Agents Makers

Security

How we handle the data your agent touches.

Agents Makers is built for mid-market finance, legal, and operations teams, the people who sign off on a deployment before the engineers do. Security and governance are in the product from day one, not a compliance afterthought.

Draft, pending legal review. The text on this page is a starter version and is subject to change before launch. Contact ngarzotto@interactive.ai for the contractual terms in effect today.

Data-handling defaults

  • EU-region hosting by default (Supabase, PostHog, InteractiveAI runtime).
  • TLS 1.2+ in transit. Database-at-rest encryption via cloud-provider default.
  • Row-level security on all catalog tables; least-privilege access control.
  • Agent actions logged with timestamp, decision rationale, and version of the policy that produced the action.
  • Retention windows configurable per engagement; default is 24 months for operational logs, deletion on request where contractually permitted.

Where your data lives

  • Website + catalog: Vercel edge (EU routing) + Supabase (EU-West-1).
  • Analytics: PostHog (EU region, Frankfurt).
  • Agent runtime: InteractiveAI, EU-region by default; US or in-region hosting available on contract.
  • Email delivery: Resend (EU routing available).
  • Error monitoring: Sentry (region selected per project).

Governance controls on deployed agents

  • Scope boundaries: every capability has an explicit list of integrations, data sources, and allowed actions. Nothing happens outside the configured scope.
  • Escalation rules: policy-sensitive cases, VIP senders, and out-of-scope requests route to a human owner with context attached.
  • Evaluator tests: every capability ships with a regression test suite run on every policy update.
  • Versioned changelog: prompt, policy, and tool changes are versioned. You can answer "what did the agent know when it did that?" months after the fact.
  • Monthly business review: included with every operating retainer, covers incidents, drift, and roadmap.

Certifications + compliance posture

  • GDPR: processor-side DPA available on request.
  • SOC 2: InteractiveAI runtime operates under SOC 2 Type II controls; Agents Makers' own SOC 2 readiness program is in progress for 2026.
  • EU AI Act: each role is classified at the capability level (minimal / limited / high risk). Classification is part of the scoping artifact and is reviewed when the role's scope changes.
  • ISO 27001: target certification window under evaluation.

Reporting a security issue

If you believe you've found a security vulnerability, email ngarzotto@interactive.ai with a description and reproduction steps. We acknowledge all reports within two business days.
