function Security({ go }) { return (
{/* HERO */}

Your data never trains an AI model. Not ours. Not anyone's.

AGOS runs on zero-retention inference, a tightly-scoped cloud stack, and compliance-as-code. Here's exactly what happens to every byte your brand sends us — and what doesn't.

{/* 4 TRUST PILLARS */}
{[ { ic:"brain", t:"Zero model training", d:"Anthropic zero-retention is enabled on every workspace. Your drafts, briefs, product data, and customer records pass through inference and are discarded — never logged, never used to train foundation models.", }, { ic:"lock", t:"Encrypted in transit & at rest", d:"TLS 1.3 on every hop. AES-256 on the database. Column-level encryption on customer PII. Keys rotated quarterly via Supabase Vault.", }, { ic:"shield", t:"Compliance as code", d:"TGA, ACCC, FDA, and cosmetic-claim rule packs are versioned, tested, and deployed like software. Every flag carries a rule ID, jurisdiction, and citation you can audit.", }, { ic:"globe", t:"Data residency", d:"Today: AWS Sydney (ap-southeast-2) for Australian workspaces, US-East for US. EU residency shipping alongside GDPR certification in Q4 2026.", }, ].map((p,i)=>(

{p.t}

{p.d}

 ))}
{/* DATA FLOW DIAGRAM */}

Here's what happens when you press Generate.

Every inference request takes this path. Every step is auditable. Nothing persists where it shouldn't.

{[ {n:"01",t:"Your browser",d:"Draft + brief leave your session over TLS 1.3",sub:"CLIENT · BROWSER",c:"var(--accent)"}, {n:"02",t:"AGOS edge",d:"Vercel edge function in Sydney · auth + rate limit",sub:"VERCEL · SYD-1",c:"var(--accent)"}, {n:"03",t:"Compliance pre-scan",d:"Rule packs run on the brief before it touches an LLM",sub:"WORKER · ISOLATED",c:"var(--ok)"}, {n:"04",t:"Inference",d:"Anthropic API · zero-retention · PII redacted",sub:"ANTHROPIC · ZR",c:"var(--warn)"}, {n:"05",t:"Compliance post-scan",d:"Rule packs run on the draft · flags attached",sub:"WORKER · ISOLATED",c:"var(--ok)"}, {n:"06",t:"Supabase",d:"Draft persisted · AES-256 · RLS · project-scoped",sub:"SUPABASE · SYD",c:"var(--accent)"}, ].map((s,i,arr)=>(
{s.n}
{s.t}
{s.d}
{s.sub}
{i
}
))}
NOTHING WRITTEN TO DISK AT STEP 04 · FULL REQUEST HASH AUDITED · 7-YEAR LOG
{/* STACK */}

The stack, named.

We don't hide our vendors — you should know who you're trusting by transitive property. Every provider here is SOC 2 Type II and GDPR-compliant today.

{[ {n:"Anthropic",role:"LLM inference",cert:"SOC 2 · HIPAA · ZR",k:"All generative work. Zero-retention contract. No training on customer prompts."}, {n:"Vercel",role:"Edge + app hosting",cert:"SOC 2 Type II · ISO 27001",k:"Sydney + Virginia regions. Network isolation per workspace."}, {n:"Supabase",role:"Postgres + auth + storage",cert:"SOC 2 Type II · HIPAA BAA",k:"Row-level security on every table. Column-level encryption on PII."}, {n:"Cloudflare",role:"WAF + DDoS + DNS",cert:"SOC 2 Type II · ISO 27001",k:"Rate limiting, bot detection, and TLS termination."}, {n:"Shopify",role:"Commerce data source",cert:"PCI DSS Level 1",k:"OAuth-scoped. Read by default. Write scopes are per-workspace opt-in."}, {n:"Sentry",role:"Error tracking",cert:"SOC 2 Type II",k:"PII scrubbing on. No request bodies captured. 90-day retention."}, ].map((v,i)=>(
{v.n[0]}
{v.n} · {v.role} {v.cert}

{v.k}

))}
{/* CERTS */}

Certifications — what's live, what's planned.

We're pre-enterprise. Here's the honest roadmap — not vague asterisks, not "coming soon" without dates.

{[ {n:"Zero-retention inference",s:"Live",date:"Since Apr 2026",k:"live"}, {n:"TLS 1.3 · AES-256",s:"Live",date:"Since launch",k:"live"}, {n:"APAC data residency",s:"Live",date:"AWS Sydney",k:"live"}, {n:"US data residency",s:"Live",date:"AWS Virginia",k:"live"}, {n:"SOC 2 Type I",s:"In audit",date:"Report Q2 2026",k:"progress"}, {n:"SOC 2 Type II",s:"Planned",date:"Q3 2026",k:"planned"}, {n:"GDPR certification",s:"Planned",date:"Q4 2026 + EU residency",k:"planned"}, {n:"ISO 27001",s:"Planned",date:"2027",k:"planned"}, {n:"HIPAA BAA",s:"On request",date:"Enterprise tier",k:"planned"}, ].map((c,i)=>(
{c.k==="live"?"● LIVE":c.k==="progress"?"◐ IN AUDIT":"○ PLANNED"} {c.date}
{c.n}
))}
{/* DATA RIGHTS */}

Your data, your rules.

You own every byte. We're custodians, not owners. Here's what that means in practice.

{[ {t:"Export anytime",d:"One click in Settings → Data. Full JSON + Markdown export of every draft, approval, and audit entry. Delivered within 24 hours, usually minutes."}, {t:"Delete anytime",d:"Workspace deletion triggers 30-day soft delete, then cryptographic shredding of all tenant data, including derived vector embeddings and brand-voice profiles."}, {t:"No secondary use",d:"We don't sell, share, or benchmark against your data. Aggregate product analytics use workspace-level counts only, never content."}, {t:"Sub-processor list",d:"Published and versioned. Customers with data-processing agreements are notified 30 days before any new sub-processor is added."}, ].map((r,i)=>(
{r.t}

{r.d}

))}
{/* CONTACT */}

Questions? Security reviews? Report a vuln?

We run a private bug-bounty program and respond to responsible disclosures within one business day.

security@agos.app PGP key Sub-processor list
); } Object.assign(window, { Security });