Security
    Security your team gets out of the box.
    Scanners on every publish. Role-based access on every plan. A complete audit trail your security team can actually use.

    Every plan
    Four protections you don't have to ask for.
    These are not premium add-ons. Every AgentBundle account — Free included — ships with them by default, so the riskiest parts of running agents inside an org are covered before anyone has to think about them.

      Secret scanner
      Catches API keys, tokens, and credentials accidentally pasted into agent prompts or configs. Runs on every publish; if it trips, the publish is blocked before it can reach a teammate's runtime.

      Prompt-injection scanner
      Catches jailbreak and override patterns hidden in agent prompts before downstream agents run them. Same publish-time gate as the secret scanner.

      Role-based access
      Owner, Admin, and Member roles per organization, enforced server-side — not just hidden in the UI. Your members only see and edit what their role permits.

      Activity log
      Every publish, install, edit, and role change is recorded with the actor and timestamp. The basic log ships on every plan; full retention and export are available on Business and above.

    Business and above
    Governance for teams that need a paper trail.
    When your security or compliance team needs more than the always-on baseline, the Business tier adds controls you can hand to them with confidence.

      Approval workflow
Configure how many reviewers (N) must sign off on agent publishes. Publishes hold until the configured number of reviewers approve. Every approval and rejection lands in the audit log with the reviewer's identity and timestamp.

      Full audit log + export
      Complete activity history with before/after diffs on every change. Export to CSV from the dashboard, or pull via the audit-export API for ingestion into your SIEM or warehouse.

      Department-level admins
      Delegate admin permissions to a specific department. The Sales department admin manages Sales agents; the Engineering department admin manages Engineering agents. Org owners retain final control.

      Custom APM policy
      Encode your organization's rules — dependency allowlists, banned MCPs, allowed runtimes, required manifest fields — as policy that applies to every publish, every team. Detailed below.

    APM policy
    Lock down what your agents can do.
    APM (Microsoft's open packaging spec for agents) gives every package a manifest. Define an apm-policy.yml once. Every published agent in your org — across every team and every runtime — must comply. Enforced at publish, before a teammate can install anything that violates it.

      Dependencies
      Lock down which APM packages your agents can depend on.

        Allowlist — glob patterns like org/** or community/safe-tools. Empty means open.
        Denylist — blocked even if allowed by a pattern above (e.g. evil/**).
        Required — packages every agent must include (e.g. org/baseline).
        Cap — 1–10 dependencies per agent, or no cap.

      MCP servers
      Restrict which MCPs agents can require — and which transports are allowed.

        Allowlist — registry refs or globs (e.g. github, linear). Empty means open.
        Denylist — specific MCPs blocked (e.g. web-search).
        Transports — pick from stdio, http, sse.
        Transitive — MCPs pulled in indirectly must also pass the allowlist.

      Compilation targets
      Choose which apm pack --target outputs are allowed.

        Claude Code
        Cursor
        GitHub Copilot
        OpenCode
        Gemini CLI
        OpenAI Codex
        Windsurf

      Anything not selected is rejected at publish.

      Manifest
      Control what every apm.yml must declare and which scripts can run.

        Required fields — every apm.yml must include them (e.g. description, license).
        Allowed scripts — allowlist of named scripts (e.g. build). Empty means no scripts allowed at all.

  APM policy enforcement is available on Business and above. Policies are versioned and audited just like agents — every change shows up in the audit log with the actor, timestamp, and the prior policy text.
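The rules above are a publish-time gate: the manifest is checked against every control before a teammate can install. The following is an added illustration of that evaluation, not AgentBundle's code. The policy and manifest key names (dependencies.allowlist, mcp.transports, manifest.required_fields, and so on) are assumptions chosen to mirror the prose, since the real apm-policy.yml schema is not shown on this page; the sample policy and both manifests are constructed inline.

```python
# Added illustration of publish-time policy enforcement, not AgentBundle's code.
# Policy and manifest keys below are assumptions chosen to mirror the prose;
# the real apm-policy.yml schema is not shown on the page.
from fnmatch import fnmatchcase


def _matches_any(name, patterns):
    # Glob match against patterns such as "org/**". fnmatch's "*" already
    # crosses "/", so "org/**" behaves like "org/*" here.
    return any(fnmatchcase(name, p) for p in patterns)


def evaluate(policy, manifest, transitive_mcps=()):
    """Return the list of violations; an empty list means the publish passes."""
    v = []

    # Dependencies: allowlist (empty = open), denylist wins, required set, cap.
    deps = policy.get("dependencies", {})
    declared = manifest.get("dependencies", [])
    allow = deps.get("allowlist", [])
    for d in declared:
        if allow and not _matches_any(d, allow):
            v.append(f"dependency {d!r} not in allowlist")
        if _matches_any(d, deps.get("denylist", [])):
            v.append(f"dependency {d!r} is denylisted")
    for req in deps.get("required", []):
        if req not in declared:
            v.append(f"required dependency {req!r} missing")
    cap = deps.get("cap")
    if cap is not None and len(declared) > cap:
        v.append(f"{len(declared)} dependencies exceed cap of {cap}")

    # MCP servers: allow/deny by name, permitted transports, transitive check.
    mcp = policy.get("mcp", {})
    mcp_allow, mcp_deny = mcp.get("allowlist", []), mcp.get("denylist", [])
    direct = [(s["name"], s.get("transport", "stdio")) for s in manifest.get("mcp_servers", [])]
    indirect = [(name, None) for name in transitive_mcps] if mcp.get("transitive") else []
    for name, transport in direct + indirect:
        kind = "mcp" if transport is not None else "transitive mcp"
        if mcp_allow and not _matches_any(name, mcp_allow):
            v.append(f"{kind} {name!r} not in allowlist")
        if _matches_any(name, mcp_deny):
            v.append(f"{kind} {name!r} is denylisted")
        if transport is not None and mcp.get("transports") and transport not in mcp["transports"]:
            v.append(f"mcp {name!r} uses disallowed transport {transport!r}")

    # Compilation targets: anything not selected is rejected.
    if "targets" in policy:
        v += [f"target {t!r} not permitted" for t in manifest.get("targets", []) if t not in policy["targets"]]

    # Manifest: required fields and allowed scripts (empty = no scripts at all).
    man = policy.get("manifest", {})
    v += [f"manifest field {f!r} is required" for f in man.get("required_fields", []) if not manifest.get(f)]
    v += [f"script {s!r} not allowed" for s in manifest.get("scripts", {}) if s not in man.get("allowed_scripts", [])]
    return v


# Constructed sample policy mirroring the controls listed on the page.
SAMPLE_POLICY = {
    "dependencies": {"allowlist": ["org/**", "community/safe-tools"], "denylist": ["evil/**"],
                     "required": ["org/baseline"], "cap": 5},
    "mcp": {"allowlist": ["github", "linear"], "denylist": ["web-search"],
            "transports": ["stdio", "http"], "transitive": True},
    "targets": ["claude-code", "cursor"],
    "manifest": {"required_fields": ["description", "license"], "allowed_scripts": ["build"]},
}

# Constructed manifest that complies with every rule.
GOOD_MANIFEST = {
    "description": "Triage agent", "license": "MIT",
    "dependencies": ["org/baseline", "community/safe-tools"],
    "mcp_servers": [{"name": "github", "transport": "stdio"}],
    "targets": ["claude-code"],
    "scripts": {"build": "apm pack --target claude-code"},
}

# Constructed manifest that trips several rules at once.
BAD_MANIFEST = {
    "description": "",
    "dependencies": ["evil/helper", "community/safe-tools"],
    "mcp_servers": [{"name": "web-search", "transport": "sse"}],
    "targets": ["windsurf"],
    "scripts": {"postinstall": "echo hello"},
}

if __name__ == "__main__":
    for line in evaluate(SAMPLE_POLICY, BAD_MANIFEST):
        print("BLOCKED:", line)
```

Note that the denylist is checked independently of the allowlist, so a package matching both is reported twice and blocked either way; that ordering (deny wins) is what the "blocked even if allowed by a pattern above" rule calls for.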

    Version lifecycle
    Take a bad version back.
    Every publish is an immutable version. When something ships and you need to walk it back, the platform has three escape hatches.

      Revert
      Roll the canonical "live" pointer back to any prior version with one action. The bad version stays in history; the rolled-back version is what new installs pick up. Useful when you ship a regression and need to restore the last-known-good immediately.

      Deprecate
      Mark a version as deprecated. New installs of that version still succeed but ship with a warning header so consumers know to migrate. Existing consumers can keep running it while they upgrade. Useful for sunsetting old behavior gracefully.

      Recall
      Mark a version as recalled. New installs are blocked outright (HTTP 410 Gone). Use when a version contains a serious bug, a leaked secret, or a policy violation — anything that needs to stop spreading immediately. The audit log captures who recalled it and why.

  All three are governed by the same role-based access and approval rules as publishing. The audit log records every status change with the actor, timestamp, and reason.
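To make the three escape hatches concrete, here is an added model of a package's version history with a live pointer, the revert/deprecate/recall transitions, the install response each status produces (410 Gone for recalled, a warning header for deprecated) and the audit events the page says are recorded. This is illustration code, not AgentBundle's implementation; the class, method and header names are assumptions, and the rule that a revert may not target a recalled version is an assumption as well.

```python
# Added model of the version lifecycle described on the page; not AgentBundle's
# code. Class, method and header names are assumptions.
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Version:
    id: str
    status: str = "active"  # active | deprecated | recalled


@dataclass
class Package:
    versions: Dict[str, Version] = field(default_factory=dict)  # insertion = publish order
    live: Optional[str] = None  # the canonical "live" pointer new installs pick up
    audit: List[dict] = field(default_factory=list)

    def _log(self, action, version_id, actor, reason):
        # Every status change is recorded with actor and reason (timestamp omitted here).
        self.audit.append({"action": action, "version": version_id, "actor": actor, "reason": reason})

    def publish(self, version_id, actor):
        # Versions are immutable: a published id can never be overwritten.
        if version_id in self.versions:
            raise ValueError(f"version {version_id} already exists and is immutable")
        self.versions[version_id] = Version(version_id)
        self.live = version_id
        self._log("publish", version_id, actor, "")

    def revert(self, to_version, actor, reason):
        # Move the live pointer back; the bad version stays in history untouched.
        # Assumption: a recalled version cannot be made live again.
        if self.versions[to_version].status == "recalled":
            raise ValueError(f"version {to_version} is recalled and cannot be made live")
        self.live = to_version
        self._log("revert", to_version, actor, reason)

    def deprecate(self, version_id, actor, reason):
        self.versions[version_id].status = "deprecated"
        self._log("deprecate", version_id, actor, reason)

    def recall(self, version_id, actor, reason):
        self.versions[version_id].status = "recalled"
        self._log("recall", version_id, actor, reason)

    def resolve_install(self, requested=None):
        """Return (http_status, version_id, headers) for a new install request."""
        vid = requested or self.live
        if vid is None or vid not in self.versions:
            return 404, None, {}
        status = self.versions[vid].status
        if status == "recalled":
            return 410, vid, {}  # HTTP 410 Gone: install blocked outright
        headers = {}
        if status == "deprecated":
            headers["Warning"] = f"version {vid} is deprecated; please migrate"
        return 200, vid, headers


if __name__ == "__main__":
    pkg = Package()
    pkg.publish("1.0.0", "alice")
    pkg.publish("1.1.0", "alice")
    pkg.revert("1.0.0", "bob", "1.1.0 regressed")
    pkg.recall("1.1.0", "bob", "leaked secret")
    print(pkg.resolve_install(), pkg.resolve_install("1.1.0"))
```

Existing consumers are unaffected by any of these transitions; only new install resolutions consult the status, which matches the page's description of deprecate (still succeeds, with a warning) versus recall (blocked).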

    Your data exposure
    What lives in AgentBundle, and what doesn't.
    Knowing the data surface is the first thing your security review will ask about. Here's the short answer.

      What's stored

        Agent definitions (prompts, skills, MCPs, guardrails)
        Member metadata (work email, name, role)
        Billing details
        Audit events

      What's not

        Conversation transcripts from your runtimes (Claude, Cursor, etc.)
        Agent inputs or outputs at runtime
        Anything we'd need to train a model on — we don't operate one

      Where it lives
      Managed PostgreSQL operated by Neon, hosted in the United States. Encryption at rest is provided by the database; data in transit is TLS-protected. The full sub-processor list is in our privacy policy.

      How it leaves
      Account deletion is soft-delete first: the org is hidden from the UI immediately and queued for hard-delete after the retention window. Owners can restore during the window. Once hard-delete runs, the data is unrecoverable.

    Compliance
    What your auditors can rely on.
    If your team needs an attestation or a specific regulatory answer, here's where AgentBundle stands today and where it's heading.

  Attestations

    Framework     | Status  | Notes
    SOC 2 Type II | Planned | Pursued in line with enterprise customer demand.
    ISO 27001     | Planned | Pursued in line with enterprise customer demand.

  Regulations

    Regulation  | What you can expect
    GDPR        | Minimal personal data is collected and never transferred outside our processors. Org-wide data export and account deletion are available through the in-product danger-zone tools. A data processing addendum is available on request.
    CCPA / CPRA | Data export and account deletion are supported for any organization that requests it. Personal information is not sold; the in-product opt-out is therefore unnecessary but always honored if requested.
    HIPAA       | Business Associate Agreements are not currently signed; AgentBundle is not intended for storing protected health information. Reach out if your organization needs this.