Security

Each quest runs in its own git worktree. Tool calls execute inside a per-agent sandbox (bwrap on Linux) with an explicit allow-list of filesystem, network, and process access. Agents from different companies share no working directory and no execution context.

Traffic is TLS 1.3 end-to-end. Managed databases are encrypted at rest. Companies run on dedicated workspace storage — no shared tenancy at the data layer.

Short-lived JWT sessions with automatic expiry. Passkeys (WebAuthn) are on the roadmap for 2026. SAML SSO and SCIM provisioning are available to enterprise customers on request.

GDPR today. A DPA is available on request for paid plans. EU data residency is available via self-hosting; a managed EU region is in progress.

SOC 2 and ISO 27001 are in flight but not yet issued — we'll list the report dates here when they exist, not before. If your procurement process needs one of those today, self-hosting is the cleaner path.

DPAs, questionnaires, and subprocessor questions: 0x@aeiq.ai.

We do not train models on your data. Agent conversations are forwarded to the LLM provider you've selected to generate a response, and nothing else.

If you bring your own API key, we use it only to route the request to the provider you selected. We do not train on, resell, or use that content outside the request path and your own persisted company history.

Tokenized cap-table state is written to a public chain. It's immutable and cannot be redacted. Tokenize only what you're comfortable making public.

The full source is on GitHub. Running aeiq on your own infrastructure keeps agent state, event logs, and LLM traffic on your network.

Send reports to 0x@aeiq.ai. First response within two business days. Please don't disclose publicly until we've shipped a fix.