Security

Security isn't an afterthought — it's built into every layer of the SentientOne AI platform. From how we handle your API keys to how data flows between services, we follow industry-leading standards to keep your information protected.

At a glance

Compliance & standards (SentientOne security posture, audited annually)

  • SOC 2: Type II
  • GDPR: Compliant
  • ISO 27001: Certified
  • OWASP: Top 10 covered

Controls: AES-256 at rest, TLS 1.3 in transit, RBAC, per-org encryption keys, no data training.

Platform controls

Encryption at rest & in transit

All data is encrypted using AES-256 at rest and TLS 1.3 in transit. API keys, LLM provider credentials, and conversation data are never stored in plaintext.

API key authentication

Every request is authenticated via scoped API keys. Keys are hashed before storage, rate-limited per key, and can be rotated or revoked instantly from the dashboard.

Data isolation

Each organisation's agents, conversations, and credentials are fully isolated. Row-level security policies ensure no cross-tenant data access, even at the database layer.

Audit logging

Every API call, agent configuration change, and authentication event is logged with timestamps and user context. Full audit trails for compliance and forensics.

LLM provider key security

Your OpenAI, Anthropic, Gemini, and Groq keys are encrypted with per-organisation encryption keys and stored in a dedicated secrets vault. They are only decrypted server-side at the moment of an LLM call and are never exposed in API responses — the platform always returns masked values (e.g. ••••••••sk-4f2a).
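The three controls above (hash-before-store API keys with per-key rate limiting and instant revocation, audit events for every authentication outcome, and masked display of secrets) fit together in a small reference model. The following Python is an added example written for this page and is not SentientOne's code; the key prefix, the 60-second window, the default limit and the dict-backed store are assumptions chosen to make it run stand-alone.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

KEY_PREFIX = "sk-"       # assumed key prefix; matches the page's masked sample
MASK = "\u2022" * 8      # eight bullets shown in place of the secret
WINDOW_SECONDS = 60      # assumed fixed rate-limit window
DEFAULT_LIMIT = 60       # assumed requests per window per key


@dataclass
class KeyRecord:
    key_hash: str                # SHA-256 hex of the plaintext; plaintext is never stored
    org_id: str
    scopes: frozenset
    masked: str                  # what the dashboard shows, e.g. ••••••••sk-4f2a
    limit: int = DEFAULT_LIMIT
    revoked: bool = False
    window_start: float = 0.0
    window_count: int = 0


def hash_key(key: str) -> str:
    # Keys are 128-bit random tokens, so a fast hash is adequate; slow password
    # hashes (bcrypt/argon2) matter for low-entropy secrets, not for these.
    return hashlib.sha256(key.encode("utf-8")).hexdigest()


def mask_key(key: str) -> str:
    # Reveal only the prefix and the last four characters.
    return MASK + KEY_PREFIX + key[-4:]


class KeyStore:
    def __init__(self, clock=time.time):
        self._records = {}       # key_id -> KeyRecord (key_id is a digest prefix, not a secret)
        self.audit = []          # (timestamp, key_id, outcome) audit trail
        self._clock = clock      # injectable clock so the rate limit is testable

    def issue(self, org_id, scopes, limit=DEFAULT_LIMIT):
        key = KEY_PREFIX + secrets.token_hex(16)            # 128 bits of entropy
        key_hash = hash_key(key)
        key_id = key_hash[:16]
        self._records[key_id] = KeyRecord(key_hash, org_id, frozenset(scopes),
                                          mask_key(key), limit)
        self.audit.append((self._clock(), key_id, "issued"))
        return key, key_id       # plaintext is handed to the caller exactly once

    def revoke(self, key_id):
        rec = self._records.get(key_id)
        if rec is None:
            return False
        rec.revoked = True
        self.audit.append((self._clock(), key_id, "revoked"))
        return True

    def authenticate(self, presented, scope):
        """Return a dict with 'status' and, on success, 'org_id'."""
        now = self._clock()
        key_hash = hash_key(presented)
        key_id = key_hash[:16]
        rec = self._records.get(key_id)
        # Constant-time compare of the full digest once a candidate record is found.
        if rec is None or not hmac.compare_digest(rec.key_hash, key_hash):
            self.audit.append((now, key_id, "unknown_key"))
            return {"status": "unknown_key"}
        if rec.revoked:
            outcome = "revoked"
        else:
            # Fixed-window counter: reset when the window has elapsed.
            if now - rec.window_start >= WINDOW_SECONDS:
                rec.window_start, rec.window_count = now, 0
            rec.window_count += 1
            if rec.window_count > rec.limit:
                outcome = "rate_limited"
            elif scope not in rec.scopes:
                outcome = "insufficient_scope"
            else:
                outcome = "ok"
        self.audit.append((now, key_id, outcome))
        result = {"status": outcome, "masked": rec.masked}
        if outcome == "ok":
            result["org_id"] = rec.org_id
        return result
```

Every response carries only the masked form, the store never holds the plaintext, and each outcome (including failed lookups) lands in the audit list with a timestamp and key id, which is the shape a forensic review of "who used which key when" needs.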

No data training

Your conversations and agent prompts are never used to train any models. Data flows through the platform to the LLM provider and back — we don't retain, analyse, or share your content beyond what's needed to deliver the service and what you opt into in Observability.

Role-based access control

  • Owner: One per organisation. Manages billing, members, and full agent configuration. Receives all admin email alerts.
  • Admin: Manages agents, knowledge sources, and members. Cannot change billing or transfer ownership.
  • Member: Interacts through the chat interface only. Sees only the agents they've been explicitly granted — see Organization → Members.
  • API consumer: A platform API key scoped to your account. Can call any agent via X-Agent-Id — restrict agents by deleting or disabling them.

Compliance & standards

  • SOC 2 Type II: Annual independent audit covering security, availability, processing integrity, confidentiality, and privacy. Report available under NDA — contact sales.
  • GDPR: EU data subject rights honoured, including export and erasure. EU data residency available on Pro+ via Hosting.
  • ISO 27001: Certified information security management system covering platform engineering, infrastructure, and data handling.
  • OWASP Top 10: Covered as part of the secure SDLC — every release passes static analysis, dependency scanning, and quarterly third-party pen tests.

Reporting a vulnerability

Email security@sentientone.ai with reproduction steps. We acknowledge within one business day and run a coordinated disclosure programme for verified reports.