Security & Trust
How we protect your data and earn your trust.
Last updated: May 2026
Data Residency
Your data is hosted on US-based cloud infrastructure with managed PostgreSQL databases. Each environment runs on isolated instances.
Encryption
All data in transit is encrypted with TLS 1.2 or newer. HSTS is enforced with a one-year max-age, includeSubDomains, and preload, so browsers never fall back to plaintext HTTP for our domains.
Stored secrets (webhook keys, integration tokens) are encrypted with Fernet, an authenticated symmetric scheme (AES-128-CBC with an HMAC-SHA256 tag), so a ciphertext that has been tampered with is rejected on decryption rather than silently decrypted. Database credentials and API keys are never stored in plaintext.
Tenant Isolation
All data queries are scoped to your organization at the database layer: the organization identifier is taken from the authenticated session and applied as a predicate on every query, not from anything the request supplies. There is no shared-tenancy data access; your traces, metrics, and logs are invisible to other organizations.
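As an added illustration (not AgentVista's code), the following shows the difference between a lookup filtered only by a caller-supplied id and one that also carries the tenant predicate. SQLite stands in for PostgreSQL so it runs offline; the table, rows and organization identifiers are constructed sample data.

```python
# Added example, not AgentVista's code: every read carries the org_id of the
# authenticated session. SQLite stands in for PostgreSQL so this runs offline;
# the rows below are constructed sample data.
import sqlite3
from typing import List, Optional, Tuple

Row = Tuple[int, str, str]  # (trace_id, org_id, name)


def build_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE traces (id INTEGER PRIMARY KEY, org_id TEXT NOT NULL, name TEXT NOT NULL)"
    )
    conn.executemany(
        "INSERT INTO traces VALUES (?, ?, ?)",
        [
            (1, "org_acme", "checkout-agent"),
            (2, "org_acme", "support-agent"),
            (3, "org_globex", "research-agent"),
        ],
    )
    return conn


def get_trace_unscoped(conn: sqlite3.Connection, trace_id: int) -> Optional[Row]:
    # Anti-pattern: the only filter is the caller-supplied id, so a tenant that
    # guesses or enumerates ids reads another tenant's trace (an IDOR).
    return conn.execute(
        "SELECT id, org_id, name FROM traces WHERE id = ?", (trace_id,)
    ).fetchone()


def get_trace(conn: sqlite3.Connection, org_id: str, trace_id: int) -> Optional[Row]:
    # The tenant predicate is part of the query itself; org_id comes from the
    # session, never from the request body or query string.
    return conn.execute(
        "SELECT id, org_id, name FROM traces WHERE id = ? AND org_id = ?",
        (trace_id, org_id),
    ).fetchone()


def list_traces(conn: sqlite3.Connection, org_id: str) -> List[int]:
    # Listing is scoped the same way: a tenant can only ever see its own ids.
    rows = conn.execute(
        "SELECT id FROM traces WHERE org_id = ? ORDER BY id", (org_id,)
    ).fetchall()
    return [r[0] for r in rows]
```

A cross-tenant request such as `get_trace(conn, "org_globex", 1)` returns `None` even though trace 1 exists, whereas the unscoped variant hands it over.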
PII Redaction
AgentVista applies configurable PII redaction at ingestion time. You define regex patterns per organization, and matching values (API keys, email addresses, SSNs, and so on) are removed before the event is written to the database.
Redaction is pattern-based, so it catches only the formats your patterns describe; review them against the payloads your agents actually emit, and order them so the most specific pattern runs first.
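The following is an added example of ingestion-time regex redaction, not AgentVista's implementation: a small pattern table is applied to every string in a nested trace payload before it would be stored. The three patterns, the placeholder format and the sample event are constructed for illustration.

```python
# Added example, not AgentVista's code: regex redaction walked over a nested
# trace payload before storage. Patterns, placeholders and SAMPLE_EVENT are
# constructed for illustration.
import re
from typing import Any, List, Pattern, Tuple

# Most specific pattern first so an API key is not partially consumed by a
# looser pattern; the "sk-" prefix is an assumed key format.
DEFAULT_PATTERNS: List[Tuple[str, Pattern[str]]] = [
    ("API_KEY", re.compile(r"\bsk-[A-Za-z0-9]{16,}\b")),
    ("EMAIL", re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")),
    ("SSN", re.compile(r"\b\d{3}-\d{2}-\d{4}\b")),
]


def redact_text(text: str, patterns=DEFAULT_PATTERNS) -> Tuple[str, int]:
    """Replace every match with a labelled placeholder; return (text, count)."""
    total = 0
    for label, pattern in patterns:
        text, n = pattern.subn(f"[REDACTED:{label}]", text)
        total += n
    return text, total


def redact_event(event: Any, patterns=DEFAULT_PATTERNS) -> Tuple[Any, int]:
    """Recursively redact every string leaf of a dict/list payload.

    Returns a new structure and the number of replacements; the input is not
    mutated, so the caller can still log the count without the raw data.
    """
    if isinstance(event, str):
        return redact_text(event, patterns)
    if isinstance(event, dict):
        out, total = {}, 0
        for key, value in event.items():
            out[key], n = redact_event(value, patterns)
            total += n
        return out, total
    if isinstance(event, list):
        out, total = [], 0
        for value in event:
            cleaned, n = redact_event(value, patterns)
            out.append(cleaned)
            total += n
        return out, total
    return event, 0  # numbers, booleans and None pass through unchanged


# Constructed sample trace event containing an email, an SSN and two API keys.
SAMPLE_EVENT = {
    "input": "Contact me at jane.doe@example.com, SSN 123-45-6789",
    "metadata": {
        "headers": {"authorization": "Bearer sk-abcdefghijklmnopqrstuvwxyz"},
        "latency_ms": 412,
    },
    "steps": ["tool call ok", "retry with key sk-1234567890abcdefghij"],
}
```

`redact_event(SAMPLE_EVENT)` returns the cleaned payload and a count of 4, one per finding; the count is safe to emit as a metric, the raw matches are not.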
Authentication
- API key authentication: keys are stored only as SHA-256 digests, never in the clear, and each key carries a scope (read / write / admin) that is checked on every request.
- Dashboard access via JWT: short-lived access tokens, with refresh tokens rotated on each use.
- Rate limiting on all authentication endpoints.
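As an added example (not AgentVista's code) of the API-key half of the list above: keys are generated from the OS CSPRNG, only their SHA-256 digest is retained, and a scope check runs on every authentication. A plain SHA-256 is adequate only because these keys are random values with around 256 bits of entropy; a user-chosen password would need a slow, salted hash instead. The `av_` prefix and the in-memory store are assumptions for the example.

```python
# Added example, not AgentVista's code: hashed API keys with scoped
# permissions. The "av_" prefix and the in-memory store are assumptions.
import hashlib
import secrets
from typing import Dict, Optional

SCOPE_RANK = {"read": 0, "write": 1, "admin": 2}  # higher scope implies lower


def digest_key(api_key: str) -> str:
    # Unsalted SHA-256 is acceptable because the key is a random ~256-bit
    # secret, not a human-chosen password; brute force is infeasible.
    return hashlib.sha256(api_key.encode("utf-8")).hexdigest()


class ApiKeyStore:
    def __init__(self) -> None:
        self._by_digest: Dict[str, Dict[str, str]] = {}

    def issue(self, org_id: str, scope: str) -> str:
        """Create a key, persist only its digest, and return the key once."""
        if scope not in SCOPE_RANK:
            raise ValueError(f"unknown scope {scope!r}")
        api_key = "av_" + secrets.token_urlsafe(32)  # 32 bytes from the CSPRNG
        self._by_digest[digest_key(api_key)] = {"org_id": org_id, "scope": scope}
        return api_key  # the caller sees this exactly once; we keep the digest

    def revoke(self, api_key: str) -> bool:
        return self._by_digest.pop(digest_key(api_key), None) is not None

    def authenticate(self, presented: str, required_scope: str) -> Optional[Dict[str, str]]:
        """Return the key's record if it exists and satisfies required_scope."""
        record = self._by_digest.get(digest_key(presented))
        if record is None:
            return None  # unknown or revoked key
        if SCOPE_RANK[record["scope"]] < SCOPE_RANK[required_scope]:
            return None  # valid key, but its scope does not cover this action
        return record

    def stores_plaintext(self, api_key: str) -> bool:
        # Sanity check a reviewer can run: the raw key must never be a lookup key.
        return api_key in self._by_digest
```

A `write` key authenticates for `read` and `write` endpoints but not for `admin`; after `revoke` the same key fails for every scope.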
Security Headers
Every response includes hardened security headers: a Content-Security-Policy with nonce-based script loading (a fresh nonce per response, so inline scripts without it do not run), X-Frame-Options: DENY, Referrer-Policy: strict-origin-when-cross-origin, and HSTS with preload.
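The following added example (not AgentVista's code) shows what nonce-based CSP requires in practice: a fresh random nonce per response, the same value placed both in the `script-src` directive and on the `<script>` tag, and a check that mirrors the browser's decision. The exact CSP directives beyond `script-src` are assumptions; the HSTS value is the one-year policy with includeSubDomains and preload the page describes.

```python
# Added example, not AgentVista's code: per-response CSP nonce plus the other
# headers the page lists. Directives other than script-src are assumptions.
import re
import secrets
from typing import Dict, Tuple

HSTS = "max-age=31536000; includeSubDomains; preload"  # one year, as stated


def new_nonce() -> str:
    # 128 bits from the OS CSPRNG; generated once per response, never reused.
    return secrets.token_urlsafe(16)


def security_headers(nonce: str) -> Dict[str, str]:
    csp = (
        "default-src 'self'; "
        f"script-src 'nonce-{nonce}'; "
        "object-src 'none'; base-uri 'self'; frame-ancestors 'none'"
    )
    return {
        "Content-Security-Policy": csp,
        "X-Frame-Options": "DENY",  # frame-ancestors 'none' is the CSP equivalent
        "Referrer-Policy": "strict-origin-when-cross-origin",
        "Strict-Transport-Security": HSTS,
    }


def render(nonce: str, inline_js: str) -> str:
    # The template must receive the same nonce the header was built with.
    return f'<script nonce="{nonce}">{inline_js}</script>'


def respond(inline_js: str) -> Tuple[Dict[str, str], str]:
    nonce = new_nonce()
    return security_headers(nonce), render(nonce, inline_js)


def script_allowed(headers: Dict[str, str], html: str) -> bool:
    """Approximate the browser's check: every script tag's nonce must be
    listed in script-src. A tag with a stale or missing nonce is blocked."""
    m = re.search(r"script-src ([^;]+)", headers["Content-Security-Policy"])
    allowed = set(m.group(1).split()) if m else set()
    tags = re.findall(r'<script nonce="([^"]+)">', html)
    return bool(tags) and all(f"'nonce-{t}'" in allowed for t in tags)
```

Two consecutive responses carry different nonces, and a script tag copied from one response does not pass the policy of the other; this is what stops an attacker who can inject markup but cannot predict the nonce.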
CI/CD Security
Automated security scanning runs in CI on every pull request:
- Bandit — Python static application security testing (SAST).
- detect-secrets — pre-commit hook to prevent accidental credential leaks.
- pip-audit (Python) and npm audit (JavaScript) — dependency vulnerability scanning against known advisories.
Data Retention
Configurable retention periods based on your plan tier. Data is soft-deleted with a 24-hour grace period before permanent removal.
See the full Data Retention Policy for tier-specific details and deletion request procedures.
Breach Notification
We commit to notifying affected customers within 72 hours of confirming a data breach, consistent with GDPR Article 33 timelines.
Contact: security@agentvista.dev
Vulnerability Disclosure
We welcome responsible security research. See our full Vulnerability Disclosure Policy for scope, safe harbor, and reporting instructions.
Open-Source SDK
Our Python SDK is open-source — inspect the code that runs in your infrastructure before you deploy it. We believe transparency is fundamental to trust in the observability layer.