Trust & security
Security is the product.
An orchestration layer holds your workflows, your run state, and your credentials. We treat all three as the reason customers can or cannot deploy agents at all.
Compliance
Certifications and frameworks
Status is stated plainly — what is audited, what is aligned, and what is still roadmap.
SOC 2 Type II
SOC 2 Type II is on our roadmap; the audit has not yet started. The underlying controls — access reviews, change management, incident response — are built into the product today, ahead of a formal engagement.
GDPR
Data minimization by design: run state holds what your workflows put in it, retention windows are enforced per plan, and deletion requests cascade through checkpoints and traces.
CCPA
Workspace data is never sold or shared for advertising. Export and deletion are available for every data category we store.
HIPAA
BAA support is planned alongside the self-hosted enterprise tier, where run state never leaves your infrastructure.
Practices
How we protect your data
Encryption in transit
All traffic between the console, the API, and LLM providers is TLS 1.3. Plaintext HTTP is never accepted outside local development.
Encryption at rest
Stored secrets — custom-tool credentials and webhook signing keys — are encrypted at the application layer. Database and backup volumes add disk-level encryption on every major cloud; self-hosters control their own disks.
Workspace isolation
Every workflow, run, checkpoint, and audit row is scoped to a workspace. Cross-workspace access is structurally impossible, not policy-enforced.
Credential handling
Ballast is bring-your-own-key: each workspace supplies its own LLM provider keys, which — like custom-tool auth headers and webhook signing secrets — are encrypted at rest (Fernet), write-only via the API, and injected only at call time. None are written to logs, traces, or checkpoints.
Complete audit trail
Every mutation — create, update, run, approval, rejection — is recorded with actor and timestamp, and retained for your plan's window.
Human approval gates
Sensitive actions can be gated on a human decision. Gates pause execution durably; decisions and reviewer input are part of the permanent record.
Runtime governance
Policy enforced where the work happens
Governance & policy events
Every execution-time policy decision — a tool denied, PII redacted, a model or fallback blocked, a budget stopped, an override granted — is emitted as a first-class, inspectable event carrying the workflow, run, node, policy, decision, and reason. Evidence is redacted to counts, ids, and model names — never the scrubbed plaintext or a secret. It is a policy-decision plane, separate from the tamper-evident audit log.
DLP redaction before prompts leave the box
Governance scrubs sensitive data from prompts before they reach a provider. Alongside custom regexes, a built-in catalog of named PII types — email, phone, credit card, SSN, IP address, and API key — is redacted automatically. Each run that redacts something records an event carrying a count only, never the value.
Signed, replay-proof webhooks
Inbound webhook triggers can require an HMAC-SHA256 signature over a timestamped body and reject any request outside a replay window — so a captured delivery cannot be re-sent later. Duplicate deliveries of the same event collapse to the original run rather than creating a new one.
Per-argument tool policy
Custom tools can be restricted not just to specific workflows but to specific argument values. A call passing a blocked value is refused at run time and recorded as a governance event — enforced in the executor, so editing the workflow JSON cannot route around it.
Governed model fallback
Agent nodes can fail over to backup models on transient errors, but every fallback candidate is vetted against your model and provider allowlist first. A run never silently fails over to a disallowed provider, and a blocked fallback is recorded as a governance event.
Data handling
What we store, where, and for how long
| Data type | Where stored | Retention | Encryption |
|---|---|---|---|
| Workflow definitions | Primary database | Life of the workspace | Workspace-scoped |
| Run state & checkpoints | Primary database | 7–90 days by plan | Workspace-scoped |
| Step traces & costs | Primary database | 7–90 days by plan | Workspace-scoped |
| Audit logs | Primary database | 30 days – 1 year by plan | Append-only |
| Tool credentials & webhook secrets | Primary database | Until deleted | Encrypted (Fernet) |
| LLM provider keys (your own) | Primary database | Until deleted | Encrypted (Fernet) |
Subprocessors
Third parties that process data
Model calls go only to the providers your workflows select. No other party sees run content.
| Subprocessor | Purpose | Region |
|---|---|---|
| Anthropic | Model inference for Claude agent nodes | United States |
| OpenAI | Model inference for GPT agent nodes | United States |
| Vercel | Console and site hosting | United States / EU |
| Neon | Managed Postgres | United States / EU |
| Resend | Transactional email delivery | United States |
Disclosure
Responsible disclosure
Report vulnerabilities to security@ballastos.com. We acknowledge within 48 hours, keep you informed through remediation, and follow a 90-day coordinated disclosure window. Good-faith research under this policy will not result in legal action.
Request our security review packet