Security & Trust

Your data stays yours. Always.

Your data is encrypted at rest and in transit, isolated per workspace, and never used to train models. Every agent action is logged with full provenance.

All systems operational

Controls

Security by default

Live

Encryption at rest & in transit

All data is encrypted at rest with AES-256 and in transit via TLS 1.3. Agent memory, task logs, workflow configs, and integration credentials are isolated per workspace.

Live

Full audit trail

Every agent action, decision, approval, and tool call is logged with full provenance — agent ID, timestamp, cost, input, output. You can query, export, or replay any event.

Live

No model training on your data

Your data is never used to train any model — ours or third-party. Workspace data is logically isolated. We make this a contractual guarantee, not a preference setting.

Live

Role-based access control

Granular RBAC across every workspace. Control who can create workflows, approve agent actions, view audit logs, and manage integrations — down to the individual agent level.

In progress

SOC 2 Type II

We are actively pursuing SOC 2 Type II certification. Our controls, policies, and audit processes are designed to meet the standard. Expected completion Q3 2026.

Disclosure

Reporting a security issue

We welcome security research and disclosure from the community. If you believe you've discovered a vulnerability affecting Harnyss, please report it to security@harnyss.ai.

Scope.In scope: the Harnyss platform at app.harnyss.ai and its APIs. Out of scope: third-party services we integrate with (please report those to the vendor directly), denial-of-service testing, social engineering of Harnyss employees or customers, physical attacks, and findings on systems you don't own or have explicit permission to test.

What to expect. We acknowledge reports within one business day and provide an initial assessment within five business days. Critical issues affecting customer data are remediated within seven days; lower-severity issues within thirty days.

Safe harbor. We will not pursue legal action against researchers who act in good faith, avoid privacy violations and service disruption, give us a reasonable opportunity to remediate before public disclosure (90 days by default), and only access data necessary to demonstrate the issue. Researchers acting outside these guidelines do not receive safe-harbor protections.

We currently do not operate a paid bug bounty programme, but we credit researchers who request it in our public security advisories.

Security questions?

We're happy to share our security documentation, answer specific questions, or schedule a technical review with your security team.

Contact security team