Security & Trust
We’re building Agenteam5 with security baked in from day one. This page lists exactly what we do today — not aspirational, not future state.
What we have today
Encryption
- HTTPS everywhere (HSTS preload-eligible, TLS 1.3).
- Database encryption at rest (Neon’s managed PostgreSQL).
- Sentry session replays mask all form inputs by default.
- Sensitive environment variables are stored as “sensitive” in Vercel and never echoed to logs.
Authentication & authorisation
- Authentication delegated to Clerk — supports email + Google sign-in, with MFA options.
- Passwords are never seen, stored, or transmitted by Agenteam5.
- Sensitive routes (/admin, billing, settings, integrations) require a valid Clerk session enforced at the middleware layer.
- Polar handles all card data; we never see PAN, CVC, or expiry. We only see the order outcome via signed webhook.
Operational controls
- Single-developer team, all code reviewed before merge to main.
- Dependency updates tracked; critical CVEs patched as they appear.
- Build and deploy from a single source of truth (GitHub main → Vercel production).
- Errors flow into Sentry; metrics into PostHog; we monitor both.
Data minimisation
- We collect only data needed to deliver the product (see the Privacy Policy).
- Application logs purge after 24 hours.
- Account deletion erases personal data within 30 days.
- OAuth tokens for connected integrations are held by Composio, not by us.
Sub-processors
The full list of sub-processors lives in the Privacy Policy. Each is named, scoped, and linked to their privacy notice.
Compliance roadmap
Agenteam5 is currently a small product. We are not yet certified against SOC 2, ISO 27001, or HIPAA. We follow the spirit of those frameworks (least privilege, encryption, vendor due diligence, incident response) and will pursue formal certification as customer demand justifies the audit cost. If a SOC 2 report is a hard requirement for your use of Agenteam5, please contact us — we can share our security questionnaire and discuss timelines.
We comply with GDPR (EU/EEA), UK GDPR, and CCPA/CPRA (California). Data Processing Addenda are available on request.
Responsible disclosure
Found a vulnerability? Please report it to security@agenteam5.com (or hello@agenteam5.com if the security alias isn’t set up yet) before disclosing publicly. Include a clear repro and the version/commit you tested. We will:
- Acknowledge within 72 hours.
- Triage and confirm within 7 days.
- Fix critical issues within 14 days; high within 30; lower severity on a best-effort basis.
- Credit you in the fix notes if you wish.
We do not currently run a paid bug bounty program. We will not take legal action against good-faith researchers who follow this policy and avoid harming users or data.
Incident response
If a security incident affects your data we will notify you by email without undue delay, in line with GDPR (within 72 hours of becoming aware of a personal data breach where required) and applicable breach-notification laws. Our notification will describe what happened, what data was affected, what we’re doing about it, and what you can do.
Status
Live system status, planned maintenance, and incident history will be available at status.agenteam5.com once published.