Enterprise-Grade Security and Simplicity – Built for AI Agents
Every Agntable deployment combines defence-grade security with a consumer-simple experience. From tenant isolation to one-click scaling, we handle the infrastructure so you can focus on building.
Security Features – Built for Isolation and Protection
Your agents run in defence-grade isolation. We've engineered security at every layer—from the kernel up to the application.
Tenant Isolation
Dedicated Isolated Environment per Agent
Every deployed agent runs in its own sandboxed environment with strict boundary enforcement. Cross-tenant access is impossible at any layer.
Default-Deny Networking
All inbound and outbound traffic is blocked by default. Only the authenticated reverse proxy can reach your agent, and agents can only make DNS lookups and HTTPS calls outward. No unexpected connections, no data leaks.
Hard Resource Quotas
CPU, memory, and storage limits are strictly enforced per agent:
- Starter: 2 vCPU / 4 GB RAM
- Pro: 4 vCPU / 8 GB RAM
- Business: 8 vCPU / 16 GB RAM
No noisy neighbours, no resource contention.
Application-Level Scoping
Every API query is filtered by the authenticated user. Cross-tenant data access is impossible at the application layer, even if lower layers were somehow bypassed.
Runtime Hardening
Unprivileged Execution
All agent processes run as unprivileged system users. Never as root. Even if compromised, an attacker has minimal permissions.
Stripped System Capabilities
Agent environments start with zero elevated capabilities—the principle of least privilege applied at the kernel level.
Privilege Escalation Disabled
Setuid and setgid mechanisms are disabled. No way to gain elevated permissions from within the agent.
Syscall Filtering
A restrictive seccomp profile limits which system calls agent processes can make. Hundreds of syscalls are blocked, dramatically reducing the attack surface.
Strict Security Policy Enforcement
The most restrictive security profile available is enforced on every agent environment, with audit and warning modes enabled alongside enforcement. No exceptions, no shortcuts.
No Orchestration Access
Even a fully compromised agent process cannot discover or interact with the underlying infrastructure. The agent sees only itself.
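The runtime controls listed in this section (unprivileged user, no capabilities, privilege escalation disabled, a seccomp syscall filter, the restricted profile enforced, audited and warned, no orchestration access, and the hard per-agent quotas above) each correspond to a concrete setting in a container orchestrator. The manifest below is an added example, not Agntable's own configuration: it assumes the platform is Kubernetes (the page does not say so; the enforce/audit/warn wording matches Pod Security Admission modes), and the namespace, pod, label and image names are placeholders.

```yaml
# Added example (not Agntable's configuration). Assumes a Kubernetes runtime;
# namespace, pod, label and image names are placeholders.
apiVersion: v1
kind: Namespace
metadata:
  name: agent-tenant-7f3a
  labels:
    # Pod Security Admission: reject, log and warn on anything that is not "restricted"
    pod-security.kubernetes.io/enforce: restricted
    pod-security.kubernetes.io/audit: restricted
    pod-security.kubernetes.io/warn: restricted
---
apiVersion: v1
kind: Pod
metadata:
  name: agent-7f3a
  namespace: agent-tenant-7f3a
  labels:
    app: agent
spec:
  # No orchestration access: the agent gets no API credential to discover the cluster
  automountServiceAccountToken: false
  securityContext:
    runAsNonRoot: true
    runAsUser: 10001          # unprivileged system user, never uid 0
    runAsGroup: 10001
    fsGroup: 10001
    seccompProfile:
      type: RuntimeDefault    # container runtime's default seccomp filter
  containers:
    - name: agent
      image: registry.example/agent:1.0   # placeholder image
      securityContext:
        allowPrivilegeEscalation: false   # sets no_new_privs: setuid/setgid binaries cannot raise privileges
        capabilities:
          drop: ["ALL"]                   # zero elevated capabilities
        readOnlyRootFilesystem: true
      resources:
        # Hard quota for the "Starter" tier on the page; requests equal limits
        # so the scheduler reserves exactly what the cgroup will enforce
        requests: { cpu: "2", memory: "4Gi" }
        limits:   { cpu: "2", memory: "4Gi" }
      volumeMounts:
        - name: scratch
          mountPath: /tmp
  volumes:
    - name: scratch
      emptyDir:
        medium: Memory   # memory-backed scratch space, wiped on restart
        sizeLimit: 256Mi
```

To confirm the controls actually took effect from inside the running container, read the kernel's view of the process rather than trusting the manifest: `kubectl exec -n agent-tenant-7f3a agent-7f3a -- grep -E 'Uid|CapEff|NoNewPrivs|Seccomp' /proc/1/status` should show a non-zero uid, `CapEff: 0000000000000000`, `NoNewPrivs: 1` and `Seccomp: 2` (filter mode). If any pod in the namespace violates the restricted profile, the admission controller refuses it outright because of the `enforce` label; the `audit` and `warn` labels additionally record and surface the violation for operators.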
Secret Management
API Keys Never Exposed to Frontend
The UI only receives boolean flags indicating whether a key is configured—never the actual value. Your keys stay hidden.
Per-Agent Authentication Tokens
Each agent instance gets a unique 256-bit authentication token. Compromising one agent yields nothing useful for attacking others.
Encrypted Storage
User API keys (OpenAI, Anthropic, Google) are stored encrypted at rest using AES256 encryption. They're injected into the agent's environment at boot time only—never written to disk inside the agent.
Infrastructure Secrets Vault-Encrypted
All infrastructure credentials (DNS, storage, database) use AES256 encryption at rest. Even we can't read them without the vault.
Network & Transport Security
End-to-End Encryption
All inter-node traffic is encrypted via WireGuard mesh tunnels. No plaintext communication anywhere in the infrastructure.
HTTPS-Only Ingress
All HTTP traffic is automatically redirected to HTTPS. Wildcard TLS certificates auto-renew via Let's Encrypt. Your agent is always served securely.
IP-Whitelisted Management Access
SSH and management APIs are restricted to known IP addresses via cloud firewall rules. No anonymous access, no brute-force attempts.
Egress Filtering
Agents can only reach the internet over HTTPS (port 443) and DNS. All other outbound protocols are blocked. No data exfiltration over unexpected channels.
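The default-deny and egress rules described above (nothing in or out unless explicitly allowed; ingress only from the authenticated reverse proxy; egress only DNS and HTTPS on port 443) can be expressed as a small set of network policies. This is an added example, not Agntable's own configuration: it assumes a Kubernetes cluster with a CNI that enforces `NetworkPolicy`, a reverse proxy running as pods labelled `app: reverse-proxy` in a namespace named `ingress`, and a cluster resolver labelled `k8s-app: kube-dns` in `kube-system`; all of those names are placeholders.

```yaml
# Added example (not Agntable's configuration). Assumes Kubernetes NetworkPolicy
# enforced by the CNI; namespace, label and port values are placeholders.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: agent-default-deny
  namespace: agent-tenant-7f3a
spec:
  podSelector: {}                 # every pod in the tenant namespace
  policyTypes: [Ingress, Egress]
  # No ingress or egress rules listed: all traffic is denied unless another policy allows it
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: agent-allow-proxy-ingress
  namespace: agent-tenant-7f3a
spec:
  podSelector:
    matchLabels: { app: agent }
  policyTypes: [Ingress]
  ingress:
    # Only the reverse proxy may reach the agent, and only on its listening port
    - from:
        - namespaceSelector:
            matchLabels: { kubernetes.io/metadata.name: ingress }
          podSelector:
            matchLabels: { app: reverse-proxy }
      ports:
        - protocol: TCP
          port: 8080              # the agent's listening port (placeholder)
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: agent-allow-dns-https-egress
  namespace: agent-tenant-7f3a
spec:
  podSelector:
    matchLabels: { app: agent }
  policyTypes: [Egress]
  egress:
    # DNS lookups, and only to the cluster resolver
    - to:
        - namespaceSelector:
            matchLabels: { kubernetes.io/metadata.name: kube-system }
          podSelector:
            matchLabels: { k8s-app: kube-dns }
      ports:
        - { protocol: UDP, port: 53 }
        - { protocol: TCP, port: 53 }
    # HTTPS to the internet only: private and link-local ranges are excluded so an
    # agent cannot reach other tenants, internal services or the cloud metadata
    # endpoint just because they happen to listen on 443
    - to:
        - ipBlock:
            cidr: 0.0.0.0/0
            except:
              - 10.0.0.0/8
              - 172.16.0.0/12
              - 192.168.0.0/16
              - 169.254.0.0/16
      ports:
        - { protocol: TCP, port: 443 }
```

The first policy is what makes the posture default-deny: because it selects every pod and declares both policy types with no rules, any pod in the namespace that is not matched by a later allow policy has no connectivity at all. The allow policies are additive, so a new agent pod without the `app: agent` label inherits the deny and nothing else, which is the failure mode you want. Note that port-based egress filtering does not inspect the protocol, so "HTTPS only" here means "TCP 443 only"; blocking non-TLS traffic on 443 requires an egress proxy in addition to the policy.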
Authentication & Authorization
Multi-Provider Authentication
Support for email/password with bcrypt hashing, Google OAuth2, and GitHub OAuth. All require verified email addresses before access.
Real-Time Authenticated WebSocket Channels
Live status updates are scoped per user via session-verified WebSocket connections. You see only your agents, your data, and your updates.
Session-Based API Authentication
All API endpoints require an authenticated session before any operation. No unauthenticated access to any resource.
Deployment & Operational Security
Atomic Provisioning
Infrastructure is created in strict dependency order. If any step fails, all provisioned resources are automatically torn down. All-or-nothing deployment means no half-baked, insecure states.
Automated Retry with Exponential Backoff
Transient failures are retried up to 3 times with increasing delays before triggering full cleanup. Self-healing without manual intervention.
Health Monitoring
Liveness and readiness probes continuously verify agent health. Unhealthy instances are automatically restarted. Your agent stays up.
Reverse-Order Teardown
When an agent is destroyed, resources are deallocated in reverse dependency order. No orphaned artefacts, no lingering security risks.
SSH Hardened
Password authentication disabled. Root login disabled. Ed25519 key-only access for a single admin user. If you need SSH access, it's done right.
Storage Security
Isolated Persistent Volumes
Each agent gets its own dedicated storage, mounted exclusively to that instance. No shared volumes, no cross-agent data leaks.
Object Storage Encryption
Persistent data is backed by encrypted S3-compatible object storage. AES256 at rest, always.
Ephemeral Scratch Space
Temporary directories use memory-backed storage that is wiped on agent restart. No sensitive data persists where it shouldn't.
Compliance & Certifications – Built to the Highest Standards
Agntable meets the security requirements of enterprises, governments, and regulated industries—automatically, with no extra work for you.
CIS Benchmark Hardened
Our compute runtime is hardened against the CIS Benchmark with controls built directly into the platform. We pass with minimal operator intervention, giving you enterprise-grade configuration out of the box.
FIPS 140-2 Validated Cryptography
All core platform components are compiled with FIPS 140-2 validated cryptographic libraries. Government-grade encryption standards across the entire stack—automatically.
DISA STIG Certified Runtime
Our orchestration layer is the only distribution of its kind to hold a DISA-approved Security Technical Implementation Guide (STIG). It meets the stringent security requirements of the U.S. Department of Defense.
ISO 27001 Certified Data Centres
All compute infrastructure runs in data centres with ISO 27001-certified Information Security Management Systems, independently audited by third-party certification authorities.
GDPR Compliant Hosting
All EU agent workloads run in European data centres (Germany and Finland) under full GDPR compliance. Data Processing Agreements aligned to GDPR Article 28 are standard.
SOC 2 Compliant Storage
Our object storage layer is SOC 2 audited and deployed in SOC 2, ISO 27001, and PCI-DSS certified data centre regions.
HIPAA-Ready Storage
The storage backend supports HIPAA and HITECH compliance for protected health information (PHI/ePHI). Healthcare use cases are fully supported.
FedRAMP-Ready Storage
Our storage tier is compliant with FedRAMP Moderate controls. Federal government workloads are welcome.
SOC 2 Compliant Metadata Layer
Agent metadata and file system state are managed through a SOC 2 certified cloud service with enterprise-grade security controls.
Infrastructure & Operations – Always On, Always Protected
We monitor your agents 24/7, back up your data daily, and scale your resources instantly—so you never have to.
24/7 Health Monitoring
We watch your instance around the clock. Liveness and readiness probes verify agent health continuously. If something fails, we restart it automatically.
Daily Automated Backups
Point-in-time recovery for your agent's data, configuration, and memory. Restore from any backup with one click. Peace of mind included.
One-Click Scaling
As your workloads grow, upgrade CPU and RAM instantly. No migration, no configuration changes, no downtime.
Automatic Security Updates
We apply security patches and feature updates automatically, with zero downtime. You're always running the latest, safest version.
99.9% Uptime Guarantee
We're confident in our infrastructure. If we fall below 99.9% uptime, you get service credits. That's how sure we are.
Multi-Region Redundancy
Deploy agents across multiple regions for high availability. If one region experiences issues, your other agents keep running.
Developer Experience – Built for Humans
Powerful when you need it, simple when you don't.
API-First Design
Everything we do is exposed via API. Deploy agents, manage keys, check status—all programmable.
WebSocket Live Updates
Real-time status streaming means your dashboard is always in sync. Build custom monitoring on top if you need it.
SSH Access When You Need It
For advanced use cases, hardened SSH access is available. Ed25519 keys only, IP-whitelisted, audited.
Post-Deployment Configuration
Change API keys, update settings, modify environment—all without rebuilding your agent.
Bring Your Own Domain
Professional, branded URLs for every agent. Free SSL included.
Comprehensive Logging
All agent activity is logged and available for debugging. Know exactly what happened, when.
Frequently Asked Questions
Every agent runs in its own sandboxed environment with strict boundary enforcement. Default-deny networking, per-agent resource quotas, and application-level scoping make cross-tenant access impossible at any layer.
We're CIS Benchmark hardened, FIPS 140-2 validated, and DISA STIG certified. Our data centres are ISO 27001 certified, and our storage is SOC 2 compliant. We support GDPR, HIPAA, and FedRAMP requirements.
Yes. API keys are stored encrypted at rest using AES256. They're never exposed to the frontend—the UI only shows whether a key is configured. Keys are injected at boot time and never written to disk inside the agent.
We monitor every instance 24/7 with liveness and readiness probes. Unhealthy instances are automatically restarted. If something deeper breaks, our engineering team is alerted immediately.
Yes. Upgrade CPU and RAM with one click by switching plans—no migration, no downtime, no configuration changes.
In EU data centres (Germany and Finland) or US data centres, depending on your selection. All EU workloads are fully GDPR compliant.
Yes. Daily automated backups are included on all plans. Point-in-time recovery for your agent's data, configuration, and memory.
For advanced use cases, yes. SSH is hardened with password auth disabled, root login disabled, and Ed25519 key-only access restricted to known IP addresses.
Our storage backend is HIPAA-ready and FedRAMP-ready. All plans include advanced security features for regulated industries.
No. But every plan includes a 7-day money-back guarantee.
Ready to Experience Enterprise-Grade AI Hosting?
Stop worrying about security, compliance, and infrastructure. Start building with the most trusted managed AI hosting platform.
3-minute deployment · 7-day money-back guarantee · Cancel anytime