Security

Your data is safe. Here is how we protect your information at every level.

Encryption

All sensitive information — your API keys, passwords, and custom secrets — is encrypted before it is stored. We use AES-256-GCM, the same encryption standard used by banks and governments.

Your keys are only decrypted inside your agent's container, in memory, at the moment they are needed. They are never written to disk in plaintext, and they are never visible to anyone — not even our team.

Isolation

Every user gets their own private space on the platform. Think of it like having your own apartment in a building — you have your own keys, your own rooms, and no one else can enter.

• User isolation — Your agents, data, and secrets are completely separated from every other user. There is no way for one user's agents to see another user's data.
• Agent isolation — Each of your agents runs in its own container with its own dedicated resources (CPU, memory, storage). Agents cannot interfere with each other.
• Memory isolation — Each agent's long-term memory is private. An agent can only access its own memories, even within the same account. This is enforced at the database level, not just the application level.

Authentication

We use multiple layers of authentication to make sure only you can access your account and agents:

• Sign in with Google — We use Google OAuth with your company account for sign-in, so you do not need to create or remember a separate password.
• API authentication — Every API request requires a valid authentication key. Unauthorized requests are rejected immediately.
• Agent tokens — Each agent has its own unique security token that is automatically rotated. Communication between agents uses these secure tokens.

Infrastructure Security

The platform itself is built with security at every layer:

• Encrypted connections — All communication between services is encrypted using mutual TLS (mTLS). This means both sides of every connection verify each other's identity and encrypt the data in transit — like a phone call where both people must show ID before talking.
• Default-deny networking — No service can talk to another service unless it has been explicitly allowed. This prevents unauthorized access even if something goes wrong internally.
• Firewall rules — Only the necessary ports are open. Everything else is blocked by default.
• Short-lived credentials — Internal security tokens are automatically generated, short-lived, and rotated frequently. There are no long-lived passwords stored anywhere in the system.

BYOK Security Benefit

Autonomis uses a Bring Your Own Key model. You provide your own API key from your AI provider (Anthropic, Google, OpenAI, or Moonshot). This gives you a major privacy advantage:

Since your agent talks directly to the AI provider using your key, we never see your conversations. Messages flow directly between your agent and the AI provider. Autonomis provides the infrastructure, but your actual AI interactions remain completely private.

Safe Error Handling

When something goes wrong, the platform is careful about what information it shares. Error messages are kept generic on purpose — internal details like file paths, server names, and system configurations are never exposed. Detailed error information is only logged internally for our team to investigate.

Guaranteed Resources

Your agents always get their full dedicated resources. We use honest scheduling — we do not overcommit memory or CPU. This means your agents will not slow down or crash because other users are consuming too many resources.