Safety by design
Letting agents take real action only works when you can trust the boundaries. OrgSDK isolates every tenant, encrypts every credential, scopes every tool, and records every run. This page states what is true today.
What is true today
Controls that ship out of the box
No enterprise add-on required. Each of these is part of every plan.
Per-tenant isolation
Each organisation has a separate security boundary. Agent state, credentials, and work do not cross tenant boundaries.
Encrypted credentials
API keys and OAuth tokens are encrypted at rest, limited to their approved scope, and not logged in plaintext.
Scoped plugins
Every tool an agent can call is an explicitly attached plugin, scoped per agent. Nothing reaches into your stack unless you wire it up.
Bounded workflow execution
Typed, versioned workflows can call only the tools enabled for their agent, keeping execution controlled and inspectable.
Human approvals
Pause any workflow for a human decision before a risky action. Approve, reject, or reply from the dashboard — every gate is recorded.
Audit & run logs
Every run records its steps, tool calls, and results. The activity feed is an append-only record of what your agents did, and when.
How credentials are handled
Your keys stay encrypted, scoped, and yours
- Encrypted at rest. OAuth tokens and API keys are encrypted at rest and available only within the approved scope where they are needed.
- Exposed through scoped plugins. Credentials remain limited to the agents and tools explicitly authorized to use them.
- Never logged in plaintext. Secrets are not written to logs, traces, or audit entries.
Current scope
What OrgSDK does not offer today
An honest statement of the boundaries of the current service — so nothing here is read as a commitment to a certification or feature that is not part of the product.
OrgSDK does not currently hold SOC 2, HIPAA, or equivalent attestations, and does not offer single sign-on (SSO) or dedicated infrastructure as a product. Nothing on this page should be read as a certification, a service-level agreement, or a statement of plans for any of the above.
Reporting a security issue
Found a vulnerability or have a security question for a review? Email us — we take responsible disclosure seriously.