Security

Each quest runs in its own git worktree. Tool calls execute inside a per-agent sandbox (bwrap on Linux) with an explicit allow-list of filesystem, network, and process access. Agents from different Companies share no working directory and no execution context.

Traffic is TLS 1.3 end-to-end. Managed databases are encrypted at rest. Companies run on dedicated workspace storage — no shared tenancy at the data layer.

Short-lived JWT sessions with automatic expiry. Passkeys (WebAuthn) are on the roadmap for 2026. SAML SSO and SCIM provisioning are available to enterprise customers on request.

GDPR today. A DPA is available on request for paid plans. EU data residency and private deployment are available for teams with stricter requirements.

SOC 2 and ISO 27001 are in flight but not yet issued — we'll list the report dates here when they exist, not before. If your procurement process needs one of those today, contact us so we can scope the right deployment path.

DPAs, questionnaires, and subprocessor questions: luca@aeqi.ai.

We do not train models on your data. Agent conversations are forwarded to the LLM provider you've selected to generate a response, and nothing else.

If you bring your own API key, we use it only to route the request to the provider you selected. We do not train on, resell, or use that content outside the request path and your own persisted Company history.

Tokenized cap-table state is written to a public chain. It's immutable and cannot be redacted. Tokenize only what you're comfortable making public.

Hosted early access is the default path. Private deployments can keep agent state, event logs, and LLM traffic inside infrastructure approved for your Company.

Send reports to luca@aeqi.ai. First response within two business days. Please don't disclose publicly until we've shipped a fix.