Your Data Never Leaves Your Infrastructure

We manage AI agents. You own the environment they run in. That separation is by design — and it's non-negotiable.

Core Principles

01

Your infrastructure, your control

Every agent runs inside your cloud accounts or on-premises servers. We deploy to your environment — we never ask you to send data to ours.

02

Zero data exfiltration

Agent processing happens locally. Inputs, outputs, logs, and intermediate states all remain within your network boundary.

03

Scoped, auditable access

Our management access is limited to agent configuration and performance monitoring. Every action is logged. Access can be revoked at any time.

04

You can verify everything

We provide full deployment manifests, network diagrams, and access logs. If you want to audit us, we'll hand you the keys.

Data Isolation

Network-Level Separation

Agents operate within your VPC or private network. No inbound or outbound connections to AfrexAI infrastructure are required for agent operation.

  • Agents deployed inside your VPC / private subnets
  • No data transmitted to AfrexAI servers
  • Management channel uses encrypted, authenticated tunnel with your approval
  • All agent-to-agent communication stays within your network

Tenant Isolation

Each customer deployment is completely independent. There is no shared infrastructure, no shared databases, and no cross-tenant access of any kind.

Encryption

Data at Rest

All agent data — configuration, logs, cached outputs — is encrypted using your cloud provider's native encryption (AWS KMS, Azure Key Vault, GCP KMS) or your own key management system.

Data in Transit

All communication between agents and integrated systems uses TLS 1.3. The management tunnel between your environment and our monitoring dashboard uses mutual TLS with certificate pinning.

Key Management

You control all encryption keys. We never have access to your master keys. Agent credentials are stored in your secrets manager — not ours.

Access Controls

Least-Privilege Access

Our management access follows the principle of least privilege. We can update agent configurations and view performance metrics — nothing more.

  • Role-based access with time-bound sessions
  • No access to your business data, databases, or file systems
  • All access logged with immutable audit trail
  • Break-glass procedures require dual approval
  • Access revocable by you at any time — instantly

Authentication

Management access requires SSO integration with your identity provider, multi-factor authentication, and IP allowlisting. We work within your existing IAM policies.

Compliance

SOC 2 Type II — In Progress

We are actively pursuing SOC 2 Type II certification. Our target completion date is Q3 2026. In the meantime, we provide detailed security questionnaire responses and are happy to work with your security team directly.

Frameworks We Support

Our deployment practices are designed to be compatible with your existing compliance requirements:

GDPR HIPAA SOX ISO 27001 PCI DSS CCPA FCA NIST CSF

Data Processing Agreements

We sign DPAs that reflect the reality of our architecture: we manage agents, we don't process your data. Our legal framework is built around this distinction.

Questions about security?

We're happy to walk through our architecture with your security and compliance teams.

Book a Security Review