Trust, stated honestly.
We're early, and we say so. Here's exactly how we handle your data, prove what happened, and earn our certifications.
Three commitments we'll hold ourselves to.
These aren't aspirations. They're how AegisMesh is built — the things a security team should be able to verify before trusting us with AI agents that touch real systems.
Your data stays in your environment
AegisMesh deploys into your own environment; we never see your code, prompts, or data — only the decisions and records you keep.
Tamper-proof by design
The record of what every agent did can't be quietly changed; it's the evidence that holds up in an audit or incident.
Least privilege, by default
Every agent is tied to a real owner and gets only the access it needs.
Where we are, said plainly.
We'd rather under-claim than overstate. Here's what's in place today, what's in progress, and what you can ask of us during onboarding — with nothing claimed that we don't yet hold.
SOC 2 Type II — in progress
We're actively pursuing SOC 2 Type II. We'll publish the report once it's earned — not before. Happy to share our current status and timeline under NDA.
Certifications published as earned
As we complete each certification and attestation, it goes here with its scope and date. No badges for things in flight — only what we can actually back up.
Security review at onboarding
We complete your security review — CAIQ, SIG, or your own questionnaire — during onboarding, and provide data-processing terms for your legal team to sign.
If you find a flaw, we want to hear it.
Good-faith security research makes everyone safer, and we treat it that way. We acknowledge reports within two business days, work to fix high-severity issues within thirty, and credit researchers who report responsibly. We won't pursue legal action against good-faith research conducted under our policy.
- Acknowledged within 2 business days
- High-severity issues fixed within 30 days
- Good-faith researchers credited, with no legal action
Read the full policy and how to report: coordinated disclosure.
The honest answers.
If your question isn't here, ask us — we'll give you the real answer, including where we're still early.
Where does our data live?
In your environment. AegisMesh deploys into infrastructure you control, and your data stays there. You decide which decisions and records to retain, and where they're stored — we don't pull your code, prompts, or customer data out to us.
What can AegisMesh see?
Only the decisions and records you choose to keep — for example, that an agent asked to take an action and whether it was allowed. We don't see the contents of your code, your prompts, or your customer data. The sensitive material stays inside your environment.
How do you prove what an agent did?
Every agent action is written to a record that's tamper-proof by design: entries can't be quietly altered or removed after the fact. Each action is tied to a real owner, so when an auditor or incident responder asks "who did this, and was it allowed?", you have evidence that holds up rather than a guess.
Are you SOC 2 certified?
Not yet — and we won't claim it until we are. SOC 2 Type II is actively in progress, and we'll publish the report here the moment it's earned. In the meantime we're glad to share our current status, timeline, and controls under NDA, and to complete your own security questionnaire during onboarding.
How do agents map to our people?
Every agent is tied to a real owner — a person and team from your own identity provider — and gets only the access it needs to do its job. So accountability is built in: an agent's actions trace back to an accountable human, and "the system did it" is never the end of the answer.
Have a security question? Talk to us.
Send us your questionnaire, your toughest question, or a request for our current compliance status. We'll answer honestly — including where we're still early.