Trust & security

Customer data treated like our own.

AgentIQ is built for teams that handle real customer information. We default to tenant isolation, encrypted secrets, MFA-on for admins, and an audit trail you can export. Below is what's live today — and what's on the roadmap.

Encryption everywhere

TLS 1.3 for every request. AES-256-GCM at rest for sensitive credentials (IMAP passwords, channel tokens, OAuth refresh tokens). Cloud-managed KMS for envelope-encrypted secrets when available.

Per-organisation isolation

Multi-tenant by default with row-level workspace scoping. Every query is filtered by org id at the service layer — cross-tenant reads cannot happen by accident, and the same boundary enforces SSO logins.

RBAC + custom roles

Built-in roles (Admin, Manager, Agent, Viewer) plus org-defined custom roles with fine-grained permission keys. Role changes are audit-logged. Self-role-change is blocked.

Audit log

Append-only audit log records every state-changing action: claim, escalate, resolve, SSO sign-in, role change, export, MTD submit. Exportable to CSV for compliance evidence.

SSO via SAML

SP-initiated SAML 2.0 with signed assertion verification. Drop your IdP's signing cert, point the IdP at our ACS endpoint, and admins can enforce SSO at the org level.

Visibility for admins

Session list per user with one-click revoke. MFA is enforced for admin roles. Per-user notification preferences control who is reachable for which kind of alert.

Compliance & data handling

  • Data residency: production data lives in EU-region infrastructure. Customer choice of region is on the roadmap.
  • GDPR: right-to-erasure flow, data export endpoint, and per-org data-retention policies are exposed in workspace settings.
  • SOC 2: currently in pre-audit. We follow the control catalogue today; certification is in progress.
  • DPAs: available on request for any workspace on a paid plan.

Reporting a vulnerability

Found something? Email security@xonlabs.co.uk with a clear reproduction. We acknowledge within one business day and keep you updated through the disclosure cycle. We do not pursue good-faith researchers.

Need a custom security review?

Procurement, SIG-Lite, vendor questionnaires — we'll work with your team.
