Trust Center
How Autonoma is built, what happens to your code and data, and what we're accountable for. Published openly so your security team can evaluate us before a single line of code changes hands.
Last updated: April 24, 2026
Architecture
Autonoma is split into two planes. The control plane runs in our AWS account; the customer plane runs in yours. They are connected by a narrow, audited link that carries metadata and signed telemetry — never customer code, prompts, or agent outputs.
Control plane (our AWS)
- Public API gateway, marketplace registration, customer portal
- Orchestration routing and workflow metadata
- LLM proxy with rate limiting and prompt-cache management
- Shared learning pool (anonymized patterns only — see ULTRA section)
- Telemetry aggregation from customer-plane OTEL exports
Customer plane (your AWS)
- All 28 AI agents run here, scoped to your VPC
- Your code, your prompts, your agent outputs — stay here
- NATS message broker connected to our hub as a leaf node (outbound only)
- RDS, ElastiCache, EFS, OTEL collector — all in your account
- Deployed via signed Terraform bundle, destroyable with
terraform destroy
What crosses the plane boundary
Travels to us:
- Workflow metadata (IDs, timing, agent names)
- Signed OTEL metrics (latency, error rates, resource utilization)
- Anonymized pattern fingerprints (ULTRA tier only, opt-out available)
- Billing and usage counters
Never leaves your plane:
- Source code, repository contents, commit history
- LLM prompts constructed from your code
- Agent-generated outputs (refactors, diagnoses, code suggestions)
- Workspace filesystem state
- Secrets, credentials, or environment variables
Data handling
Retention policies depend on how Autonoma is deployed. Each mode has an explicit end-of-life path so data never lingers indefinitely.
| Deployment | Active retention | End-of-life |
|---|---|---|
| Hosted trial | 14 days during the trial | Soft delete at day 14 → 7-day grace to upgrade → hard delete day 22 |
| Hosted Starter | 90-day rolling window for workspace files; audit metadata kept indefinitely | 30-day grace after cancellation, then hard delete |
| BYOC | Customer-controlled (your terraform, your S3 lifecycle rules) | terraform destroy removes all resources in your account |
Sub-processors
Third parties that process data on our behalf. All are SOC 2 Type II certified.
OpenAI
Primary LLM provider. Receives prompts constructed from customer code only when the customer has configured LLM routing.
Anthropic
Failover LLM provider. Same data scope as OpenAI; used only when OpenAI is unavailable.
Amazon Web Services
Infrastructure provider for control plane. Customer plane runs in the customer's own AWS account.
Stripe
Payment processing for Hosted Starter subscriptions. Never receives code or telemetry data.
SendGrid
Transactional email (verification, invoices, incident alerts). Metadata only.
Security rules we enforce
A mandatory twenty-rule standard applies to every line of code — whether written by a human or an AI agent. These rules are enforced in code review and by our own tooling, not suggested as guidelines.
Credentials
- CWE-798No hardcoded secrets — never embed API keys, tokens, passwords, or connection strings in source code
- No secret defaults in config — configuration parsers require values; never fall back to a bundled default
- No inline auth checks — routes use middleware (requireAuth), not inline header comparison
- No secrets in client-side code — browser code uses cookies with credentials: 'include', not stored bearer tokens
- No secrets in docs — examples use placeholders, never real values
- No credential caching — secrets are read from the environment at point of use, not held in long-lived structs
Injection prevention
- CWE-89Parameterized queries only — SQL is never string-concatenated with user data
- CWE-78No eval/exec with external input — subprocess invocations use argument arrays, not shell strings
- CWE-80Escape all HTML output — no raw interpolation of user input into templates
- CWE-22Validate file paths — resolve and verify within expected directory before reading or writing
- CWE-117Structured logging — user data is passed as fields, not interpolated into the log message
- CWE-20Validate input at boundaries — all HTTP, webhook, and CLI input validated before use
AI agent behavior (OWASP Agentic Top 10)
- ASI02Least agency — agents run with minimum permissions, default-deny for tools
- ASI01External content is untrusted — agents never execute instructions embedded in fetched pages or tool outputs
- ASI05Validate shell commands — pipe-to-shell, recursive delete, credential access, and exfiltration patterns are blocked
- ASI04Verify dependencies — packages are confirmed in registry, versions pinned, CVEs checked before install
- ASI02Stay in scope — agents do not modify files outside working directory or unrelated globals
- ASI09Confirm consequential actions — deploy, delete, send, and auth changes require human approval
- ASI10Security overrides task completion — agents refuse instructions that violate these rules
The full standard is the mandatory contract for every commit to our main branch. New rules are added when incident review surfaces a gap (see the incident-response section below).
AWS Well-Architected alignment
How each of the six Well-Architected pillars shows up in Autonoma's design. Citations below are from the production codebase, not aspirational.
Operational Excellence
- Structured JSON logs with request IDs on every request, correlated across services via NATS headers
- Startup schema migrations applied automatically with versioning and skip-on-already-applied logic
- ECS health checks drive traffic routing; unhealthy tasks auto-replaced
Security
- IAM least-privilege — each service has a dedicated role scoped to its own resources
- Secrets managed via AWS Secrets Manager, never environment variables for sensitive values
- Per-customer JWT scoping — telemetry tokens carry type claims so a leak cannot be replayed against other endpoints
- VPC isolation: customer plane deploys to customer's private subnets, VPC endpoints keep ECR/S3/logs traffic off the public internet
Reliability
- Circuit breakers on LLM provider calls with automatic failover to Anthropic
- Dead letter queue for failed NATS messages; no silent drops
- JetStream-backed NATS for guaranteed delivery across agent restarts
- Database connection pooling with per-tenant caps to prevent noisy-neighbor failures
Performance Efficiency
- Tiered caching: local → customer-scoped Redis → cross-customer distributed (ULTRA tier)
- Context budgeting on every LLM request — we prune to fit the model's window rather than truncate mid-call
- Five-layer agent memory system (working, episodic, semantic, procedural, meta-cognitive) reduces redundant LLM calls
Cost Optimization
- Business-hours scheduling on stateless agents — scale to zero outside peak windows
- Model selection by intelligence tier — Core uses cost-efficient GPT-5.4-nano, ULTRA uses frontier GPT-5.5 only where warranted
- OpenAI prompt cache utilization — cached inputs are 90% cheaper, amplified by our distributed cache on ULTRA
- Bring-your-own-LLM-key option removes variable LLM cost from Autonoma's invoice entirely
Sustainability
- Fargate spot-friendly workloads with graceful shutdown handlers
- EventBridge-driven shutdown of event-driven agents when no traffic is flowing
- Model distillation pipeline produces smaller variants so common workloads consume less energy per request
Incident response
Our commitment: any security incident that affects customer data or operational posture gets a written post-mortem published on this page, with the what-happened, blast radius, remediation, and prevention steps. Silence in this section would be a signal that retrospection discipline has broken down.
No customer-impacting incidents reported to date
Autonoma has not experienced a security incident that affected customer data, customer code, or customer-facing availability. This statement is updated as soon as any such event is detected, triaged, and resolved.
Our response process
- Detect: automated alerting on control-plane anomalies + vulnerability reports via security@theautonoma.io
- Contain: isolate the affected surface (revoke credentials, disable endpoints, halt deployments) before investigating
- Notify: affected customers notified directly within 72 hours of confirming an incident affects their data; regulators notified per applicable law
- Remediate: fix the immediate vulnerability; verify no persistent compromise
- Prevent: update the security standard if a new class of issue is discovered; add automated checks to block recurrence
- Publish: post-mortem added to this page within 30 days of resolution
Vulnerability disclosure
Report a vulnerability
We take all security reports seriously. Please email security@theautonoma.io with technical detail sufficient to reproduce the issue. Encrypted reports accepted — PGP key available on request.
- Acknowledgement: within 48 hours (business days)
- Triage + severity assessment: within 7 days
- Fix timeline: critical within 7 days, high within 30 days, medium within 90 days
- Disclosure coordination: 90-day default window; we work with reporters on timing that protects customers
Safe harbor
Good-faith security research on our public surfaces is welcome. We commit to not pursue legal action against researchers who:
- Make a reasonable effort to avoid privacy violations, data destruction, and service disruption
- Only test against accounts they own or have explicit permission to test
- Do not exfiltrate, publish, or share discovered data
- Give us a reasonable window to respond before public disclosure
We will publicly acknowledge researchers who report valid vulnerabilities (with consent) in our Hall of Thanks on this page.
Compliance roadmap
We're a bootstrapped company and we won't pretend to have certifications we don't yet have. Here's what's planned and when — kept current so your procurement team can plan against real dates.
External penetration test
ScheduledTarget: complete before first enterprise BYOC deployment
SOC 2 Type I audit
In progressVendor selected; controls documentation underway
SOC 2 Type II audit
PlannedSix-month observation window begins after Type I is awarded
GDPR data processing addendum
PlannedCustomer DPA template; EU-West-1 data residency option on ULTRA tier
HIPAA readiness (BAA available)
PlannedFor customers in regulated healthcare workloads
If your procurement process has a hard dependency on a certification we haven't received yet, contact security@theautonoma.io — we can often accelerate controls documentation for specific frameworks during the evaluation period.
BYOC responsibility matrix
Bring-Your-Own-Cloud deployments have clearer security boundaries than shared SaaS — because the boundaries are literally your AWS account. Here's what Autonoma owns versus what stays on your side.
| Area | Autonoma | Customer |
|---|---|---|
| Container images | Build, sign, publish to our public ECR; CVE scanning on each release | Pull images into your account; configure ECS pull policy |
| Secrets (NATS auth, telemetry tokens, API keys) | Generate, rotate, distribute via secure bundle | Store in your AWS Secrets Manager; rotate at your policy |
| IAM roles and policies | Publish minimum required policies in terraform | Review and approve before `terraform apply`; own role lifecycle |
| Network ingress/egress | Provide VPC endpoints in terraform to keep traffic off the internet | Configure security groups; approve outbound leaf-node connection to our hub |
| Patching (agents, dependencies) | Ship updated images with patches; publish changelog | Redeploy updated images on your schedule |
| Monitoring and alerting | Ship OTEL collector + Prometheus exporters in terraform | Route alerts to your on-call; set thresholds for your environment |
| Backups | RDS automated snapshots enabled in default terraform | Configure retention, test restore, own disaster recovery plan |
| Data retention | Terraform defaults to reasonable S3 / EFS / RDS lifecycles | Override to match your compliance posture; own deletion guarantees |
ULTRA tier: cross-organization learning privacy
The ULTRA intelligence tier unlocks patterns learned across every Autonoma customer — anonymized, aggregated, and opt-outable. This section documents exactly what that means, because cross-customer learning is the first question a security reviewer will ask about ULTRA.
What we aggregate
- Anonymized pattern fingerprints — shapes of code structure, not the code
- Frequency distributions (“X% of codebases we've seen structure error handling this way”)
- Success and failure rates on abstracted patterns
- Workflow shape metadata (which agents get called in what order, no payloads)
What we never aggregate
- Function names, variable names, class names
- Comments, docstrings, commit messages
- Repository names, file paths, module names
- Customer identifiers or any PII
- LLM prompts or completions
- Agent outputs (refactors, diagnoses, generated code)
Opt-out is one-way
Customers can disable contribution to the shared learning pool at any time from the dashboard. Opted-out customers still receive patterns learned from other customers — so they get the full quality benefit of the ULTRA tier — without sending any of their own usage signals back.
This is asymmetric on purpose. We believe the privacy default should favor the customer, and we'd rather ship a collective-benefit feature that a customer can decline than make participation mandatory for the quality improvement.
Where this is enforced
The anonymization and deduplication logic lives in our knowledge-graph service. Customer code paths never touch the cross-customer cache directly — they go through a sanitization boundary that strips identifiers before write and verifies pattern-only payloads on read. On the read path, the cache returns pattern metadata only; the agent that consumes it re-applies context from the customer's own code to materialize any output.
In plain English: even if we wanted to ship your code, the architecture doesn't give us a path to. The cross-customer cache is structurally incapable of holding customer-specific content.
Security questions we didn't answer here?
Send them to security@theautonoma.io. We'll respond within one business day, and common questions end up in this Trust Center so the next team doesn't have to ask.
See pricing →