Security

Safety by design

Letting agents take real action only works when you can trust the boundaries. OrgSDK isolates every tenant, encrypts every credential, scopes every tool, and records every run. This page states what is true today.

What is true today

Controls that ship out of the box

No enterprise add-on required. Each of these is part of every plan.

Per-tenant isolation

Each organisation has a separate security boundary. Agent state, credentials, and work do not cross tenant boundaries.

Encrypted credentials

API keys and OAuth tokens are encrypted at rest, limited to their approved scope, and not logged in plaintext.

Scoped plugins

Every tool an agent can call is an explicitly attached plugin, scoped per agent. Nothing reaches into your stack unless you wire it up.

Bounded workflow execution

Typed, versioned workflows can call only the tools enabled for their agent, keeping execution controlled and inspectable.

Human approvals

Pause any workflow for a human decision before a risky action. Approve, reject, or reply from the dashboard — every gate is recorded.

Audit & run logs

Every run records its steps, tool calls, and results. The activity feed is an append-only record of what your agents did, and when.

How credentials are handled

Your keys stay encrypted, scoped, and yours

  • Encrypted at rest. OAuth tokens and API keys are encrypted at rest and available only within the approved scope where they are needed.
  • Exposed through scoped plugins. Credentials remain limited to the agents and tools explicitly authorized to use them.
  • Never logged in plaintext. Secrets are not written to logs, traces, or audit entries.

Current scope

What OrgSDK does not offer today

An honest statement of the boundaries of the current service — so nothing here is read as a commitment to a certification or feature that is not part of the product.

OrgSDK does not currently hold SOC 2, HIPAA, or equivalent attestations, and does not offer single sign-on (SSO) or dedicated infrastructure as a product. Nothing on this page should be read as a certification, a service-level agreement, or a statement of plans for any of the above.

Reporting a security issue

Found a vulnerability or have a security question for a review? Email us — we take responsible disclosure seriously.

[email protected]

Let your agents act, within bounds

Choose a plan with tenant separation and oversight built in.