Security

Security your team gets out of the box.

Scanners on every publish. Role-based access on every plan. A complete audit trail your security team can actually use.

Every plan

Four protections you don’t have to ask for.

These are not premium add-ons. Every AgentBundle account — Free included — ships with them by default, so the riskiest parts of running agents inside an org are covered before anyone has to think about them.

Secret scanner

Catches API keys, tokens, and credentials accidentally pasted into agent prompts or configs. Runs on every publish; if it trips, the publish is blocked before it can reach a teammate’s runtime.

Prompt-injection scanner

Catches jailbreak and override patterns hidden in agent prompts before downstream agents run them. Same publish-time gate as the secret scanner.

Role-based access

Owner, Admin, and Member roles per organization, enforced server-side — not just hidden in the UI. Your members only see and edit what their role permits.

Activity log

Every publish, install, edit, and role change is recorded with the actor and timestamp. The basic log ships on every plan; full retention and export are available on Business and above.

Business and above

Governance for teams that need a paper trail.

When your security or compliance team needs more than the always-on baseline, the Business tier adds controls you can hand to them with confidence.

Approval workflow

Configure N-required reviewers on agent publishes. Publishes hold until the configured reviewers sign off. Every approval and rejection lands in the audit log with the reviewer’s identity and timestamp.

Full audit log + export

Complete activity history with before/after diffs on every change. Export to CSV from the dashboard, or pull via the audit-export API for ingestion into your SIEM or warehouse.

Department-level admins

Delegate admin permissions to a specific department. The Sales department admin manages Sales agents; the Engineering department admin manages Engineering agents. Org owners retain final control.

Custom APM policy

Encode your organization’s rules — dependency allowlists, banned MCPs, allowed runtimes, required manifest fields — as policy that applies to every publish, every team. Detailed below.

APM policy

Lock down what your agents can do.

APM (Microsoft’s open packaging spec for agents) gives every package a manifest. Define an apm-policy.yml once. Every published agent in your org — across every team and every runtime — must comply. Enforced at publish, before a teammate can install anything that violates it.

Dependencies

Lock down which APM packages your agents can depend on.

  • Allowlist — glob patterns like org/** or community/safe-tools. Empty means open.
  • Denylist — blocked even if allowed by a pattern above (e.g. evil/**).
  • Required — packages every agent must include (e.g. org/baseline).
  • Cap — 1–10 dependencies per agent, or no cap.

MCP servers

Restrict which MCPs agents can require — and which transports are allowed.

  • Allowlist — registry refs or globs (e.g. github, linear). Empty means open.
  • Denylist — specific MCPs blocked (e.g. web-search).
  • Transports — pick from stdio, http, sse.
  • Transitive — MCPs pulled in indirectly must also pass the allowlist.

Compilation targets

Choose which apm pack --target outputs are allowed.

  • Claude Code
  • Cursor
  • GitHub Copilot
  • OpenCode
  • Gemini CLI
  • OpenAI Codex
  • Windsurf

Anything not selected is rejected at publish.

Manifest

Control what every apm.yml must declare and which scripts can run.

  • Required fields — every apm.yml must include them (e.g. description, license).
  • Allowed scripts — whitelist named scripts (e.g. build). Empty means no scripts allowed at all.

APM policy enforcement is available on Business and above. Policies are versioned and audited just like agents — every change shows up in the audit log with the actor, timestamp, and the prior policy text.
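The rules above, worked through as an added example that is not AgentBundle's own code: a small Python checker that evaluates a constructed manifest against a constructed policy and returns every violation a publish-time gate would block on. The dictionary shape, the target slugs and the transitive-MCP map are assumptions, since the page does not show the apm-policy.yml schema.

```python
from fnmatch import fnmatch

def _allowed(name, allow, deny):
    """Denylist wins; an empty allowlist means open. fnmatch's '*' also spans '/', so org/** works."""
    if any(fnmatch(name, p) for p in deny):
        return False
    return not allow or any(fnmatch(name, p) for p in allow)

def check_policy(manifest, policy, transitive_mcps=None):
    """Return the list of violations; an empty list means the publish may proceed."""
    v = []
    deps = manifest.get("dependencies", [])
    dp = policy.get("dependencies", {})
    v += [f"dependency not allowed: {n}" for n in deps
          if not _allowed(n, dp.get("allow", []), dp.get("deny", []))]
    v += [f"missing required dependency: {r}" for r in dp.get("required", []) if r not in deps]
    if dp.get("cap") is not None and len(deps) > dp["cap"]:
        v.append(f"dependency cap exceeded: {len(deps)} > {dp['cap']}")
    mp = policy.get("mcp", {})
    direct = manifest.get("mcps", [])  # each entry: {"name": ..., "transport": ...}
    # MCPs pulled in indirectly by a dependency must pass the same allow/deny lists (transitive rule).
    pulled = [s for d in deps for s in (transitive_mcps or {}).get(d, [])]
    for name in [m["name"] for m in direct] + pulled:
        if not _allowed(name, mp.get("allow", []), mp.get("deny", [])):
            v.append(f"MCP not allowed: {name}")
    v += [f"transport not allowed: {m['name']} via {m['transport']}" for m in direct
          if m["transport"] not in mp.get("transports", ["stdio", "http", "sse"])]
    v += [f"target not allowed: {t}" for t in manifest.get("targets", [])
          if t not in policy.get("targets", [])]
    mf = policy.get("manifest", {})
    v += [f"missing required field: {fld}" for fld in mf.get("required_fields", []) if fld not in manifest]
    # Asymmetry called out on the page: an EMPTY allowed-scripts list means no scripts may run at all.
    v += [f"script not allowed: {s}" for s in manifest.get("scripts", {})
          if s not in mf.get("allowed_scripts", [])]
    return v

# Constructed sample policy and manifest; target slugs are assumed names, not the real apm values.
POLICY = {
    "dependencies": {"allow": ["org/**", "community/safe-tools"], "deny": ["evil/**"],
                     "required": ["org/baseline"], "cap": 5},
    "mcp": {"allow": ["github", "linear"], "deny": ["web-search"], "transports": ["stdio", "http"]},
    "targets": ["claude-code", "cursor"],
    "manifest": {"required_fields": ["description", "license"], "allowed_scripts": ["build"]},
}
TRANSITIVE = {"community/safe-tools": ["web-search"]}  # constructed: MCPs each dependency pulls in
BAD = {"name": "sales-assistant", "description": "Drafts outreach emails",
       "dependencies": ["org/baseline", "community/safe-tools", "evil/helper"],
       "mcps": [{"name": "github", "transport": "stdio"}, {"name": "linear", "transport": "sse"}],
       "targets": ["claude-code", "windsurf"], "scripts": {"build": "make", "postinstall": "echo hi"}}
```

Running check_policy(BAD, POLICY, TRANSITIVE) reports six violations, including the web-search MCP that only arrives transitively through community/safe-tools.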

Version lifecycle

Take a bad version back.

Every publish is an immutable version. When something ships and you need to walk it back, the platform has three escape hatches.

Revert

Roll the canonical “live” pointer back to any prior version with one action. The bad version stays in history; the rolled-back version is what new installs pick up. Useful when you ship a regression and need to restore the last-known-good immediately.

Deprecate

Mark a version as deprecated. New installs of that version still succeed but ship with a warning header so consumers know to migrate. Existing consumers can keep running it while they upgrade. Useful for sunsetting old behavior gracefully.

Recall

Mark a version as recalled. New installs are blocked outright (HTTP 410 Gone). Use when a version contains a serious bug, a leaked secret, or a policy violation — anything that needs to stop spreading immediately. The audit log captures who recalled it and why.

All three are governed by the same role-based access and approval rules as publishing. The audit log records every status change with the actor, timestamp, and reason.

Your data exposure

What lives in AgentBundle, and what doesn’t.

Knowing the data surface is the first thing your security review will ask about. Here’s the short answer.

What’s stored

  • Agent definitions (prompts, skills, MCPs, guardrails)
  • Member metadata (work email, name, role)
  • Billing details
  • Audit events

What’s not

  • Conversation transcripts from your runtimes (Claude, Cursor, etc.)
  • Agent inputs or outputs at runtime
  • Anything we’d need to train a model on — we don’t operate one

Where it lives

Managed PostgreSQL operated by Neon, hosted in the United States. Encryption at rest is provided by the database; data in transit is TLS-protected. The full sub-processor list is in our privacy policy.

How it leaves

Account deletion is soft-delete first: the org is hidden from the UI immediately and queued for hard-delete after the retention window. Owners can restore during the window. Once hard-delete runs, the data is unrecoverable.

Compliance

What your auditors can rely on.

If your team needs an attestation or a specific regulatory answer, here’s where AgentBundle stands today and where it’s heading.

Attestations

Framework     | Status  | Notes
SOC 2 Type II | Planned | Pursued in line with enterprise customer demand.
ISO 27001     | Planned | Pursued in line with enterprise customer demand.

Regulations

Regulation  | What you can expect
GDPR        | Minimal personal data is collected and never transferred outside our processors. Org-wide data export and account deletion are available through the in-product danger-zone tools. A data processing addendum is available on request.
CCPA / CPRA | Data export and account deletion are supported for any organization that requests it. Personal information is not sold; the in-product opt-out is therefore unnecessary but always honored if requested.
HIPAA       | Business Associate Agreements are not currently signed; AgentBundle is not intended for storing protected health information. Reach out if your organization needs this.