Trust & security

Security is the product.

An orchestration layer holds your workflows, your run state, and your credentials. We treat all three as the reason customers can or cannot deploy agents at all.

Compliance

Certifications and frameworks

Status is stated plainly — what is audited, what is aligned, and what is still roadmap.

SOC 2 Type II

Planned

SOC 2 Type II is on our roadmap; the audit has not yet started. The underlying controls — access reviews, change management, incident response — are built into the product today, ahead of a formal engagement.

GDPR

Aligned

Data minimization by design: run state holds what your workflows put in it, retention windows are enforced per plan, and deletion requests cascade through checkpoints and traces.

CCPA

Aligned

Workspace data is never sold or shared for advertising. Export and deletion are available for every data category we store.

HIPAA

Roadmap

BAA support is planned alongside the self-hosted enterprise tier, where run state never leaves your infrastructure.

Practices

How we protect your data

Encryption in transit

All traffic between the console, the API, and LLM providers is TLS 1.3. Plaintext HTTP is never accepted outside local development.

Encryption at rest

Stored secrets — custom-tool credentials and webhook signing keys — are encrypted at the application layer. Database and backup volumes add disk-level encryption on every major cloud; self-hosters control their own disks.

Workspace isolation

Every workflow, run, checkpoint, and audit row is scoped to a workspace. Cross-workspace access is structurally impossible, not policy-enforced.

Credential handling

Ballast is bring-your-own-key: each workspace supplies its own LLM provider keys, which — like custom-tool auth headers and webhook signing secrets — are encrypted at rest (Fernet), write-only via the API, and injected only at call time. None are written to logs, traces, or checkpoints.

Complete audit trail

Every mutation — create, update, run, approval, rejection — is recorded with actor and timestamp, and retained for your plan's window.

Human approval gates

Sensitive actions can be gated on a human decision. Gates pause execution durably; decisions and reviewer input are part of the permanent record.

Runtime governance

Policy enforced where the work happens

Governance & policy events

Every execution-time policy decision — a tool denied, PII redacted, a model or fallback blocked, a budget stopped, an override granted — is emitted as a first-class, inspectable event carrying the workflow, run, node, policy, decision, and reason. Evidence is redacted to counts, ids, and model names — never the scrubbed plaintext or a secret. It is a policy-decision plane, separate from the tamper-evident audit log.

DLP redaction before prompts leave the box

Governance scrubs sensitive data from prompts before they reach a provider. Alongside custom regexes, a built-in catalog of named PII types — email, phone, credit card, SSN, IP address, and API key — is redacted automatically. Each run that redacts something records an event carrying a count only, never the value.

Signed, replay-proof webhooks

Inbound webhook triggers can require an HMAC-SHA256 signature over a timestamped body and reject any request outside a replay window — so a captured delivery cannot be re-sent later. Duplicate deliveries of the same event collapse to the original run rather than creating a new one.

Per-argument tool policy

Custom tools can be restricted not just to specific workflows but to specific argument values. A call passing a blocked value is refused at run time and recorded as a governance event — enforced in the executor, so editing the workflow JSON cannot route around it.

Governed model fallback

Agent nodes can fail over to backup models on transient errors, but every fallback candidate is vetted against your model and provider allowlist first. A run never silently fails over to a disallowed provider, and a blocked fallback is recorded as a governance event.

Data handling

What we store, where, and for how long

Data typeWhere storedRetentionEncryption
Workflow definitionsPrimary databaseLife of the workspaceWorkspace-scoped
Run state & checkpointsPrimary database7–90 days by planWorkspace-scoped
Step traces & costsPrimary database7–90 days by planWorkspace-scoped
Audit logsPrimary database30 days – 1 year by planAppend-only
Tool credentials & webhook secretsPrimary databaseUntil deletedEncrypted (Fernet)
LLM provider keys (your own)Primary databaseUntil deletedEncrypted (Fernet)

Subprocessors

Third parties that process data

Model calls go only to the providers your workflows select. No other party sees run content.

SubprocessorPurposeRegion
AnthropicModel inference for Claude agent nodesUnited States
OpenAIModel inference for GPT agent nodesUnited States
VercelConsole and site hostingUnited States / EU
NeonManaged PostgresUnited States / EU
ResendTransactional email deliveryUnited States

Disclosure

Responsible disclosure

Report vulnerabilities to security@ballastos.com. We acknowledge within 48 hours, keep you informed through remediation, and follow a 90-day coordinated disclosure window. Good-faith research under this policy will not result in legal action.

Request our security review packet