Security and trust
Built for the certifications your auditors ask about.
Defense, aerospace, and industrial buyers expect receipts. AgentsArmy is built so every action by every agent is signed, immutable, and exportable.
Certifications and controls
SOC 2 Type II
In progress
Targeting Q3 2026 audit. Controls already in place: SSO, audit logs, rate limits, role based access, tenant cost controls.
ITAR ready handling
Available on request
Controlled documents stored in role restricted vaults. Field level redaction runs before any agent reads them. Every access logged.
AS9100 and NIST 800-171
Compliance flowdown automated
Certifications continuously verified at the supplier level. Auditor agent maintains an immutable record of every action.
US data residency
Always
All RFQ, drawing, and supplier data stored in US regions. No cross border movement.
Engineering controls
What sits underneath. The plumbing your security team will ask about line by line.
TLS 1.3 in transit
Every request between your browser, our servers, and our database.
Encryption at rest
AES-256 on all stored drawings, RFQs, quotes, and supplier records.
Row level security
Postgres RLS enforces tenant isolation. Shop A cannot read shop B data.
Signed audit log
Every agent action signed and timestamped. Exportable for external auditors.
Least privilege credentials
Service accounts scoped to the minimum permissions needed.
Provider data isolation
AI inference disables training on customer data where the provider supports it.
Subprocessors
The third party services we use to run AgentsArmy. Each receives only the data needed to perform its function.
| Provider | Purpose | Region |
|---|---|---|
| Supabase | Database and authentication | US |
| Vercel | Application hosting | US |
| Anthropic | Claude model inference | US |
| Resend | Transactional email | US |
| Stripe | Payments | US |
| Sentry | Error monitoring | US |
| PostHog | Product analytics | US |
| Cloudflare | DNS and email routing | Global |
Data handling
What happens to a drawing.
- 01 Ingestion: Drawings arrive over TLS 1.3 and are stored encrypted at rest in a role restricted Supabase bucket.
- 02 Redaction: For ITAR ready accounts, controlled fields are redacted before any agent reads them.
- 03 Inference: Anthropic Claude reads only the minimum context required. The provider is configured to disable training on our data.
- 04 Audit: Every read, every action, and every output is recorded with a signed timestamp. Exportable on demand.
- 05 Retention: Customer drawings stay in your account. Delete on request. Account deletion removes everything within 30 days.
Need a security questionnaire filled out?
Email the questionnaire and we will return it within 48 hours, signed.