Security Model¶
Ag2Trust is built with enterprise security requirements in mind. This document covers the security architecture and features.
Security Overview¶
┌─────────────────────────────────────────────────────────────┐
│ Security Layers │
├─────────────────────────────────────────────────────────────┤
│ Edge: Cloudflare WAF, DDoS Protection │
├─────────────────────────────────────────────────────────────┤
│ Transport: TLS 1.2+, HTTPS everywhere │
├─────────────────────────────────────────────────────────────┤
│ Authentication: Firebase JWT, API Keys │
├─────────────────────────────────────────────────────────────┤
│ Authorization: RBAC, Resource isolation │
├─────────────────────────────────────────────────────────────┤
│ Data: KMS encryption, PII redaction │
├─────────────────────────────────────────────────────────────┤
│ Runtime: Container isolation, Network segmentation │
└─────────────────────────────────────────────────────────────┘
Authentication¶
Dashboard Authentication¶
The Ag2Trust Dashboard uses Firebase Authentication:
- Email/password login
- Google OAuth 2.0
- Session management with secure tokens
- Automatic token refresh
API Authentication¶
The Customer API uses API key authentication:
API Key Security:
| Measure | Implementation |
|---|---|
| Storage | Bcrypt hash (never plain text) |
| Caching | Redis cache with 5-minute TTL |
| Format | cust_ prefix + 32+ character token |
| Revocation | Immediate effect |
Authorization (RBAC)¶
Role Hierarchy¶
Permission Matrix¶
| Action | Owner | Admin | Member | Viewer |
|---|---|---|---|---|
| View resources | Yes | Yes | Yes | Yes |
| Create/edit agents | Yes | Yes | Yes | No |
| Manage teams | Yes | Yes | Yes | No |
| Manage users | Yes | Yes | No | No |
| Manage providers | Yes | Yes | No | No |
| Manage API keys | Yes | No | No | No |
| Billing access | Yes | No | No | No |
| Delete organization | Yes | No | No | No |
Resource Isolation¶
All resources are scoped by organization (customer_id):
- Agents belong to organizations, not users
- Queries always filter by customer_id
- Cross-organization access is impossible
Data Encryption¶
At Rest¶
Provider Credentials (API Keys):
┌─────────────────────────────────────────────┐
│ KMS Envelope Encryption │
│ │
│ 1. Generate random DEK (AES-256) │
│ 2. Encrypt credential with DEK │
│ 3. Wrap DEK with KMS master key │
│ 4. Store: encrypted_credential + wrapped_DEK│
└─────────────────────────────────────────────┘
Database:
- PostgreSQL with encrypted connections (SSL required)
- Managed database with automatic encryption at rest
In Transit¶
| Connection | Encryption |
|---|---|
| Client → Cloudflare | TLS 1.2+ |
| Cloudflare → Origin | TLS 1.2+ (Full Strict) |
| Backend → Database | SSL required |
| Backend → Redis | TLS (rediss) |
| Agent → LLM Provider | TLS 1.2+ |
PII Protection¶
Ag2Trust automatically redacts PII in all content—both inbound (user messages) and outbound (agent responses).
Bidirectional Redaction¶
| Direction | What's protected | Example |
|---|---|---|
| Inbound | User messages to agents | "My email is john@example.com" → "My email is [EMAIL]" |
| Outbound | Agent responses to users | Responses are scanned before delivery |
| Audit logs | All logged content | PII-safe by default |
Detected PII Types¶
- Email addresses
- Phone numbers
- US Social Security Numbers
- Credit card numbers
- IP addresses
- Names (when detectable)
- Dates of birth
- Financial account numbers
Fail Mode Behavior¶
PII redaction has different fail modes depending on direction:
| Direction | Fail Behavior | Rationale |
|---|---|---|
| Inbound | Fail-closed (request blocked) | Don't process unredacted user PII |
| Outbound | Fail-open (response passes) | Availability over blocking responses |
| Audit logging | Fail-closed (placeholder logged) | Never store raw PII in logs |
Operational Consideration
If the PII service experiences an outage:
- Inbound requests return
503 Service Unavailable - Outbound responses may contain unredacted content from agent outputs
- Audit logs use
[PII_SERVICE_UNAVAILABLE]placeholder
Implementation¶
Ag2Trust uses Microsoft Presidio for PII detection and redaction. Redaction is centralized in a dedicated PII service—no other component performs PII detection.
Container Security¶
Agent Isolation¶
Each agent runs in an isolated Docker container:
Security measures:
- Non-root user execution
- Read-only /app directory
- Write access only to /workspace
- Resource limits (memory, CPU)
- No privileged capabilities
Network Segmentation¶
┌─────────────────────────────────────────┐
│ ag2trust-internal │
│ (Redis, PostgreSQL - no internet) │
├─────────────────────────────────────────┤
│ ag2trust-public │
│ (LLM API access only) │
└─────────────────────────────────────────┘
Agents are dual-homed:
- Internal: Redis messaging
- Public: LLM API calls only
Rate Limiting¶
Defense-in-depth rate limiting:
| Layer | Location | Limits |
|---|---|---|
| Edge | Cloudflare | Rate limited |
| Proxy | Nginx | Rate limited |
| Application | Backend | Rate limited by endpoint |
| Agent | Runtime | Rate limited by tool/runtime |
Audit Logging¶
Agent Audit Logs¶
All agent interactions are logged:
{
"timestamp": "2025-01-15T10:30:00Z",
"agent_id": "uuid",
"customer_id": "uuid",
"event_type": "message",
"content": "[REDACTED]",
"tokens_used": 150,
"model": "gpt-4o"
}
Note: Content is PII-redacted before storage.
Compliance Audit Logs¶
System events for compliance:
{
"timestamp": "2025-01-15T10:30:00Z",
"event_type": "user_login",
"actor_id": "user-uuid",
"customer_id": "uuid",
"ip_address": "[REDACTED]",
"details": {...}
}
Retention¶
| Log Type | Default Retention | Configurable |
|---|---|---|
| Agent audit logs | 90 days | 30-365 days |
| Compliance logs | 7 years | No |
Configure retention in Settings > Data Retention.
GDPR posture (avoid over-claims)¶
Ag2Trust includes controls that support GDPR-aligned operations (retention controls, audit logging, encryption), but this document should avoid blanket claims like “GDPR compliant” unless you can point to concrete legal/process artifacts.
Data Subject Rights¶
| Right | Implementation |
|---|---|
| Access | Export your data via Settings |
| Erasure | Delete organization removes all data |
| Portability | Export in machine-readable format |
| Rectification | Edit via Dashboard |
Data Retention¶
- Configurable retention periods (30-365 days)
- Automatic cleanup job runs daily
- Compliance audit logs retained for 7 years
Data Processing¶
- All data processed within your chosen region
- No data sharing with third parties (except LLM providers)
- LLM providers receive only message content (no PII metadata)
Security Best Practices¶
For Administrators¶
- Use strong passwords and unique credentials
- Rotate API keys regularly
- Limit user roles to minimum necessary
- Monitor audit logs for unusual activity
- Configure retention per compliance requirements
For Developers¶
- Never expose API keys in client-side code
- Use environment variables for credentials
- Validate webhook signatures for authenticity
- Implement retry logic with exponential backoff
- Handle rate limits gracefully
For System Prompts¶
# Good: Set boundaries
You must never:
- Share internal information
- Execute harmful commands
- Bypass safety guidelines
# Avoid: No boundaries
You are a helpful assistant (no constraints)
Incident Response¶
Reporting Security Issues¶
If you discover a security vulnerability:
- Do not disclose publicly
- Email: security@ag2trust.com
- Include detailed description
- We'll respond within 24 hours
See our Security Disclosure policy for scope and safe-harbor guidance.
Security Updates¶
- Critical patches deployed immediately
- Security advisories published as needed
- Customers notified of relevant issues
Compliance¶
Current (technical controls)¶
- PII redaction in audit logs
- Configurable data retention
- Audit trail for actions
Roadmap¶
- SOC 2 Type II (planned)
- HIPAA BAA (planned)
- ISO 27001 (planned)
Security Architecture Diagram¶
Internet
│
▼
┌─────────────────┐
│ Cloudflare │
│ WAF + DDoS │
└────────┬────────┘
│ TLS
▼
┌─────────────────┐
│ Nginx │
│ Rate Limiting │
└────────┬────────┘
│
┌─────────────┼─────────────┐
│ │ │
▼ ▼ ▼
┌─────────┐ ┌─────────┐ ┌─────────┐
│ Backend │ │Customer │ │ Admin │
│ API │ │ API │ │ Panel │
└────┬────┘ └────┬────┘ └────┬────┘
│ │ │
└─────────┬──┴────────────┘
│
┌──────────────┼──────────────┐
│ │ │
▼ ▼ ▼
┌────────┐ ┌─────────┐ ┌─────────┐
│ Redis │ │Postgres │ │ KMS │
│internal│ │ (SSL) │ │(encrypt)│
└────────┘ └─────────┘ └─────────┘
│
▼
┌─────────────────────────────────────┐
│ Agent Containers │
│ (isolated, non-root, rate-limited) │
└─────────────────────────────────────┘