Security & trust

Security is the product.

Seam exists because agent decisions need to be auditable, identifiable, and reversible. The same posture applies to how we run the company. This page is what we can commit to today, and what we're building toward.

Our principles

Five things that don't get traded away.

01 / IDENTITY
Every actor is identified
Humans, services, and agents authenticate against AITP-issued identities. No anonymous calls into the control plane, ever.
02 / LEAST PRIVILEGE
Agents see only what they need
Context is scoped per session. Tool access is policy-gated. Broad credentials never sit inside agent prompts.
03 / AUDITABILITY
Every decision is replayable
Sessions are append-only and reconstructable months later — including the prompts, tool calls, and policy evaluations behind each action.
04 / DATA BOUNDARIES
Customer data stays in customer tenancy
Seam runs adjacent to your data, not in front of it. Sensitive payloads are referenced, not stored, in the control plane.
05 / DISCLOSURE
We tell you when we change things
Material changes to data handling, sub-processors, or security posture come with notice — not a footer update.
06 / KILL SWITCH
Every action is reversible at the boundary
Operators can pause, scope, or revoke any agent class instantly from the control plane. We design for that path being the easy one.

Our posture

Where we are in the trust journey.

Here's the honest snapshot — what's in place today, what's underway, and what's on the roadmap. Design partners get full security-review packets.

In place today
Encryption everywhere
TLS 1.3 in transit. AES-256 at rest. Per-tenant key isolation for sensitive context.
In place today
SSO & access control
Operator console enforces SSO, MFA, and role-based access from day one. No shared credentials.
In progress
SOC 2 Type I
Initial audit scoping in motion. Type II planned within twelve months of GA.
In progress
Penetration testing program
Third-party engagement scoped for the control plane and SDKs ahead of GA.
On roadmap
HIPAA & regional residency
Healthcare BAA support and EU-resident deployments tracked for our healthcare design partners.

Reporting

Found something? Tell us.

Responsible disclosure
Email security@zer07labs.com with a description, reproduction steps, and any artefacts. We'll acknowledge within two business days, keep you updated through triage, and credit you in our disclosure log if you'd like to be named.
Customer security review
Design partners and prospective customers can request a full security-review packet — architecture, data flows, sub-processors, posture, and roadmap. We'll send it under NDA.