Security & Trust

How we protect your data and your agents. Last updated: June 2026.

Veragent is an EU-native AI agent governance platform, built security- and privacy-first from the ground up. This page describes the measures we use to protect your data and the agents you connect. We describe what we actually do — we don't claim certifications we don't yet hold.

Data residency & hosting

  • EU-onlyYour data is stored in the European Union — our database runs in Frankfurt (eu-central-1), and the application is served from EU edge regions (Frankfurt, London, Amsterdam).
  • GDPR-firstVeragent is operated by Veragent B.V., registered in the Netherlands, and built to comply with the GDPR and the Dutch Implementation Act.

Authentication & access control

  • Two-factor authenticationTOTP-based 2FA, enforced for administrators.
  • Encrypted sessionsSessions are held in encrypted, HttpOnly cookies — never in browser storage.
  • Step-up elevationSensitive actions — deleting or rotating API keys, billing changes, granting roles — require a fresh 2FA challenge, even within an active session.
  • Single sign-onMicrosoft Entra ID (OAuth) and SAML 2.0.
  • Anomaly detectionNew-device and unusual sign-in detection, with role-based access and least-privilege defaults.

Data protection

  • Hashed credentialsAPI keys are never stored in plaintext — only as SHA-256 hashes. A key is shown once at creation and cannot be retrieved afterward.
  • Signed webhooksOutbound webhook payloads are HMAC-signed and timestamped, so you can verify they came from Veragent and reject replays.
  • Encryption in transitAll traffic is encrypted over TLS, with HSTS enforced.
  • Tenant isolationSeparation between organisations is enforced at the database layer with row-level security — one organisation can never read another's data.
  • No AI subprocessorsYour data is never sent to any LLM or external AI service. Veragent's processing is conventional software — there is no AI vendor in your data's path, and our GDPR data export discloses the full subprocessor list.

Application & infrastructure security

  • Deny-by-default authorizationEvery API endpoint requires an authenticated, 2FA-verified session unless explicitly public, and re-checks authorization server-side on every request.
  • SSRF protectionCustomer-supplied webhook URLs are validated against private and internal address ranges.
  • Rate limitingDistributed rate limiting protects authentication and ingestion endpoints from abuse.
  • Hardened headersA Content Security Policy and a full set of security response headers are applied across the application.
  • Dependency hygieneWe track and promptly patch known vulnerabilities in our dependencies.

Privacy & your rights

  • GDPR rights, self-serviceRequest a copy of your data (Article 15) or its erasure (Article 17) directly from your account.
  • Data minimizationWe collect only what's needed to run the platform — see our Privacy Policy for details.
  • Data Processing AgreementA DPA is available to customers on request.
  • Audit trailsEvery action within your organisation is recorded in a complete audit log.

Compliance & evidence

Veragent produces an auditor-ready evidence pack — a date-ranged record of the policy-enforcement decisions and human-oversight actions taken across your organisation. It's designed to support EU AI Act readiness by demonstrating meaningful oversight and control over the autonomous agents you run.

Responsible disclosure

We welcome reports from security researchers. If you believe you've found a vulnerability, please email security@veragent.io. We'll acknowledge your report, work with you to validate and resolve the issue, and ask that you give us reasonable time to do so before any public disclosure.