Data Handling
Zero Data Retention
AgentShield does not store, log, or persist the text you send for classification. Request payloads are processed in-memory and discarded immediately after the response is returned.
No training on your data. No analytics on your content. No exceptions.
Transport Encryption
All API traffic is encrypted with TLS 1.3. API keys are hashed with SHA-256 before storage. We never store plaintext keys.
Stateless Architecture
The classifier runs as a stateless service — no session state, no user profiles, no cross-request correlation. Each classification is independent.
Infrastructure
Hosted on Hetzner dedicated servers in Germany (EU). No data leaves the EU. No third-party sub-processors for classification.
Security Practices
- ✓ API Key Authentication: SHA-256 hashed keys with per-tier rate limiting. Bearer token or X-API-Key header.
- ✓ Input Validation & Size Limits: Max 10,000 characters per request. Strict JSON schema validation. No code execution.
- ✓ CORS & Rate Limiting: Per-key daily limits enforced at the gateway. Configurable per tier.
- ✓ No Raw Payload Logging: Usage logs track request counts, latency, and threat classification — never the input text.
- ✓ Open Benchmark & Transparency: Public benchmark on 5,972 samples with published F1, precision, and recall. Full failure analysis available at agentshield.pro/benchmark.
- ✓ Dependency Auditing: Automated dependency scanning. Minimal dependency footprint (FastAPI, PyTorch, sentence-transformers).
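The practices listed above (digest-only key storage with Bearer or X-API-Key authentication, per-key daily limits checked before the body is parsed, strict single-field JSON validation with the 10,000-character cap, and a usage record that carries metadata only) fit together in one request pipeline. The Python below is an added illustration written for this page; it is not AgentShield's own code. The tier names and daily limits, the 64 KiB raw-body cap, the exact one-field schema, the `as_` key prefix and the keyword stand-in for the classifier are constructed assumptions, not details taken from the service.

```python
"""Illustrative request pipeline (added example, not AgentShield's code)."""
import hashlib
import json
import secrets
import time

MAX_TEXT_CHARS = 10_000                 # stated limit on the page
MAX_BODY_BYTES = 64 * 1024              # assumption: cap raw body before parsing
ALLOWED_FIELDS = {"text"}               # assumption: schema is exactly one field
DAILY_LIMITS = {"free": 3, "pro": 1000}  # constructed per-tier daily limits


def hash_api_key(api_key: str) -> str:
    # Unsalted SHA-256 is adequate here only because the key is a random
    # 256-bit secret: unlike a password it cannot be guessed, so a slow KDF
    # buys nothing. The plaintext is never written anywhere.
    return hashlib.sha256(api_key.encode("utf-8")).hexdigest()


class KeyStore:
    """Holds digest -> tier and per-day counters; never the plaintext key."""

    def __init__(self):
        self._tiers = {}
        self._usage = {}  # digest -> (utc day number, requests so far)

    def issue(self, tier: str) -> str:
        key = "as_" + secrets.token_urlsafe(32)   # constructed key format
        self._tiers[hash_api_key(key)] = tier
        return key  # shown to the caller once; only its digest is kept

    def authenticate(self, presented: str):
        digest = hash_api_key(presented)
        tier = self._tiers.get(digest)
        return None if tier is None else (digest, tier)

    def consume(self, digest: str, tier: str, now: float) -> bool:
        day = int(now // 86400)
        stored_day, count = self._usage.get(digest, (day, 0))
        if stored_day != day:
            count = 0  # new UTC day resets the per-key counter
        if count >= DAILY_LIMITS[tier]:
            return False
        self._usage[digest] = (day, count + 1)
        return True


def extract_api_key(headers: dict):
    # Accept "Authorization: Bearer <key>" or "X-API-Key: <key>".
    h = {k.lower(): v for k, v in headers.items()}
    auth = h.get("authorization", "")
    if auth.startswith("Bearer "):
        return auth[7:].strip() or None
    return h.get("x-api-key") or None


class ValidationError(ValueError):
    pass


def validate_body(raw: bytes) -> str:
    """Strict schema: a JSON object whose only field is the string 'text'."""
    if len(raw) > MAX_BODY_BYTES:
        raise ValidationError("body exceeds size limit")
    try:
        body = json.loads(raw)
    except ValueError:  # covers JSONDecodeError and bad UTF-8
        raise ValidationError("body is not valid JSON")
    if not isinstance(body, dict) or set(body) != ALLOWED_FIELDS:
        raise ValidationError("body must be an object with only a 'text' field")
    text = body["text"]
    if not isinstance(text, str):
        raise ValidationError("'text' must be a string")
    if len(text) > MAX_TEXT_CHARS:
        raise ValidationError(f"'text' exceeds {MAX_TEXT_CHARS} characters")
    return text


def handle_request(headers, raw_body, store, classify, now=None):
    """Returns (http_status, response_dict, usage_record)."""
    started = time.perf_counter()
    now = time.time() if now is None else now
    # Fixed metadata fields only: there is no slot that could hold the input.
    record = {"ts": now, "status": None, "latency_ms": None,
              "verdict": None, "key_prefix": None}

    def finish(status, payload, verdict=None):
        record.update(status=status, verdict=verdict,
                      latency_ms=round((time.perf_counter() - started) * 1000, 2))
        return status, payload, record

    key = extract_api_key(headers)
    auth = store.authenticate(key) if key else None
    if auth is None:
        return finish(401, {"error": "invalid or missing API key"})
    digest, tier = auth
    record["key_prefix"] = digest[:12]  # digest prefix for correlation, never the key
    if not store.consume(digest, tier, now):  # limit enforced before parsing
        return finish(429, {"error": "daily limit reached"})
    try:
        text = validate_body(raw_body)
    except ValidationError as e:
        return finish(400, {"error": str(e)})
    verdict = classify(text)
    del text  # payload lives only for the classification call
    return finish(200, {"classification": verdict}, verdict)


def demo_classifier(text: str) -> str:
    # Constructed keyword stand-in for the model; not a real detector.
    return "threat" if "ignore previous instructions" in text.lower() else "benign"


if __name__ == "__main__":
    store = KeyStore()
    key = store.issue("free")
    body = json.dumps({"text": "Summarise this ticket for me."}).encode()
    print(handle_request({"X-API-Key": key}, body, store, demo_classifier))
```

Because the usage record is built from a fixed set of metadata fields and the payload is released as soon as the classifier returns, nothing downstream of the handler can log or persist the input text. The unsalted SHA-256 is appropriate only because the key is a random high-entropy secret; the same scheme would be wrong for user passwords.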
Compliance Roadmap
Data Processing Addendum (DPA)
Q2 2026 — Complete. GDPR-ready DPA available on request. Covers data handling, retention (none), sub-processors (none), and breach notification.
EU Data Residency
Q2 2026 — Complete. All compute and storage within EU (Hetzner, Germany). No transatlantic data transfer.
SOC 2 Type I Readiness Assessment
Q3 2026 — In Progress. Gap analysis against the Security, Availability, and Confidentiality trust service criteria. Current status:
- Done: Access controls (API key auth, per-tier rate limiting), encryption in transit (TLS 1.3), zero data retention policy, change management via Git, incident response process, responsible disclosure policy
- In progress: Formal risk assessment documentation, vendor management policy, employee security training program, business continuity plan
- Planned: Audit firm engagement, evidence collection, control testing, readiness report
Self-Hosted Docker Image
Q2 2026 — Complete. Run the full classifier on your own infrastructure. No external API calls, no data egress. 17ms p50 latency on GPU.
SOC 2 Type II Audit
Q4 2026 — Planned. Full SOC 2 Type II certification with continuous monitoring over a 6-month observation period.
ISO 27001 Certification
Q1 2027 — Planned. International information security management system certification.
Responsible Disclosure
If you discover a security vulnerability in AgentShield, please report it to [email protected]. We aim to acknowledge reports within 24 hours and provide an initial assessment within 72 hours.
Questions about security?
Request our DPA, ask about compliance, or discuss your specific requirements.
Contact Us