security & trust

Built audit-ready
from day one.

Sentrely is the control plane for AI agents handling real customer data — payments, CRM contacts, code, email. We built it the way we'd want our own data handled.

Encryption

AES-256-GCM at rest, TLS 1.2+ in transit, per-workspace KMS keys

Tenant isolation

Row-level security + workspace_id scoping + RBAC, defense in depth

Audit logging

Every privileged action logged, 90d hot + 7yr S3 WORM archive

soc 2 program

SOC 2 Type 2 — in progress

Sentrely's SOC 2 Type 2 audit is underway, targeting completion in 2026. In the meantime, every technical control SOC 2 evaluates is already shipped — independent third-party attestation is the remaining step, not the controls themselves.

Customers under bilateral NDA can request our internal control documentation, including our written policies (ISP-001 through ISP-012), risk register, and subprocessor list. security@sentrely.com.

trust services criteria coverage

Security

Strong

Casbin RBAC enforced gateway-side · MFA on Pro+ plans · AWS-grade tenant isolation · OWASP security headers · audit logging on every privileged action · per-workspace KMS keys for sensitive data

Availability

Strong

Multi-AZ RDS deployments · automated daily/weekly/monthly backups · AWS Backup cross-region replication · alerting on every error class · capacity quotas per workspace

Confidentiality

Strong

TLS 1.2+ everywhere · AES-256 encryption at rest · per-workspace KMS Customer Master Keys · PII redaction chokepoint before storage · TLS termination at AWS ACM

Processing Integrity

Strong

Human-in-the-loop approval gates for sensitive actions · audit log records the exact request and response · Pydantic-validated inputs · workspace_id-scoped writes

Privacy

In progress

GDPR data export + erasure endpoints scheduled 2026 · per-workspace retention configurable · data minimization built in · subprocessor list public and quarterly reviewed

technical highlights

Tenant isolation — three independent locks

Every customer-data query is locked by (a) workspace_id filter in SQL, (b) PostgreSQL Row-Level Security as defense-in-depth, and (c) Casbin RBAC checked at the gateway middleware. Any one of these would block cross-workspace access on its own; all three together mean a code bug in one layer is caught by the others.

Per-workspace KMS Customer Master Keys

Sensitive workspace data is wrapped with a Customer Master Key dedicated to that workspace. KMS key policies require both an IAM role and an EncryptionContext (AAD) matching the workspace_id. A compromised IAM role cannot bulk-decrypt other tenants' data.

PII redaction chokepoint

Data flowing into audit logs, system logs, and lifecycle events passes through a pattern-matching redaction layer before disk write. Credit card numbers, SSNs, OAuth tokens, and known-format API keys are redacted at storage time — they never persist in plaintext.

Audit-by-default

Every privileged action — every API call, every approval grant, every workspace change — is logged with caller identity, timestamp, action, and outcome. Customer-visible in the dashboard; archived to S3 Object Lock for 7 years.

Approval gates for sensitive actions

High-impact actions (sending email, posting to Slack, modifying CRM data, executing code on customer infrastructure) can require human approval per workspace policy. Approvals are workspace-scoped, audited, and non-bypassable from the agent side.

Backups + DR

RDS Multi-AZ + point-in-time recovery (35-day window). Daily/weekly/monthly snapshots via AWS Backup. Cross-region replica in us-west-2 for primary databases. Audit-log archive in S3 with Object Lock (compliance mode) for 7 years.

subprocessors

Who Sentrely shares data with — and what they see

Sentrely uses a small number of third-party services to deliver the platform. Each one is risk-assessed, has a Data Processing Agreement on file (where applicable), and is reviewed quarterly.

See the full subprocessor list →
responsible disclosure

Found a security issue? Tell us.

We take security reports seriously. If you've found a vulnerability in Sentrely, please email us before publishing.

  • Email: security@sentrely.com
  • We'll acknowledge within 2 business days, triage within 5 business days.
  • We support coordinated disclosure timelines, hall-of-fame recognition with your consent, and no legal action for good-faith research.
questions?

Your security team is welcome to dig in.

We host security reviews under bilateral NDA. Send us your security questionnaire — we'll fill it in, send back our control documentation, and get on a call with your reviewer if it helps.

security@sentrely.com
newsletter

AI agent stories, every 2 weeks

Real-world lessons on running AI agents in production — RBAC patterns, audit gotchas, approval workflows. No spam.

Unsubscribe anytime · No spam, ever

// talk-to-us

Tell us what you're building

We reply within one business day.

Platforms / tools you're using or evaluating *

Or email us directly at jordan@sentrely.com

get early access

Get early access

Leave your details and we'll reach out to get you set up.

No spam. We'll only use this to set up your access.