Security

How we protect your data, agents, and infrastructure.

Encryption

API keys are encrypted at rest using AES-256-GCM with a server-side encryption key. All data in transit uses TLS 1.3. Database connections use SSL with certificate verification.

Data Isolation

Every database table enforces Supabase Row-Level Security (RLS). Users can only access their own agents, tasks, conversations, and configuration. Service-level operations use a separate privileged client with explicit scoping.

Agent Sandboxing

Sandboxed agents run in isolated environments (E2B or Fly.io) with no access to your production infrastructure. Each sandbox is ephemeral and destroyed after task completion. Virtual agents operate in a constrained context with no filesystem or network access.

Permission Model

Every agent has granular permissions (filesystem, network, shell, git, database, etc.) that default to “ask” or “blocked.” Decision gates require human approval before agents take sensitive actions. Three control levels (Full Auto, Supervised, Strict) let you dial the autonomy.

Spend Controls

Daily spend ceilings are enforced atomically at the database level. When an agent hits its ceiling, it is immediately paused and a decision gate is created. No further API calls are made until you explicitly approve.

Audit Trail

Every significant action is logged to an auditable ledger: task creation, plan approval, agent provisioning, permission changes, and spend events. The ledger provides a complete timeline for compliance and debugging.

Reporting Vulnerabilities

If you discover a security issue, please email security@getqpro.com. We will acknowledge within 48 hours and provide updates as we investigate.