Security
Last updated: May 30, 2026
DataPlaneLabs builds agents and a runtime that run inside your own perimeter. Security is not a feature bolted on — it is how the runtime works. This page summarizes our posture and is honest about what is and is not yet in place.
Self-hosted on your infrastructure
The agents and runtime run on your own Kubernetes cluster. No vendor cloud, no shared tenancy. Your data never leaves your perimeter.
Zero-trust at tool invocation
Every tool call requires an explicit policy decision with verified identity. Nothing is trusted by default — an agent touches a system only after authorization.
Encrypted in transit and at rest
Traffic between components is encrypted in transit, and persisted state and audit data are encrypted at rest within your environment.
RBAC with least privilege
Role-based access control with least-privilege defaults. Agents and operators get only the scope they need, nothing more.
Full audit log per tool call
Every tool invocation is recorded — who, what, when, and the policy decision that allowed it — giving you a complete, reviewable trail.
Your data and logs stay yours
Models, data, prompts, and logs remain on your infrastructure. There is no egress to our systems and no vendor lock-in.
What we do not yet claim
Formal certifications (SOC 2, ISO 27001) are not yet in place. We will not display badges we have not earned. If you have specific compliance requirements, contact us — we are happy to walk through our controls and your needs.
Contact
Have a security or compliance question? Email hello@dataplanelabs.com.