Security Posture

Last updated: April 2026

Zero-Trust by Default

We design and ship all of our agents, retrieval-augmented generation systems, and control plane nodes with an implicit zero-trust architecture. Identity boundaries and multi-factor authentication requirements are enforced at the network layer before LLM processing occurs.

1. Data Architecture

When deploying a Secure Agent Platform node into your VPC, the application runs fully air-gapped from our headquarters. We utilize your own KMS keys to encrypt the local databases storing vector embeddings.

  • Local RAG: Vector indexing happens on your infrastructure.
  • Telemetry: Only masked latency and throughput metrics sync back.
  • Inference: Prompts never traverse the open internet.

2. Compliance & Threat Monitoring

Our internal systems and deployment packages undergo extensive automated scanning and manual penetration testing:

  • Bi-weekly static/dynamic code analysis (SAST/DAST).
  • Quarterly third-party grey-box penetration tests performed by elite Red Teams.
  • Continuous Container Vulnerability Scoring for all images pulled by `sap-cli`.
  • SOC 2 Type II attestation (report available under NDA).

3. Responsible Disclosure & Bug Bounty

We firmly believe in the power of the security research community. If you have discovered a vulnerability in the Secure Agent Platform control plane, CLI, or web interface, we encourage you to securely report it to us.

Please encrypt communications using our public PGP key and submit all technical details, including reproduction steps and payload captures, to:

security@sap.example.com