Security

Built to protect your money, not just your data.

AgentGate is a financial tool. We don't settle for ordinary SaaS security levels. Here's exactly what we do to protect your account, your payments, and your history.

Login & access

  • Passwords are stored only as one-way hashes; nobody can read them, not even us
  • Two-factor authentication available for all accounts (code via mobile app)
  • Secure sessions: your login cannot be stolen from another website
  • Automatic logout if your organisation no longer exists (protection against ghost sessions)

Who can do what

  • Each organisation is completely isolated: a user in one organisation cannot see another organisation's data
  • Four permission levels: Owner, Admin, Approver, Viewer
  • Your AI can submit requests, but only a human can approve them
  • Each agent has its own access key β€” a compromised agent doesn't affect others

A history no one can touch

  • It is technically impossible to edit or delete a past event, even for us
  • Each action is chained to the previous one, so any tampering is immediately detectable
  • Approvals, rejections, role changes, webhook deliveries: everything is recorded
  • You can verify the full integrity of your history at any time
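As an added illustration of the chaining and verification claims above (example code written for this page, not AgentGate's implementation, whose record format is not shown here): each entry stores the hash of its predecessor, and a verifier walks the chain from a fixed genesis value. Field names and the sample events are constructed.

```python
import hashlib
import json

# Constructed sample events in the shape this page lists (submissions, approvals, role changes).
# Field names are hypothetical; the real record format is not shown on the page.
GENESIS = "0" * 64

def event_hash(prev_hash: str, event: dict) -> str:
    """Hash of an event bound to its predecessor; canonical JSON keeps serialisation stable."""
    payload = json.dumps(event, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(prev_hash.encode() + b"\n" + payload).hexdigest()

def append(log: list, event: dict) -> list:
    """Append an event, linking it to the hash of the previous entry (or GENESIS for the first)."""
    prev = log[-1]["hash"] if log else GENESIS
    log.append({"event": event, "prev_hash": prev, "hash": event_hash(prev, event)})
    return log

def verify(log: list) -> tuple:
    """Walk the chain. Returns (True, None) if intact, else (False, index of first broken entry)."""
    prev = GENESIS
    for i, entry in enumerate(log):
        if entry["prev_hash"] != prev or event_hash(prev, entry["event"]) != entry["hash"]:
            return False, i
        prev = entry["hash"]
    return True, None

def build_sample_log() -> list:
    log = []
    append(log, {"seq": 1, "type": "request.submitted", "actor": "agent:demo", "amount": 120})
    append(log, {"seq": 2, "type": "request.approved", "actor": "user:alice", "amount": 120})
    append(log, {"seq": 3, "type": "role.changed", "actor": "user:owner", "target": "user:bob", "role": "Approver"})
    return log

def tamper_and_check() -> tuple:
    """Edit a past event in place; verification breaks at that entry."""
    log = build_sample_log()
    log[1]["event"]["amount"] = 999_999  # retroactively change the approved amount
    return verify(log)

def tamper_and_rehash() -> tuple:
    """Also recompute the edited entry's own hash; the break moves to the next entry,
    whose stored prev_hash still names the original hash."""
    log = build_sample_log()
    log[1]["event"]["amount"] = 999_999
    log[1]["hash"] = event_hash(log[1]["prev_hash"], log[1]["event"])
    return verify(log)
```

Whoever controls the whole log can still rewrite every hash from the edited entry onward, so in practice the current head hash must be published or anchored somewhere the log writer cannot alter before the chain gives the "no one can touch it" guarantee.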

Infrastructure

  • Hosted in Europe by default (data subject to GDPR)
  • All communications encrypted in transit (HTTPS enforced everywhere)
  • Daily encrypted backups with point-in-time recovery on paid plans
  • Full isolation between test mode and production

No nasty surprises

  • Automatic duplicate detection: the same transaction can never be executed twice
  • Notifications sent to your system are signed, so they cannot be forged
  • Cap checks and payment creation are atomic, so there are no race conditions

How we work

  • Every code change is peer-reviewed before going to production
  • Automated testing and dependency vulnerability scanning on every deploy
  • Annual penetration test by a third-party firm (report available for Enterprise customers)
  • Production access only via time-limited sessions with two-factor authentication

Compliance

  • GDPR: Compliant. EU-hosted by default. Data Processing Agreement available on request.
  • SOC 2 Type 2: In progress. Observation period started Q1 2026. Target attestation: Q4 2026.
  • ISO 27001: Roadmap. Targeted for 2027 alongside our Enterprise plan rollout.
  • PCI DSS: N/A. We never process or store card data. Payments go through your own payment provider.
  • Data residency: Europe. Your data stays in Europe by default. Other regions available on Enterprise plans.
  • HIPAA: Out of scope. Healthcare-specific data is not currently supported. Contact us for industry-specific deployments.

Reporting a vulnerability

If you believe you've found a security issue, email us at security@agentgate.eu with reproduction details. We acknowledge within 24 hours and provide a fix timeline within 5 business days.

  • Please do not test on accounts other than your own.
  • Do not export data beyond what is needed to demonstrate the issue.
  • Give us a reasonable window before public disclosure (typically 90 days).

We publicly thank researchers who report issues (with their consent) once the problem is resolved.

Need our SOC 2 progress letter, the latest pentest summary, or a signed DPA?

Request our security packet →