Trust & Security

Your infrastructure. Your control.

Corporate Agents deploys managed agent infrastructure directly into your cloud account. Your credentials stay in your secret manager, your infrastructure stays on your bill — with enterprise security architecture from day one.

Your Cloud, Your Rules

Your infrastructure. Your credentials. Our managed platform.

Every deployment runs inside your cloud account. You own the infrastructure and the credentials. Corporate Agents deploys and manages proprietary agent containers under an ongoing service agreement.

Your data. Full stop.

We operate on a strict separation between access and ownership. Our team accesses your environment only to deploy and manage workloads — your data never enters our infrastructure, our systems, or our models.

  • We never train models on your data
  • We never store your data on our infrastructure
  • We never hold your API keys or service account credentials
  • We never access production environments without explicit authorisation
  • We never share your data with third parties
  • Customer data is processed exclusively within your cloud account
  • Data retention is controlled entirely by you — your policies, your schedules, your cloud
  • All agent outputs and intellectual property remain yours
01

Client-Hosted Default

Containers deployed into your Cloud Run (GCP), ECS Fargate (AWS), or Azure Container Apps. You own the infrastructure and pay your cloud bill directly.

Your infrastructure, your bill.
02

Credential Ownership

You provision your own LLM endpoints — Vertex AI, Bedrock, or Azure OpenAI. We access them via IAM roles and service accounts, never shared keys.

Zero shared secrets.
03

Data Sovereignty

Always deployed in Australian regions for AU clients — australia-southeast1, ap-southeast-2, or Australia East. Non-AU deployments follow your requirements.

Data stays where you need it.

Technical Controls

Defence in depth. Infrastructure as code.

Every layer — from agent code through container packaging to cloud infrastructure — is secured, version-controlled, and auditable.

4-Layer Architecture

01 Runtime Governance (Agent Governance Toolkit) — policy enforcement before every action
02 Agent Code (ADK / Foundry / Strands) — what the agent does
03 Container Image (Docker) — how it's packaged
04 Infrastructure (Terraform) — where it runs

Terraform manages every resource from project setup through compute, IAM, secrets, networking, and monitoring. Your security team reviews every plan before anything is applied.

All traffic enforced over HTTPS with HSTS. Security headers applied on every response: X-Content-Type-Options, Content-Security-Policy, X-Frame-Options, Referrer-Policy, and Permissions-Policy. Defence in layers from the network edge inward.
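A check for the header set listed above, added here as an example and not Corporate Agents' own code. It audits a response's headers case-insensitively, parses the HSTS max-age, and reports what is missing or weak; the baseline values and the one-year HSTS minimum are assumptions for the example, and the two sample responses are constructed.

```python
"""Audit a response's security headers against a baseline (added example,
not Corporate Agents' code; thresholds are assumptions, tune them to your policy)."""
from typing import Dict, List, Tuple, Union

# Expected value per header: None = presence only, str = exact value,
# tuple = one of these values. Constructed baseline for this example.
REQUIRED_HEADERS: Dict[str, Union[None, str, Tuple[str, ...]]] = {
    "Strict-Transport-Security": None,   # max-age is checked separately below
    "X-Content-Type-Options": "nosniff",
    "Content-Security-Policy": None,     # the policy itself is site-specific
    "X-Frame-Options": ("DENY", "SAMEORIGIN"),
    "Referrer-Policy": None,
    "Permissions-Policy": None,
}
MIN_HSTS_MAX_AGE = 31536000  # one year; assumed minimum for this example


def hsts_max_age(value: str) -> int:
    """Parse max-age out of an HSTS header value; -1 if absent or malformed."""
    for directive in value.split(";"):
        name, _, number = directive.strip().partition("=")
        if name.strip().lower() == "max-age":
            try:
                return int(number.strip().strip('"'))
            except ValueError:
                return -1
    return -1


def audit_headers(headers: Dict[str, str]) -> List[str]:
    """Return findings for a response's headers; an empty list means it passes."""
    lowered = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    findings: List[str] = []
    for name, expected in REQUIRED_HEADERS.items():
        value = lowered.get(name.lower())
        if value is None:
            findings.append(f"missing {name}")
        elif isinstance(expected, str) and value.strip().lower() != expected:
            findings.append(f"{name} should be '{expected}', got '{value}'")
        elif isinstance(expected, tuple) and value.strip().upper() not in expected:
            findings.append(f"{name} should be one of {expected}, got '{value}'")
    hsts = lowered.get("strict-transport-security")
    if hsts is not None and hsts_max_age(hsts) < MIN_HSTS_MAX_AGE:
        findings.append(f"Strict-Transport-Security max-age below {MIN_HSTS_MAX_AGE}")
    return findings


# Constructed sample responses: one hardened, one with gaps.
HARDENED = {
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains",
    "X-Content-Type-Options": "nosniff",
    "Content-Security-Policy": "default-src 'self'",
    "X-Frame-Options": "DENY",
    "Referrer-Policy": "no-referrer",
    "Permissions-Policy": "camera=(), microphone=()",
}
WEAK = {
    "strict-transport-security": "max-age=300",   # present, but far too short
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "ALLOWALL",                # not a valid hardening value
}

if __name__ == "__main__":
    for label, hdrs in (("hardened", HARDENED), ("weak", WEAK)):
        print(label, audit_headers(hdrs) or "OK")
```

Run it against the headers your edge actually returns (for example from a captured response) rather than against your configuration, since a proxy or CDN in front of the service can strip or override what the application sets.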

AES-256 encryption at rest for all stored artefacts. TLS 1.2+ enforced in transit with no fallback to older protocols. Customer-managed encryption keys (CMEK) supported on GCP, AWS KMS, and Azure Key Vault — your keys, your control.

SSO and OIDC integration supported for all administrative interfaces. Role-based access control (RBAC) enforced throughout. Least-privilege IAM roles applied per agent workload. MFA enforced for all administrative access — no exceptions.

Agent workloads deployed inside your VPC using private endpoints. No public internet exposure for agent compute. Security groups and firewall rules managed entirely via Terraform — reviewed, version-controlled, and auditable before any change is applied.

All inputs validated server-side via Pydantic models before any processing occurs. SQLAlchemy parameterised queries throughout — no raw SQL concatenation. Request size limits enforced on every endpoint to prevent abuse.
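The validate-then-parameterise flow described above, as an added example that is not Corporate Agents' code. It uses the standard-library sqlite3 module and a hand-written request model in place of SQLAlchemy and Pydantic so that it runs with no dependencies; the principle is identical. The concatenation anti-pattern is shown beside the parameterised form so the difference is observable on the same input, and the size limit is enforced before anything is parsed. Table rows, the size limit and the username rules are constructed for the example.

```python
"""Server-side validation, request size limits and parameterised queries
(added example, not Corporate Agents' code; sqlite3 stands in for SQLAlchemy,
a dataclass stands in for a Pydantic model)."""
import sqlite3
from dataclasses import dataclass
from typing import List

MAX_BODY_BYTES = 4096    # request size limit, constructed for this example
MAX_USERNAME_LEN = 64


@dataclass(frozen=True)
class LookupRequest:
    """Validated request model (stand-in for a Pydantic model)."""
    username: str

    @classmethod
    def parse(cls, raw_body: bytes) -> "LookupRequest":
        # Size limit first: reject oversized bodies before decoding or parsing them.
        if len(raw_body) > MAX_BODY_BYTES:
            raise ValueError("request body exceeds size limit")
        username = raw_body.decode("utf-8", errors="strict").strip()
        if not 1 <= len(username) <= MAX_USERNAME_LEN:
            raise ValueError("username length out of range")
        # Allow-list the character set rather than trying to block bad ones.
        if not username.replace("_", "").isalnum():
            raise ValueError("username contains disallowed characters")
        return cls(username=username)


def build_db() -> sqlite3.Connection:
    """In-memory table with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users (username, role) VALUES (?, ?)",
        [("alice", "admin"), ("bob", "analyst"), ("carol", "analyst")],
    )
    return conn


def find_user_unsafe(conn: sqlite3.Connection, username: str) -> List[str]:
    """The anti-pattern: raw SQL concatenation. Kept only to contrast with find_user."""
    sql = "SELECT username FROM users WHERE username = '" + username + "'"
    return [row[0] for row in conn.execute(sql)]


def find_user(conn: sqlite3.Connection, username: str) -> List[str]:
    """Parameterised query: the driver binds the value, so it can only match literally."""
    rows = conn.execute("SELECT username FROM users WHERE username = ?", (username,))
    return [row[0] for row in rows]


def handle_lookup(conn: sqlite3.Connection, raw_body: bytes) -> List[str]:
    """Endpoint flow: size limit and validation first, then the parameterised query."""
    req = LookupRequest.parse(raw_body)   # raises ValueError on invalid input
    return find_user(conn, req.username)


if __name__ == "__main__":
    db = build_db()
    untrusted = "' OR '1'='1"
    print("concatenated:", find_user_unsafe(db, untrusted))   # every row comes back
    print("parameterised:", find_user(db, untrusted))         # nothing matches
    print("endpoint:", handle_lookup(db, b"bob"))
```

The two layers are independent on purpose: validation rejects malformed input at the boundary, and parameterisation means that even a value which passes validation (or a code path that forgot to validate) cannot change the shape of the query.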

Configurable rate limits per endpoint, tuned to your workload requirements. Exponential backoff on repeated failures and X-RateLimit headers included in all API responses so client applications can handle limits gracefully.
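Both halves of the arrangement described above, as an added example that is not Corporate Agents' code: a per-endpoint fixed-window limiter that emits X-RateLimit-Limit, X-RateLimit-Remaining and X-RateLimit-Reset (plus Retry-After when a request is refused), and the client-side exponential backoff with jitter that consumes those headers. Endpoint names, limits and the window length are constructed; the clock is injectable so the behaviour can be checked without sleeping.

```python
"""Fixed-window rate limiting per client and endpoint with X-RateLimit headers,
and the client-side backoff that honours them (added example, not Corporate Agents' code)."""
import random
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, Tuple


@dataclass
class RateLimiter:
    """Counts requests per (client, endpoint) in fixed windows.

    `limits` maps endpoint -> allowed requests per window; `clock` is injectable
    so behaviour can be tested without sleeping.
    """
    limits: Dict[str, int]
    window_seconds: int = 60
    clock: Callable[[], float] = time.time
    _windows: Dict[Tuple[str, str], Tuple[int, int]] = field(default_factory=dict)

    def check(self, client_id: str, endpoint: str) -> Tuple[bool, Dict[str, str]]:
        """Decide one request and build the headers to return with the response."""
        limit = self.limits[endpoint]
        now = int(self.clock())
        window_start = now - now % self.window_seconds
        key = (client_id, endpoint)
        start, count = self._windows.get(key, (window_start, 0))
        if start != window_start:          # the window rolled over: reset the counter
            start, count = window_start, 0
        allowed = count < limit
        if allowed:
            count += 1
        self._windows[key] = (start, count)
        reset_at = start + self.window_seconds
        headers = {
            "X-RateLimit-Limit": str(limit),
            "X-RateLimit-Remaining": str(limit - count),
            "X-RateLimit-Reset": str(reset_at),   # epoch seconds when the window resets
        }
        if not allowed:
            headers["Retry-After"] = str(max(reset_at - now, 1))
        return allowed, headers


def backoff_delay(attempt: int, base: float = 0.5, cap: float = 30.0,
                  rng: Callable[[], float] = random.random) -> float:
    """Exponential backoff with full jitter: uniform in [0, min(cap, base * 2**attempt)]."""
    return rng() * min(cap, base * (2 ** attempt))


def next_delay(attempt: int, headers: Dict[str, str], now: float,
               rng: Callable[[], float] = random.random) -> float:
    """Client-side wait before retrying: honour the server's reset time when it
    says so, otherwise fall back to exponential backoff."""
    if "Retry-After" in headers:
        return float(headers["Retry-After"])
    if headers.get("X-RateLimit-Remaining") == "0":
        return max(float(headers["X-RateLimit-Reset"]) - now, 0.0)
    return backoff_delay(attempt, rng=rng)


if __name__ == "__main__":
    limiter = RateLimiter({"/v1/agents/run": 2})   # constructed endpoint and limit
    for _ in range(3):
        ok, hdrs = limiter.check("client-a", "/v1/agents/run")
        print(ok, hdrs, "wait", round(next_delay(0, hdrs, time.time()), 2))
```

A fixed window is the simplest scheme and is enough to show the headers; a production limiter usually sits in shared storage (so every replica sees the same counts) and may use a sliding window or token bucket to avoid the burst at each window boundary.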

Amazon Bedrock Guardrails, Azure Content Safety, and Vertex AI safety settings applied at the model layer. Covers content filtering, PII redaction, and topic blocking — cloud-native controls that sit outside agent code.

Operational Resilience

When things go wrong. How we operate every day.

Incident Response Playbook

01 Detection: Automated alerting via Sentry, uptime monitors, and drift detection.
02 Triage: P1 incidents triaged and acknowledged as highest priority.
03 Containment: Affected agents isolated. No lateral movement between tenants.
04 Resolution: Root cause identified, fix deployed, post-incident report delivered.
05 Review: Lessons documented, prevention measures implemented before workload resumes.

All incidents communicated promptly. Post-incident reports delivered following resolution.

Security Operations

Background Checks

All team members verified before accessing any client project.

Access Reviews

Quarterly permissions review. Access revoked same-day on project completion.

Security Training

Annual security awareness training. Secure coding practices enforced.

Vulnerability Disclosure

Responsible disclosure programme. Report to security@corporateagents.com.au. All reports acknowledged and tracked through to resolution.

Infrastructure as Code

All infrastructure in Terraform. Every change version-controlled and peer-reviewed.

Dependency Management

Automated vulnerability scanning. Critical patches prioritised and deployed promptly.

AI Agent Security

Purpose-built safeguards for autonomous agents.

AI agents introduce risks that traditional application security doesn't cover — prompt injection, hallucination, uncontrolled tool use, and PII leakage. Every agent we deploy includes purpose-built safeguards addressing all 10 OWASP Agentic AI risk categories, enforced at runtime before any action executes.

All user inputs are sanitised before reaching the model. System prompts and user prompts are strictly separated — user input never overwrites agent instructions. Platform-native content filtering (Bedrock Guardrails, Azure Content Safety, Vertex AI safety settings) applied at the model layer to catch injection attempts before they execute.

Agents retrieve context exclusively from trusted, client-approved data sources via RAG. No open web retrieval unless explicitly configured and approved by your team. All retrieved sources are cited in agent responses so users can verify the information chain and trace every answer back to its origin.

Cloud-native PII detection and masking applied via Amazon Bedrock Guardrails, Azure Content Safety, and Vertex AI safety settings. Configurable per deployment — you define what constitutes sensitive data and how it should be handled. PII never leaves your cloud account and redaction policies are enforced at the platform layer, outside agent code.

Cloud-native guardrails enforce content policies at the model layer — not in application code. Custom topic restrictions configured per client to prevent agents from engaging with out-of-scope subjects. Filters cover harmful content, off-topic responses, and domain-specific restrictions defined during onboarding.

Configurable approval gates for high-impact decisions — no autonomous actions on sensitive operations without human sign-off. Escalation triggers route edge cases to designated reviewers. Approval workflows are defined per agent during onboarding and enforced at the orchestration layer, ensuring humans stay in control of consequential decisions.

Agents are built with automatic provider failover for service continuity — if one model provider experiences downtime, the agent switches to an equivalent provider seamlessly. Task-specific model selection ensures the right model handles the right job. No single-vendor lock-in: your agents work across Vertex AI, Amazon Bedrock, and Azure OpenAI.

Every agent action passes through a deterministic policy engine before execution. Policies are defined in YAML and evaluated in under 0.1 milliseconds with zero exceptions. Execution rings inspired by CPU privilege levels isolate agent capabilities — core orchestration, tool calls, and user-facing output each run at different trust levels with independent resource limits. Emergency kill switches terminate agents immediately when policy boundaries are breached. Built on the open-source Agent Governance Toolkit, covering all 10 OWASP Agentic AI risk categories with automated evidence collection for SOC 2 and ISO 27001 compliance.
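A minimal pre-action policy engine of the kind described above and in the approval-gates paragraph, added here as an example. It is not the Agent Governance Toolkit's code, and the page does not describe that toolkit's policy schema, so the rule shape below is invented: rules are ordered, the first match wins, anything unmatched falls to a default deny, a rule can return require_approval with a named approver, each tool carries the least-privileged execution ring allowed to call it, and a rule flagged as a boundary breach trips a kill switch that denies everything afterwards. Every decision is appended to an audit log as the evidence trail. Rules are given as the Python structure yaml.safe_load would produce from an equivalent YAML file; tool names and ring numbering are constructed.

```python
"""Deterministic pre-action policy engine with execution rings, approval gates,
a kill switch and an audit log (added example, not the Agent Governance Toolkit's
code; the rule schema is invented for illustration)."""
from dataclasses import dataclass, field
from fnmatch import fnmatchcase
from typing import Any, Dict, List, Optional

# Ring 0 is most privileged, as with CPU privilege levels (constructed mapping).
RING_NAMES = {0: "core orchestration", 1: "tool call", 2: "user-facing output"}

# What yaml.safe_load would return for an equivalent policy file (constructed).
# First matching rule wins; `when` adds argument conditions; `max_ring` is the
# least-privileged ring allowed to invoke the tool; `breach` trips the kill switch.
POLICY: Dict[str, Any] = {
    "default": "deny",
    "rules": [
        {"tool": "search_docs", "effect": "allow", "max_ring": 2},
        {"tool": "send_email", "effect": "require_approval", "approver": "ops-lead",
         "max_ring": 1, "when": {"external": True}},
        {"tool": "send_email", "effect": "allow", "max_ring": 1},
        {"tool": "delete_*", "effect": "deny", "breach": True},
    ],
}


@dataclass(frozen=True)
class Decision:
    effect: str                      # "allow" | "deny" | "require_approval"
    reason: str
    approver: Optional[str] = None   # set when effect is require_approval
    breach: bool = False             # True when a breach-flagged rule denied the action


@dataclass
class PolicyEngine:
    policy: Dict[str, Any]
    halted: bool = False
    audit_log: List[Dict[str, Any]] = field(default_factory=list)

    def evaluate(self, agent: str, ring: int, tool: str, args: Dict[str, Any]) -> Decision:
        """Decide one proposed action. Called before every tool call; no side effects
        other than the audit record and, on a breach, halting the agent."""
        if self.halted:
            decision = Decision("deny", "agent halted by kill switch")
        else:
            decision = self._match(ring, tool, args)
            if decision.breach:
                self.halted = True     # emergency stop: nothing further is allowed
        self.audit_log.append({"agent": agent, "ring": ring, "tool": tool,
                               "args": dict(args), "effect": decision.effect,
                               "reason": decision.reason})
        return decision

    def _match(self, ring: int, tool: str, args: Dict[str, Any]) -> Decision:
        for i, rule in enumerate(self.policy["rules"]):
            if not fnmatchcase(tool, rule["tool"]):
                continue
            when = rule.get("when", {})
            if any(args.get(k) != v for k, v in when.items()):
                continue
            effect = rule["effect"]
            if effect == "deny":
                return Decision("deny", f"rule {i}: {tool} is denied", breach=bool(rule.get("breach")))
            if ring > rule.get("max_ring", 1):
                return Decision("deny", f"rule {i}: ring {ring} ({RING_NAMES[ring]}) may not call {tool}")
            return Decision(effect, f"rule {i}: {effect} for {tool}", approver=rule.get("approver"))
        default = self.policy.get("default", "deny")
        return Decision(default, f"no rule matched {tool}; default {default} applies")


if __name__ == "__main__":
    engine = PolicyEngine(POLICY)
    for ring, tool, args in [(2, "search_docs", {"q": "leave policy"}),
                             (1, "send_email", {"external": True}),
                             (0, "delete_records", {}),
                             (2, "search_docs", {})]:
        d = engine.evaluate("agent-a", ring, tool, args)
        print(tool, "->", d.effect, "|", d.reason)
```

A require_approval decision is returned to the orchestrator, which holds the action until the named approver signs off; the engine itself never executes anything, which is what keeps it deterministic and cheap to evaluate on every action.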

Security questions? Let's talk architecture.

Walk through our deployment model, security controls, and compliance posture with a solutions architect.