Security

Your AI agents.
Under your control.

Kommit gives security and engineering teams the visibility, access controls, and audit infrastructure to deploy AI agents without losing sleep. Every section below is marked live today or design-partner roadmap so you know what's reproducible right now.

01 · Observability

Every privileged admin action logged — automatically.

Hash-chained admin audit trail for every privileged admin action in the platform. Exportable as JSON or CSV for procurement. A scheduled cron sweep re-verifies the chain end to end.

Live
02 · Control

Humans in the loop when it matters.

Approval gates for sensitive actions are in design-partner pilots — deploy promotions, send-email tools, payment writes. Today: org-level admin approvals on workspace mutations.

Roadmap
03 · Containment

Permissions scoped to the workflow, not the org.

Per-workflow RBAC + SSO + separation-of-duties is on the design-partner roadmap. Today: Better Auth org-level roles + connection-level Postgres RLS enforcing the tenant boundary.

Roadmap
Audit trail · LIVE TODAY

A complete, immutable record of every privileged admin action in your workspace.

Every privileged event is signed with an HMAC linked to the previous one. If anything is tampered with, the chain breaks — and the cron sweep flags it. Export as JSON or CSV for your auditors. Per-tool-call granularity (agent runtime events) is the design-partner roadmap.

Live · audit stream · workspace: kommit-internal

14:22:07.341  kyc-agent retrieved document from sharepoint/contracts/acme-corp.pdf  [tool_call]  a3f9c1…d4e8
14:22:07.892  kyc-agent called anthropic/claude-sonnet-4-6 · 2,841 tokens in · 312 out  [model_call]  b8d2e4…1a7f
14:22:09.014  kyc-agent output contained PII — redacted before logging · redaction_policy: pii-strict  [redacted]  c1a7b9…8f3d
14:22:09.211  stephan@getkommit.ai approved dossier for account #KYC-2941 · human gate passed  [approval]  d4e8a2…c3b1
14:22:09.440  kyc-agent posted result to salesforce/opportunities/KYC-2941 · run complete  [tool_call]  e5f3d1…7a2c
100% · of privileged admin actions chained — no sampling, no gaps
SHA-256 · HMAC chain. Tampering breaks it; cron sweep verifies on schedule
2× · export formats today: JSON · CSV. PDF export is roadmap
0ms · configuration needed. Chain is on by default, always
Access control

Connection-level boundary today. Per-workflow RBAC in design.

Postgres enforces the tenant boundary at the connection level — no app-code path can downgrade it. The full per-workflow RBAC matrix below is the design-partner destination; today the platform runs on Better Auth org roles + the RLS enforcement above.

MIXED — SEE BADGES
Roles (matrix columns): Owner · Admin · Builder · Reviewer · Auditor

Capabilities (matrix rows):
  • Deploy to production: promote workflow · live traffic
  • Edit agents & workflows: model, instructions, tools, policies
  • Approve human-in-the-loop gates: review pending agent actions
  • Read audit logs & evaluations: full run history, lineage
  • Manage integrations & credentials: OAuth tokens, API keys
  • Configure SSO, SCIM, residency: org-level security settings
Identity · roadmap

SSO + SCIM

Okta, Entra, Google, Ping. Auto-provision members on your verified domain, JIT access. Better Auth SSO integration in design-partner pilots.

Tenant boundary · live

Connection-level RLS

App code connects as a NOBYPASSRLS Postgres role; the database itself filters every read by tenant. Verified at boot against pg_roles so a misconfigured deploy can't downgrade silently.
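The boot-time check described above, written out as an added example. This is illustrative code, not Kommit's own: the role name, table names other than admin_audit_logs, and the catalog rows are constructed. It relies on two PostgreSQL facts: superusers and roles with BYPASSRLS skip every row-security policy, and a table's owner also skips policies unless the table has FORCE ROW LEVEL SECURITY. The queries are what such a check would issue at startup; the evaluation runs on the returned rows so it can be exercised offline.

```python
"""Boot-time guard: refuse to start if the app's DB role could bypass RLS.

Added illustration, not Kommit's code. Role/table names are constructed.
"""
from dataclasses import dataclass
from typing import Iterable

# Catalog queries the boot check would issue (real pg_roles / pg_class columns).
ROLE_QUERY = (
    "SELECT rolname, rolsuper, rolbypassrls FROM pg_roles "
    "WHERE rolname = current_user"
)
TABLE_QUERY = (
    "SELECT c.relname, c.relrowsecurity, c.relforcerowsecurity, "
    "       pg_get_userbyid(c.relowner) AS owner "
    "FROM pg_class c JOIN pg_namespace n ON n.oid = c.relnamespace "
    "WHERE n.nspname = 'public' AND c.relkind = 'r'"
)


@dataclass(frozen=True)
class RoleRow:            # one row of ROLE_QUERY
    rolname: str
    rolsuper: bool
    rolbypassrls: bool


@dataclass(frozen=True)
class TableRow:           # one row of TABLE_QUERY
    relname: str
    relrowsecurity: bool
    relforcerowsecurity: bool
    owner: str


class RlsMisconfigured(RuntimeError):
    """Raised at boot so a misconfigured deploy fails closed."""


def check_rls_boundary(role: RoleRow, tables: Iterable[TableRow],
                       tenant_tables: Iterable[str]) -> list:
    """Return the list of problems; an empty list means the boundary holds."""
    problems = []
    if role.rolsuper:
        problems.append(f"role {role.rolname} is SUPERUSER (ignores all RLS)")
    if role.rolbypassrls:
        problems.append(f"role {role.rolname} has BYPASSRLS")
    by_name = {t.relname: t for t in tables}
    for name in tenant_tables:
        t = by_name.get(name)
        if t is None:
            problems.append(f"{name}: tenant table missing")
            continue
        if not t.relrowsecurity:
            problems.append(f"{name}: ENABLE ROW LEVEL SECURITY not set")
        elif t.owner == role.rolname and not t.relforcerowsecurity:
            # Owner bypasses policies unless FORCE ROW LEVEL SECURITY is on
            problems.append(f"{name}: owned by app role without FORCE RLS")
    return problems


def assert_rls_boundary(role, tables, tenant_tables) -> None:
    problems = check_rls_boundary(role, tables, tenant_tables)
    if problems:
        raise RlsMisconfigured("; ".join(problems))


def boot_ok(role, tables, tenant_tables) -> bool:
    """True if the service may start, False if it must refuse to."""
    try:
        assert_rls_boundary(role, tables, tenant_tables)
        return True
    except RlsMisconfigured:
        return False


# Constructed rows standing in for what the two queries would return.
TENANT_TABLES = ("workspaces", "admin_audit_logs")
GOOD_ROLE = RoleRow("kommit_app", rolsuper=False, rolbypassrls=False)
BYPASS_ROLE = RoleRow("kommit_app", rolsuper=False, rolbypassrls=True)
GOOD_TABLES = [
    TableRow("workspaces", True, True, "schema_owner"),
    TableRow("admin_audit_logs", True, True, "schema_owner"),
]
BAD_TABLES = [
    TableRow("workspaces", True, False, "kommit_app"),        # app role owns it, no FORCE
    TableRow("admin_audit_logs", False, False, "schema_owner"),  # RLS never enabled
]

if __name__ == "__main__":
    print(check_rls_boundary(GOOD_ROLE, GOOD_TABLES, TENANT_TABLES))   # []
    print(check_rls_boundary(BYPASS_ROLE, BAD_TABLES, TENANT_TABLES))  # three problems
```

The point of the ownership check is that NOBYPASSRLS alone is not enough: if the connecting role happens to own a tenant table, policies do not apply to it unless FORCE ROW LEVEL SECURITY is set, so a migration that creates tables as the app role would silently open the boundary.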

Separation · roadmap

Builder ≠ Deployer

Per-workflow promotion gates so builders can compose and test but only Owners + Admins can promote to production traffic. Pilots running with design partners.

Credentials · live

Column-level secret storage

Stored secrets — like project environment variables — are encrypted at the column level (AES-GCM); the ciphertext is never written to logs or surfaced in API responses. Encrypting OAuth tokens at rest + BYOK are on the roadmap.

Data controls · MIXED — SEE BADGES

Your data stays in your region. PII redaction is in design.

Workspaces are pinned to a region at creation. PII / PHI redaction before model calls is part of the design-partner roadmap — today, data residency is the live guarantee; redaction policies are the work this section describes.

Input arrives

Raw document or message

Customer contract, support ticket, invoice — whatever your workflow ingests. Stored in your chosen region (today: eu-central-1).

eu-central-1 · live
Redaction layer

PII / PHI stripped before model call

Names, emails, account numbers, health codes — detected and replaced with typed tokens before the prompt is assembled.

in design
Human gate

Approval before sensitive actions

Actions you've flagged sensitive — send email, execute payment, update record — pause for human review before executing.

in design
Output logged

Result captured in audit trail

The final output, post-approval, is logged with a full lineage record: inputs used, model called, who approved, when.

hash-chained · live
Residency · live

EU · Frankfurt today

All workspace metadata, vector indices, and audit events live in Hetzner eu-central-1. UK, US, APAC regions are roadmap — file with design partners if you need a specific region day-one.

Model calls · live

Zero-retention model contracts

Calls to hosted Anthropic + OpenAI models run under their respective zero-retention agreements. Your prompts and outputs are never used to train their models.

On-prem · roadmap

Deploy in your VPC

Customer-managed VPC + BYOK + on-prem distribution are on the design-partner roadmap. Same control plane, different deploy substrate.

Policy enforcement

Policies enforced at runtime, not documented after the fact.

The policy library binding agents to runtime enforcement is on the roadmap, scoped with design partners. The six policy types below are the destination model: attach policies to agents and workflows directly, and the runtime blocks violations before they execute.

DESIGN PARTNER ROADMAP

Rate & quota limits

Cap model spend, token throughput, or API calls per agent per day. Enforced before the call is made.

Data class restrictions

Prevent agents from accessing or returning specific data classes — PHI, PII, PCI controlled per workflow.

Tool allowlists

Specify exactly which tools and integrations an agent may call. Everything else is blocked at the runtime layer.

Output content filters

Block outputs that match regex patterns, semantic categories, or classification labels before they reach downstream systems.

Model allowlists

Control which foundation models agents are permitted to call. Switch models in staging without production access.

Geographic restrictions

Prevent workflows from calling external services or models outside approved regions. Enforced at the network layer.

Incident response · DESIGN PARTNER ROADMAP

When something goes wrong, you can find it in minutes — not days.

Detect

Anomaly detection & alerting

Kommit will monitor token spend, error rates, unusual tool calls, and policy violations in real time. Alerts route to Slack, PagerDuty, or your SIEM.

  • Spike in model spend from a single agent
  • Tool called outside its allowlist
  • Repeated policy violations in a run
  • Human gate bypassed or timed out
  • Output matched blocked content pattern
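The five alert conditions listed above, implemented as detection rules over a stream of runtime events. This is an added example, not Kommit's code: the event schema, the per-agent tool allowlists, the spend baselines and the blocked-output pattern are all constructed for illustration, and the spend rule uses a simple multiple-of-baseline threshold rather than any particular anomaly model.

```python
"""Detection rules for agent-runtime events (added illustration, not Kommit's code).

Event schema, allowlists, baselines and the output pattern are constructed.
"""
import re
from collections import Counter

TOOL_ALLOWLIST = {                      # constructed: tools each agent may call
    "kyc-agent": {"sharepoint.get", "salesforce.update"},
    "billing-agent": {"stripe.read"},
}
SPEND_BASELINE_TOKENS = {"kyc-agent": 5000, "billing-agent": 4000}  # constructed per-window baselines
SPIKE_FACTOR = 5                        # alert when spend exceeds 5x baseline
VIOLATION_THRESHOLD = 3                 # alert on the third violation in one run
BLOCKED_OUTPUT_PATTERNS = [re.compile(r"\b\d{13,16}\b")]  # constructed: bare long digit runs


def detect(events, allowlist=TOOL_ALLOWLIST, baseline=SPEND_BASELINE_TOKENS):
    """Return alerts as (rule, subject, detail) tuples, in firing order."""
    alerts = []
    spend = Counter()        # tokens per agent in this window
    violations = Counter()   # policy violations per run
    for e in events:
        kind = e["type"]
        if kind == "model_call":
            spend[e["agent"]] += e["tokens"]
        elif kind == "tool_call":
            if e["tool"] not in allowlist.get(e["agent"], set()):
                alerts.append(("tool_outside_allowlist", e["agent"], e["tool"]))
        elif kind == "policy_violation":
            violations[e["run"]] += 1
            if violations[e["run"]] == VIOLATION_THRESHOLD:   # fire once per run
                alerts.append(("repeated_policy_violations", e["run"], e["policy"]))
        elif kind == "human_gate" and e["outcome"] in ("bypassed", "timed_out"):
            alerts.append(("human_gate_" + e["outcome"], e["run"], e["agent"]))
        elif kind == "output":
            for pat in BLOCKED_OUTPUT_PATTERNS:
                if pat.search(e["text"]):
                    alerts.append(("blocked_output_pattern", e["run"], pat.pattern))
                    break
    # Spend is evaluated once the whole window has been seen
    for agent, total in spend.items():
        if total > SPIKE_FACTOR * baseline.get(agent, 0):
            alerts.append(("spend_spike", agent, total))
    return alerts


SAMPLE_EVENTS = [   # constructed window of runtime events
    {"ts": 1, "run": "r1", "agent": "kyc-agent", "type": "model_call", "tokens": 3000},
    {"ts": 2, "run": "r1", "agent": "kyc-agent", "type": "tool_call", "tool": "sharepoint.get"},
    {"ts": 3, "run": "r1", "agent": "kyc-agent", "type": "tool_call", "tool": "email.send"},
    {"ts": 4, "run": "r1", "agent": "kyc-agent", "type": "policy_violation", "policy": "pii-strict"},
    {"ts": 5, "run": "r1", "agent": "kyc-agent", "type": "policy_violation", "policy": "pii-strict"},
    {"ts": 6, "run": "r1", "agent": "kyc-agent", "type": "policy_violation", "policy": "pii-strict"},
    {"ts": 7, "run": "r2", "agent": "billing-agent", "type": "model_call", "tokens": 90000},
    {"ts": 8, "run": "r2", "agent": "billing-agent", "type": "human_gate", "outcome": "timed_out"},
    {"ts": 9, "run": "r2", "agent": "billing-agent", "type": "output", "text": "acct 1234567890123456 on file"},
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

Routing is deliberately left out: each tuple is what you would hand to a Slack, PagerDuty or SIEM sink, and the rule name is the field to key alert policies on.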
Contain & trace

Disable a workflow in one click

Pause or disable any workflow immediately from the control plane. Then trace the incident backward through the audit log — every event, every input, every decision in sequence.

  • Isolate the affected workflow without touching others
  • Replay any run step-by-step from the audit trail
  • Export the full lineage record for your incident report
  • Roll back to a previous workflow version
  • Re-run with a fixed policy after root-cause analysis
Common questions

What security teams ask us.

Does Kommit train on our prompts or outputs?
No. Hosted model calls (Anthropic, OpenAI) run under each provider's zero-retention agreement, so your prompts and outputs are never used to train their models. Kommit itself never trains anything on customer data.
Can we run Kommit inside our own VPC today?
Not yet. VPC deployment is part of the design-partner roadmap — if you need it day-one, talk to us and we'll share the timeline. Today every Kommit workspace runs in Hetzner Frankfurt (eu-central-1).
What happens if an agent exceeds its policy?
Runtime policy enforcement (rate limits, tool allowlists, data-class restrictions) is part of the design-partner roadmap. Today the hash-chained audit trail captures every privileged admin action; alerting + blocking on policy violations is the work this section describes.
How are admin actions audited today?
Every privileged admin action is written to admin_audit_logs with an HMAC chain — change any record and the chain breaks. Export as JSON or CSV from the admin panel. A cron sweep re-verifies the chain on a schedule.
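The HMAC-chained record described here and in the Audit trail section above, as an added example. This is illustrative code, not Kommit's implementation: the key, the genesis anchor, the record layout and the sample events are constructed. Each record's tag is HMAC-SHA256 over the previous tag and the canonical JSON of the event, and verify_chain() plays the role of the cron sweep. It also shows the one thing the chain alone cannot catch, deletion of the newest records, which needs the latest tag checkpointed somewhere the writer cannot reach.

```python
"""Hash-chained HMAC audit trail with a sweep-style verifier.

Added illustration, not Kommit's code. Key and events are constructed.
"""
import copy
import hashlib
import hmac
import json

GENESIS_TAG = "0" * 64   # constructed anchor that the first record links to


def canonical(event: dict) -> bytes:
    # Stable serialization so an event always hashes the same way
    return json.dumps(event, sort_keys=True, separators=(",", ":")).encode()


def compute_tag(key: bytes, prev_tag: str, event: dict) -> str:
    mac = hmac.new(key, digestmod=hashlib.sha256)
    mac.update(prev_tag.encode())
    mac.update(b"\x00")          # separator between link and payload
    mac.update(canonical(event))
    return mac.hexdigest()


def append_record(chain: list, key: bytes, event: dict) -> dict:
    """Append an event, linking it to the current head of the chain."""
    prev_tag = chain[-1]["tag"] if chain else GENESIS_TAG
    record = {"seq": len(chain), "event": event, "prev_tag": prev_tag,
              "tag": compute_tag(key, prev_tag, event)}
    chain.append(record)
    return record


def verify_chain(chain: list, key: bytes, expected_head: str = None):
    """Return (ok, first_bad_seq). Checks sequence, links and every tag.

    expected_head is the last tag as checkpointed out of band; without it,
    truncating the tail of the chain is undetectable.
    """
    prev_tag = GENESIS_TAG
    for i, record in enumerate(chain):
        if record["seq"] != i or record["prev_tag"] != prev_tag:
            return False, i
        expected = compute_tag(key, prev_tag, record["event"])
        if not hmac.compare_digest(expected, record["tag"]):
            return False, i
        prev_tag = record["tag"]
    if expected_head is not None and not hmac.compare_digest(prev_tag, expected_head):
        return False, len(chain)      # tail is missing or replaced
    return True, None


SAMPLE_EVENTS = [   # constructed admin actions
    {"actor": "admin@example.com", "action": "workspace.member_invite", "target": "builder@example.com"},
    {"actor": "admin@example.com", "action": "workspace.model_change", "target": "backbone-model"},
    {"actor": "owner@example.com", "action": "workspace.mutation_approve", "target": "ws-demo"},
]


def build_sample_chain(key: bytes) -> list:
    chain = []
    for event in SAMPLE_EVENTS:
        append_record(chain, key, event)
    return chain


def tampered_copy(chain: list, seq: int, new_event: dict) -> list:
    """Simulate an edit to one stored row that was not re-signed."""
    altered = copy.deepcopy(chain)
    altered[seq]["event"] = new_event
    return altered


if __name__ == "__main__":
    key = b"constructed-demo-key"
    chain = build_sample_chain(key)
    head = chain[-1]["tag"]
    print(verify_chain(chain, key, head))                                         # (True, None)
    print(verify_chain(tampered_copy(chain, 1, {"action": "noop"}), key, head))   # (False, 1)
    print(verify_chain(chain[:-1], key, head))                                    # (False, 2)
```

The verifier is only as trustworthy as the key: if the process that writes records can also read the key, it can re-sign whatever it edits. Keep the key with the sweep, not with the writer, and publish the head tag somewhere the writer cannot change so truncation is caught too.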
How long are audit logs retained?
Indefinitely today. Retention windows + SIEM streaming (Splunk, Datadog, Elastic) are roadmap. If your security team needs a specific retention contract before piloting, ask — we can scope it.
Can we restrict which AI models agents are allowed to use?
Not via policy library yet — that's on the design-partner roadmap. Today: every workspace has a configured backbone model (Claude Sonnet 4.6) and switching it requires admin action with audit-trail evidence. Per-workflow model allowlists ship with the policy library.
What we don't claim

No SOC 2 badge. No HIPAA BAA. No EU AI Act conformity.

Kommit ships control libraries that map to these frameworks; your audit, your certification. We provide the evidence trail. For the full compliance posture map and procurement-grade docs, see the Trust Center.

SOC 2

Not a Kommit certification

We ship a control library mapped to Type II criteria + evidence trails baked into the platform. The Type II audit is yours; the evidence belongs to us.

HIPAA

No BAA yet

PHI redaction primitives are roadmap; audit logs are live. We do not yet sign Business Associate Agreements. Covered entities should not rely on Kommit for PHI processing today.

GDPR

Processor, not certified

EU operations + EU sub-processors. We act as a data processor under your DPA. We are not ISO 27701 certified and don't claim to be.

EU AI ACT

Controls, not conformity

Risk-classification + human-oversight primitives are in design-partner pilots. We are not a registered conformity assessment body — customers classify and register their own workflows.

Get in touch

See it on your stack.

30 minutes with our team. We'll walk you through governance, audit, evals — and answer everything procurement will ask. Bring your own NDA; we'll sign in 24 hours.