ready against — and offer support for.
We are not selling certifications. We are Ready against these frameworks and we work alongside your team to put your program through audit.
SOC 2 Type II
Trust Services Criteria — Security, Availability, Confidentiality. We are SOC 2 Ready with an evidence package available under NDA, and offer compliance support to customers operating under their own SOC 2.
HIPAA
Administrative, physical, and technical safeguards for PHI. BAA available on request. We offer end-to-end HIPAA compliance support for healthcare deployments.
GDPR / UK GDPR
Standard Contractual Clauses + UK IDTA. DPA, subprocessor list, and TIA available on request. EU-region hosting supported on dedicated tenants.
CCPA / CPRA
California Ready. We honor all consumer rights and never "sell" or "share" personal information as defined under California law.
ISO 27001 alignment
Controls mapped to ISO 27001 Annex A. Certification on the roadmap; current gap analysis available under NDA. We support customers driving toward their own ISO 27001.
NIST AI RMF
Risk management practices aligned to the NIST AI Risk Management Framework, with documented impact assessments per deployment.
From threat model to decommissioning.
- 01 Threat modeling
Every engagement starts with a written threat model. Trust boundaries, sensitive flows, and abuse cases identified before code is written.
- 02 Secure development
Peer review on every change. Static analysis, dependency scanning, and secret detection on every commit.
- 03 Pre-production review
Penetration testing on customer-impacting releases. Findings tracked to closure under SLA.
- 04 Production hardening
Hardened images, signed artifacts, immutable infrastructure, and a documented runbook delivered with every deployment.
- 05 Continuous monitoring
Anomaly detection on model calls and admin actions. Alerts tuned per engagement and routed to on-call.
- 06 Lifecycle review
Quarterly access reviews, annual key rotation, and a documented decommissioning procedure on engagement end.
How we handle AI specifically.
No cross-customer training
Customer Content is never used to train models we deploy for other customers. Configurations and tuning stay scoped to your engagement.
Zero retention on foundation models
Where third-party foundation models are used, we enable zero-data-retention and no-training settings whenever the provider offers them, documented per engagement.
Output review by design
Every Agaro system ships with the assumption that Output is reviewed before consequential decisions are made. Audit logs and replay are first-class.
Bias & evaluation
Documented evaluation suites per use case, with bias and accuracy metrics tracked over time. Findings shared with the customer.
Each Agaro module ships as a deployable unit your team controls.
Cloud (multi-tenant)
Standard SaaS deployment for general enterprise use. Fastest path to production with the same security controls applied across tenants.
Dedicated tenant
Single-tenant deployment in our cloud — your data, your keys, your namespace, your residency. Operated by us, observable by you.
The specifics, on one page.
Found something? Tell us.
If you believe you have found a security vulnerability in any Agaro service or site, please report it to info@agaro.ai. We acknowledge within one business day, investigate in good faith, and keep you posted through remediation. We do not threaten or pursue legal action against researchers acting in good faith within the scope of this program.
Trust & security — quick answers.
Is Agaro SOC 2 Ready?
Yes — Agaro operates against SOC 2 Type II Trust Services Criteria, with an evidence package available under NDA. We also support customers pursuing their own SOC 2 by aligning our controls to their auditor's scope.
Is Agaro HIPAA Ready?
Yes. Administrative, physical, and technical safeguards for PHI are in place, and a Business Associate Agreement (BAA) is available on request for healthcare engagements.
Where does my data live?
Per-deployment isolation with AES-256 encryption at rest and TLS 1.3 in transit. Each customer environment is logically separated, with role-based access controls and audit logging on every system action.
Do you use my data to train models you sell to other customers?
No. Your business data, conversations, and documents are not used to train models we deploy for other customers. Configurations and tuning stay scoped to your engagement.
What does Agaro's uptime commitment look like?
A 99.9% uptime SLA on production engagements, with monitoring, automated failover, and written postmortems for any covered outage.
Do you offer compliance support?
Yes. We help customers map our controls to their own SOC 2, HIPAA, GDPR, ISO 27001, NIST AI RMF, and CCPA/CPRA programs — including DPA, BAA, sub-processor register, and TIA artifacts where applicable.
Need the full controls list — or compliance support?
SOC 2 evidence package, DPA, BAA, sub-processor register, and auditor-facing artifacts available under NDA. Send a note from a corporate email and we'll have a copy over within one business day.