Security & Compliance
We built Simple Agent with security as a first-class constraint — not an afterthought. This page documents our technical controls, compliance posture, and commitments to customers.
Compliance Status
We report our compliance status honestly. "In progress" means controls are being implemented — not that we have a certificate.
| Standard | Status | Notes |
|---|---|---|
| SOC 2 Type II | Preparing evidence | Controls mapped; external report not yet issued. |
| GDPR | Controls mapped | Data minimisation, SCC/DPA materials, DPO contact, and data-subject request flows are prepared. |
| LGPD (BR) | Controls mapped | PII scrubbing, Art. 18 request handling, DPO contact, and data-retention controls are prepared. |
| HIPAA | Not assessed | Not currently pursued. Available on roadmap if enterprise demand warrants. |
| PCI DSS | N/A | Cardholder data is handled by Stripe-hosted Checkout and Customer Portal. The service never stores full card numbers or CVC. |
| ISO 27001 | Not pursued | Not currently on the roadmap. Security controls are mapped to NIST CSF instead. |
Security Architecture
Encryption
- Data at rest: Neon AES-256 full-disk encryption
- Data in transit: TLS 1.3 enforced on all routes (Vercel edge)
- Secrets: env-var only — never committed to VCS
Authentication & Authorization
- Magic-link passwordless auth (no password storage)
- JWT session tokens (jose HS256) — 30-day expiry
- Tenant isolation enforced across workspace-scoped routes
- SAML 2.0 SP-initiated SSO (Agency+ tier) — Okta, Azure AD, OneLogin, JumpCloud
Infrastructure Security
- SSRF protection: IPv4 + IPv6 private range block + DNS anti-rebinding
- Rate-limiting: per-IP/per-tenant abuse protection with Redis support and Postgres fallback
- Webhook signature validation for active channels and Stripe billing
- Row-Level Security (RLS) at Postgres level — agent_id isolation
Operational Security
- Security review waves documented internally
- Critical and high-severity findings tracked through fix verification
- CI gates: a11y axe-core hard pass + build EXIT 0 required
- Dependency updates tracked; no known high CVEs in production bundle
Data Privacy
PII Scrubbing
Recursive scrubbing of CPF, CNPJ, email, and phone numbers before data reaches Langfuse, Sentry, or any external log pipeline.
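An added example, not Simple Agent's own code: a recursive scrubber of the kind described above, walking nested objects, arrays and keys before a payload leaves for an external sink. The function names, placeholder tags and regular expressions are assumptions, and the sample event is constructed.

```javascript
// Added example: names, tags and patterns are assumptions, not Simple Agent's code.
// Input is assumed to be JSON-like data (plain objects, arrays, primitives).
// Order matters: CNPJ (14 digits) must run before CPF (11), and CPF before phone.
const PATTERNS = [
  ['[EMAIL]', /[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}/g],
  ['[CNPJ]', /\b\d{2}\.?\d{3}\.?\d{3}\/?\d{4}-?\d{2}\b/g],
  ['[CPF]', /\b\d{3}\.?\d{3}\.?\d{3}-?\d{2}\b/g],
  // Brazilian phone, optional +55 and area-code parentheses. Deliberately broad:
  // a bare 10-digit number is redacted too, since over-redaction is the safe failure.
  ['[PHONE]', /(?<!\d)(?:\+?55[\s-]?)?\(?\d{2}\)?[\s-]?9?\d{4}[\s-]?\d{4}\b/g],
];

function scrubString(s) {
  return PATTERNS.reduce((out, [tag, re]) => out.replace(re, tag), s);
}

// Returns a scrubbed deep copy; the input is never mutated.
function scrub(value, ancestors = new Set()) {
  if (typeof value === 'string') return scrubString(value);
  if (value === null || typeof value !== 'object') return value;
  if (ancestors.has(value)) return '[CIRCULAR]'; // true cycle, not a shared reference
  ancestors.add(value);
  let out;
  if (Array.isArray(value)) {
    out = value.map((v) => scrub(v, ancestors));
  } else {
    out = {};
    // Keys are scrubbed as well: maps keyed by email or document number are common.
    for (const [k, v] of Object.entries(value)) out[scrubString(k)] = scrub(v, ancestors);
  }
  ancestors.delete(value);
  return out;
}

// Constructed sample event, shaped like a payload bound for an external log sink.
const sampleEvent = {
  user: { email: 'maria@example.com', doc: '123.456.789-09' },
  messages: ['Ligue +55 (11) 91234-5678', { note: 'CNPJ 12.345.678/0001-95' }],
  byUser: { 'joao@example.com': 2 },
  count: 3,
};
console.log(JSON.stringify(scrub(sampleEvent)));
```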
Retention Controls
Default 90-day message retention. Configurable per workspace. Legal-hold mechanism available for enterprise.
LGPD Art. 18 Rights
Data export, deletion, and rectification available via Settings → Legal. Requests fulfilled within 15 days.
GDPR Rights
Same as LGPD rights. SCCs in place for cross-border transfers. DPO contact: dpo@simple-agent.me
No Training on Your Data
Your conversation data is never used to train our models or shared with model providers for training purposes.
Subprocessors
We use the following third-party services that may process personal data. All subprocessors are covered by DPAs or SCCs.
| Provider | Role | Location | Privacy Policy |
|---|---|---|---|
| Ollama Cloud | LLM inference via managed Ollama Cloud API | USA | Trust page ↗ |
| Vercel | Hosting, edge network, serverless functions | Global (edge) | Trust page ↗ |
| Neon | PostgreSQL database (SA-East-1 for BR clients) | BR (SA-East-1) | Trust page ↗ |
| Cohere | Text embeddings (embed-multilingual-v3) | USA / CA | Trust page ↗ |
| Resend | Transactional email delivery | USA | Trust page ↗ |
| Stripe | Subscription billing, hosted checkout, invoices, and customer portal | USA | Trust page ↗ |
| Sentry | Error monitoring (PII scrubbed before send) | USA | Trust page ↗ |
Vulnerability Disclosure
Reporting
Email security@simple-agent.me with a description of the vulnerability, reproduction steps, and impact assessment. We respond within 48 hours.
90-Day Disclosure
We follow a 90-day coordinated disclosure policy. After 90 days, we support public disclosure regardless of patch status, unless active exploitation is confirmed.
Scope
simple-agent.me and deployed subdomains. Widget embed code. API endpoints. Out of scope: denial-of-service attacks, social engineering, physical access.
Safe Harbour
Good-faith security research conducted within this policy will not be subject to legal action. We do not pursue researchers who act responsibly.
Incident Response
Breach Notification
Data breaches affecting personal data will be reported to affected customers within 72 hours of discovery, per GDPR Art. 33 and LGPD Art. 48.
Post-Mortem Commitment
Any security incident affecting customer data will result in a public post-mortem published within 30 days, regardless of severity.
Status Page
Public status page is planned for the custom-domain launch. Until then, incident notifications are handled by email for affected workspaces.
Need a custom security review?
Enterprise (Scale tier) customers can request a dedicated security questionnaire review, custom DPA negotiation, and architecture walkthrough.