AgentSure
← Back to Legal
AgentSure Legal · v0.1

Security

Effective 2026-05-13 · AgentSure Pte. Ltd. (UEN 202620442W)

A practical overview of the controls protecting customer data on AgentSure Quantify and related products. This page is updated as we ship new safety primitives.

1. Data at rest

  • Customer-provided LLM API keys: AES-256-GCM encryption with a per-key random nonce, stored in PostgreSQLmodels table columns (ciphertext, nonce, kid). Plaintext keys are never written to disk, logs, or audit records.
  • Database: Supabase Postgres (ap-southeast-1), AES-256 disk encryption by the cloud provider, automated backups with 7-day Point-in-Time Recovery.
  • Storage bucket: Supabase Storage reports bucket (private), accessed via signed URLs only.

2. Data in transit

  • TLS 1.3 minimum on all external endpoints (orchestrator API, web app)
  • Internal service-to-service traffic on Railway private networking
  • Postgres connections via Supavisor pooler with mandatory TLS

3. Access control

  • User authentication: Supabase Auth (HS256 JWT signed with project secret).
  • Application-layer scope guard: every API route enforces customer_id matching against the authenticated user's tenant.
  • Database-layer Row-Level Security (RLS): enabled on 10 tenant tables (customers, users, models, jobs, qe_runs, metrics, reports, ql_reviews, evidence_docs, controls). Service-role bypasses RLS for orchestrator operations; all other roles are tenant-scoped.
  • Internal access: AgentSure personnel access is tied to individual SSO identities (work email + 2FA), with least-privilege role assignment.

4. Audit logging

Every write to tenant tables triggers an audit_log entry capturing actor, action, entity, and detail. The table is protected by a Postgres trigger that rejects UPDATE / DELETE / TRUNCATE, making the log append-only. Targeted retention is 7 years (subject to legal-hold requirements).

5. Report integrity

  • Every Assessment Report is hashed with SHA-256 at render time. The digest is stored in reports.signed_hash and shipped in the X-AgentSure-Signed-Hash response header.
  • Share-token URLs are HS256 JWTs signed with a dedicated secret (separate key space from Supabase Auth). Tokens carry a configurable TTL (60 s – 7 d) and an audience claim that prevents reuse.

6. Customer-provided API credentials

When a customer provides API credentials for adversarial testing, we enforce:

  • Credentials stored encrypted at rest as described in §1
  • Plaintext exists only in the worker process memory during the active Assessment
  • Customer must configure a spend cap of ≤ USD 500 on the provider account
  • Customer must rotate credentials within 7 days post-Assessment
  • Customer remains liable for all usage charges on their provider account
See Acceptable Use Policy §3 for the full credential-handling contract.

7. Incident response

  • Notification window: 24 hours from awareness, to give customers time to make their own 72-hour PDPC notification (PDPA s.26D) or GDPR Article 33 notification.
  • Monitoring: Sentry for application errors, BetterStack for service health, Supabase Logs for database activity, PostHog for usage anomalies.
  • Runbook: documented internally (RACI matrix + escalation tree). Available under NDA to Underwrite customers.

8. Data residency

We default to Singapore data residency:

  • Supabase Postgres + Storage: ap-southeast-1
  • Vercel edge: SG / HKG regions
  • Railway compute: SG region migration in progress (currently US-East — see Subprocessors for status)
  • Customer-elected LLM endpoints: customer's choice

9. Compliance roadmap

  • 2026-Q3: Internal SOC 2 readiness assessment
  • 2026-Q4: SOC 2 Type I report (3-month observation window)
  • 2027-Q3: SOC 2 Type II report (12-month observation)
  • 2027-Q4: ISO 27001 certification process
  • 2028-Q2: ISO 42001 (AI Management System) — once stable certification body emerges

10. Coordinated vulnerability disclosure

We welcome security research. To report a vulnerability, please email security@agentsure.tech with reproducible steps. We aim to acknowledge within 2 business days and remediate critical issues within 30 days. Bug bounty programme is not currently active.

11. Questions

For security questionnaires (SIG-Lite, CAIQ, custom), contact security@agentsure.tech. We can usually respond to standard questionnaires within 5 business days.

AgentSure Pte. Ltd. · UEN 202620442W · 160 Robinson Road #14-04 SBFC, Singapore 068914

Questions: legal@agentsure.tech

Version v0.1 · Last updated 2026-05-13