
Compliance Roadmap

Current compliance posture and our roadmap to SOC 2, GDPR, HIPAA, and PCI-DSS certifications — with technical details on how our encryption architecture satisfies each framework.

Current compliance status

| Framework | Status |
| --- | --- |
| SOC 2 Type I | Roadmap: Month 6 |
| SOC 2 Type II | Roadmap: Month 12+ |
| GDPR | Compliant practices |
| HIPAA | Technical controls ready |

Enterprise compliance packages

Enterprise customers can request our security questionnaire responses, architecture documentation, and penetration test summaries under NDA. Contact security@agentsecretstore.com.

SOC 2 roadmap

SOC 2 is the primary compliance standard for SaaS credential management. We are pursuing Type I (point-in-time) first, then Type II (6-month observation period). The security foundations are already in production.

Month 1–2

Security foundations

Complete
  • Envelope encryption (AES-256-GCM + KMS)
  • Role-based access control
  • Complete audit logging
  • Data-in-transit TLS 1.3
  • IP allowlisting

Month 3

SOC 2 Type I — Gap assessment

  • Engage audit firm (Vanta-partnered)
  • Identify control gaps
  • Remediate findings
  • Document all security policies
  • Annual pen test

Month 6

SOC 2 Type I — Certification

  • Point-in-time audit by CPA firm
  • Issue SOC 2 Type I report
  • Available to Enterprise customers under NDA
  • Vendor security questionnaire template

Month 12+

SOC 2 Type II

  • 6-month observation period audit
  • Issue SOC 2 Type II report (higher assurance)
  • Continuous monitoring via Vanta
  • Annual re-certification

GDPR

Agent Secret Store processes minimal personal data — primarily account holder email addresses and IP addresses in audit logs. Here's how we handle GDPR obligations:

Data processing

  • Secret values are encrypted with AES-256-GCM. Anthropic employees cannot read your secrets.
  • Audit logs contain IP addresses (legitimate interest: security monitoring).
  • Account data (email, billing) stored in Cloud SQL, GCP us-central1.
  • Data Processing Agreement (DPA) available for Enterprise customers on request.

Encryption

  • Data at rest: AES-256-GCM with per-secret DEKs and per-tenant KEKs.
  • Data in transit: TLS 1.3 for all API connections.
  • KMS keys stored in HSM-backed GCP Cloud KMS.
  • Tenant KMS key deletion permanently destroys all secrets for that tenant.

Data deletion (right to erasure)

  • Deleting a secret purges the ciphertext and DEK. The plaintext is mathematically irrecoverable.
  • Tenant deletion triggers async purge of all secrets, audit logs, and KMS keys.
  • Deletion requests fulfilled within 30 days per GDPR Article 17.
  • Audit logs are retained for the contracted retention period, then purged.

Sub-processors

  • GCP (Cloud Run, Cloud SQL, Cloud KMS) — infrastructure
  • Stripe — payment processing
  • Customer.io — transactional email
  • Cloudflare — CDN and DDoS protection
  • Full sub-processor list available at agentsecretstore.com/legal/sub-processors

HIPAA considerations

Agent Secret Store does not store Protected Health Information (PHI). However, customers may store credentials that are used to access PHI (e.g. EHR API keys, database passwords for healthcare databases). In these cases:

§164.312(a)(1) — Access Control

Scoped tokens implement unique user ID and automatic logoff (TTL). Emergency access can be granted via approval override.

§164.312(a)(2)(iv) — Encryption and Decryption

AES-256-GCM satisfies the NIST SP 800-111 encryption standard for data at rest.

§164.312(b) — Audit Controls

All access logged with actor ID, timestamp, IP, and resource path. Exportable for HIPAA audit requirements.

§164.312(c)(1) — Integrity

GCM authentication tags verify ciphertext integrity. Tampered ciphertext is detected and rejected at decrypt time.

§164.312(e)(2)(ii) — Transmission Encryption

All API traffic over TLS 1.3. Connections using TLS < 1.2 are rejected.

Business Associate Agreement (BAA)

BAA available for Enterprise customers who store healthcare-adjacent credentials. Contact security@agentsecretstore.com.

PCI-DSS notes

Agent Secret Store is designed to store payment processor credentials (Stripe keys, PayPal API credentials, etc.) but does not store Primary Account Numbers (PANs), cardholder names, or CVVs — data that falls under PCI-DSS Requirement 3's most stringent protection requirements.

Req 7: Restrict access to system components

Scoped tokens enforce least-privilege access to payment credentials. Token scope limits which components can reach the Stripe key.

Req 8: Identify users and authenticate

Every access is attributed to a specific actor (token ID, agent ID, or human member). Shared credentials are not supported.

Req 10: Log and monitor access

Immutable audit trail for all payment credential access. Exportable as CSV for QSA review. 90-day hot retention (Growth), 365 days (Enterprise).

Req 12.3.2: Targeted risk analysis

Payment credentials should be classified as critical tier, requiring approval for each token issuance. Single-use tokens recommended for transaction operations.

PCI-DSS scope carve-out

Agent Secret Store stores Stripe secret keys — these are API credentials, not cardholder data. Your PCI-DSS scope should be defined by your QSA. Using a vault for payment credentials can narrow scope by ensuring keys are only accessible by specifically scoped agents on known IP addresses.

Data residency

All data is currently stored in a single GCP region. Multi-region and EU-residency options are on the Enterprise roadmap.

| Component | Region (v1) | Roadmap |
| --- | --- | --- |
| Cloud Run API + Frontend | us-central1 (Iowa) | EU (europe-west1) — Q3 2025 |
| Cloud SQL PostgreSQL | us-central1 (Iowa) | EU + APAC — Q4 2025 |
| GCP Cloud KMS (KEKs) | us-central1 (Iowa, HSM) | Regional KMS per tenant — Enterprise |
| Firestore (dashboard state) | us-central1 | Multi-region US — Q3 2025 |
| BigQuery (cold audit log) | us-central1 | EU dataset for GDPR — Q3 2025 |
| Cloudflare CDN | Global edge (anycast) | Already global |

Audit export for compliance teams

Compliance auditors typically request evidence of access controls, logged access to sensitive data, and key management records. Export the relevant events via the API:

```shell
# SOC 2 evidence: quarterly access report for auditors
# --fail: exit non-zero on an HTTP error instead of saving the error body as the report
curl --fail https://api.agentsecretstore.com/v1/audit/export \
  -H "Authorization: Bearer $ASS_AGENT_KEY" \
  -H "Accept: text/csv" \
  -G \
  --data-urlencode "since=2025-01-01T00:00:00Z" \
  --data-urlencode "until=2025-03-31T23:59:59Z" \
  --data-urlencode "event_types=secret.read,secret.created,secret.deleted,token.issued,member.invited,member.removed,approval.granted,approval.denied" \
  -o soc2-q1-2025-audit.csv

# HIPAA: all credential access by a specific agent (BA activity log)
curl --fail https://api.agentsecretstore.com/v1/audit/export \
  -H "Authorization: Bearer $ASS_AGENT_KEY" \
  -H "Accept: text/csv" \
  -G \
  --data-urlencode "actor_id=ast_agent_ehr_processor" \
  --data-urlencode "since=2025-01-01T00:00:00Z" \
  -o hipaa-ehr-agent-access.csv
```

How encryption satisfies compliance requirements

Our envelope encryption architecture is specifically designed to satisfy common compliance control requirements. Here's the technical mapping:

```shell
# Architecture: how envelope encryption satisfies compliance

# Each secret's encryption chain:
#
# Tenant KEK (GCP KMS, HSM-backed)
#   └── Secret DEK (AES-256-GCM, unique per secret)
#         └── Secret value (ciphertext + IV)
#
# What this means for compliance:
#
# SOC 2 CC6.1 — Logical and physical access controls:
#   ✅ All data encrypted at rest with AES-256
#   ✅ KMS keys are HSM-backed (hardware security module)
#   ✅ Key access requires IAM role with dedicated audit trail
#
# PCI DSS 3.4 — Render PAN unreadable anywhere it is stored:
#   ✅ Payment credentials never stored in plaintext
#   ✅ Each secret uses a unique DEK (key-per-secret isolation)
#   ✅ Compromising one secret does not expose others
#
# HIPAA §164.312(a)(2)(iv) — Encryption and decryption:
#   ✅ AES-256-GCM satisfies NIST-approved encryption standard
#   ✅ Access controls documented in audit log
#   ✅ Workforce access minimized to Viewer / Auditor roles
```
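
The key hierarchy above and the properties claimed for it in the Encryption, Data deletion and HIPAA Integrity sections (a unique DEK per secret, a per-tenant KEK, GCM tag verification, erasure by key destruction) can be exercised in a few lines of Node.js. This is an added example, not Agent Secret Store's code: the function names and record layout are assumptions, and locally generated random keys stand in for the Cloud KMS KEKs.

```javascript
// Added illustration: local random keys stand in for the HSM-backed tenant KEKs.
const crypto = require('node:crypto');

// AES-256-GCM encrypt: returns the IV, ciphertext and 16-byte authentication tag.
function seal(key, plaintext) {
  const iv = crypto.randomBytes(12); // fresh 96-bit IV for every encryption
  const cipher = crypto.createCipheriv('aes-256-gcm', key, iv);
  const ct = Buffer.concat([cipher.update(plaintext), cipher.final()]);
  return { iv, ct, tag: cipher.getAuthTag() };
}

// AES-256-GCM decrypt: final() throws if the key is wrong or any byte was altered.
function open(key, box) {
  const decipher = crypto.createDecipheriv('aes-256-gcm', key, box.iv);
  decipher.setAuthTag(box.tag);
  return Buffer.concat([decipher.update(box.ct), decipher.final()]);
}

// Envelope encryption: a unique DEK per secret, itself wrapped by the tenant KEK.
function putSecret(kek, value) {
  const dek = crypto.randomBytes(32);
  const record = { data: seal(dek, Buffer.from(value)), wrappedDek: seal(kek, dek) };
  dek.fill(0); // the plaintext DEK is never stored
  return record;
}

function getSecret(kek, record) {
  const dek = open(kek, record.wrappedDek);
  try { return open(dek, record.data).toString(); } finally { dek.fill(0); }
}

// True when decryption is refused (tampering, wrong tenant key, destroyed key).
function isRejected(kek, record) {
  try { getSecret(kek, record); return false; } catch { return true; }
}

function demo() {
  const kekA = crypto.randomBytes(32), kekB = crypto.randomBytes(32); // constructed
  const r1 = putSecret(kekA, 'constructed-secret-value');
  const r2 = putSecret(kekA, 'constructed-secret-value');
  const out = { roundTrip: getSecret(kekA, r1) };
  out.distinctCiphertexts = !r1.data.ct.equals(r2.data.ct); // per-secret DEK and IV
  out.crossTenantRejected = isRejected(kekB, r1);
  r2.data.ct[0] ^= 0x01; // flip one ciphertext bit
  out.tamperRejected = isRejected(kekA, r2);
  kekA.fill(0); // stands in for destroying the tenant KEK
  out.unreadableAfterKeyDestruction = isRejected(kekA, r1);
  return out;
}
console.log(demo());
```

Every field in the printed object other than `roundTrip` should be `true`; a `false` would mean the corresponding isolation, integrity or erasure property does not hold in this model.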
