DOCUMENT CX-SEC · TRUST POSTURE

Security and trust at DMZAgent.

DMZAgent keeps the record of consequential decisions an AI agent made. That record has to be reliable, and the system that keeps it has to be defensible. This page describes the controls in place today, the audits underway, and how to reach the security team.

Last reviewed 2026-05-19 · SOC 2 Type II in progress · Vulnerability disclosure open

Section 1 · Audit posture

What DMZAgent is audited against.

DMZAgent is in active preparation for SOC 2 Type II. The Type I report is targeted for Q3 2026; Type II follows the full observation window. Customers under a non-disclosure agreement can see the current report and the active control matrix on request.

  • SOC 2 Type II: In progress. Control framework in place; observation window underway; auditor engaged.
  • ISO 27001: Planned. Gap assessment scheduled following SOC 2 Type II issuance.
  • HIPAA: Business Associate Agreement available for customers in regulated clinical settings. See sales.
  • GDPR / UK GDPR: Data Processing Addendum available. Standard Contractual Clauses for cross-border transfers. See the DPA.
  • Penetration testing: External penetration test on each major release. Letter of attestation available under NDA.
  • Audit posture for controlled records: Records marked as controlled are subject to a separate retention and review path; release requires two-party authorization recorded to the ledger.

Section 2 · Encryption

Encryption at rest and in transit.

Every byte DMZAgent stores is encrypted at rest. Every byte DMZAgent moves on the network is encrypted in transit. Keys are managed by the underlying edge platform; rotation is automated and audited.

In transit

TLS 1.3 across all public surfaces.

Marketing, dashboard, API, and webhooks terminate TLS 1.3 at the edge. Internal service-to-service traffic between the API Worker and the reasoning container runs over mutually authenticated channels inside the cloud provider's private network.

At rest

AES-256 across all persistent stores.

The primary record store (D1), the snapshot bucket (R2), and the queue (KV) all encrypt at rest with provider-managed keys. Customer-managed key envelopes are available on the self-hosted tier by agreement.

Secrets

Injected, never committed.

API keys, signing keys, and provider credentials live in the edge secret store and are injected into the runtime at startup. No secret ever lands in a repo, an image, or a log line. Workspace API keys are hashed at rest and revocable from the dashboard.

Key rotation

Quarterly rotation, on-demand for cause.

Platform keys rotate on a quarterly cadence. Any suspected compromise triggers an out-of-band rotation and a notification to affected workspaces within the breach window required by the DPA.

Section 3 · Tamper-evident ledger

Why the record can be trusted to hold up.

DMZAgent is record-keeping infrastructure. The record has to be verifiable, and a customer or an auditor has to be able to detect any change after the fact. The ledger is hash-chained for that reason.

Each ledger entry references the cryptographic hash of the prior entry. The chain head is published periodically to a tamper-evident anchor under a workspace-controlled identifier. Any modification to a historical entry breaks the chain at that point and is detectable on the next verification pass. Snapshots of Canon manifests are written to immutable object storage with read-only retention; the manifest itself is signed and the signature is logged.

What this protects against. Insider modification, regulatory backdating, and silent deletion of evidence packets. It does not protect against a customer being compromised at the application layer and writing wrong events on purpose. The chain only guarantees that what was written cannot be silently changed after it was written.
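
An added example (not DMZAgent's code) of the verification pass described above, showing which tampering the chain catches on its own and which only the anchored head catches. It assumes SHA-256, canonical JSON payloads, an all-zero genesis value, and constructed sample events; the entry field names are hypothetical.

```python
import copy, hashlib, json

GENESIS = "0" * 64  # assumed prev-hash value for the first entry

def entry_hash(prev_hash, payload):
    # Canonical JSON so an identical payload always hashes identically.
    body = json.dumps(payload, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + body).encode()).hexdigest()

def append(ledger, payload):
    prev = ledger[-1]["hash"] if ledger else GENESIS
    ledger.append({"prev": prev, "payload": payload, "hash": entry_hash(prev, payload)})
    return ledger[-1]["hash"]  # new chain head: the value to publish to the anchor

def verify(ledger, anchored_head):
    """Return (ok, index, reason); index is where the chain first breaks."""
    prev = GENESIS
    for i, e in enumerate(ledger):
        if e["prev"] != prev:
            return (False, i, "entry removed or reordered")
        if entry_hash(e["prev"], e["payload"]) != e["hash"]:
            return (False, i, "payload edited")
        prev = e["hash"]
    if prev != anchored_head:  # self-consistent chain, but not the anchored one
        return (False, len(ledger), "head differs from anchor")
    return (True, None, "ok")

def build(events):
    ledger, head = [], GENESIS
    for ev in events:
        head = append(ledger, ev)
    return ledger, head

# Constructed sample events; the field names are hypothetical.
EVENTS = [{"seq": n, "actor": "agent-7", "action": a}
          for n, a in enumerate(["approve", "release", "revoke", "approve"])]

def demo():
    ledger, head = build(EVENTS)  # head stands in for the published anchor
    edited = copy.deepcopy(ledger)
    edited[1]["payload"]["action"] = "deny"  # historical entry changed in place
    deleted = ledger[:1] + ledger[2:]        # entry silently removed
    # Entry changed and every later hash recomputed: consistent, wrong head.
    forged, _ = build([dict(e, action="deny") if e["seq"] == 1 else e for e in EVENTS])
    cases = {"intact": ledger, "edited": edited, "deleted": deleted, "forged": forged}
    return {name: verify(chain, head) for name, chain in cases.items()}

if __name__ == "__main__":
    print(demo())
```

A ledger rewritten end to end with recomputed hashes is internally consistent, so the comparison against the separately published head is the check that detects it.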

Section 4 · Network model

Where DMZAgent runs and how the parts talk.

DMZAgent is built on a globally distributed edge platform. The control plane runs as edge workers; the reasoning plane runs in managed containers reached over a private service binding. There is no public endpoint on the reasoning plane.

  • Edge entry point: All public traffic terminates at the edge worker fleet. DDoS protection, WAF, and bot management are layered at this tier.
  • Reasoning plane: The reasoning service runs in managed containers reached only over a private service binding from the API Worker. No inbound public route exists.
  • Record store: Per-region D1 instances hold the canonical record. Reads stay in-region; cross-region replication is opt-in and described in the DPA.
  • Snapshot store: R2 buckets hold canonical Canon manifests and audit packet exports under workspace-scoped paths.
  • Outbound model calls: Reasoning calls leave the cluster over named egress IPs with mTLS. Customer-supplied model endpoints are honored on the self-hosted tier.

Section 5 · Data residency and retention

Where customer data lives, and for how long.

  • Default region: United States — North Virginia primary, Oregon failover.
  • EU region: Frankfurt primary, Dublin failover. Selectable at workspace provisioning. Data does not leave the selected region for storage.
  • UK region: London. Available on request.
  • Retention — behavior events: Retained for the term of the agreement plus the regulatory hold window the customer specifies. Default ninety days post-termination.
  • Retention — audit packets and ledger: Retained for seven years after the agreement ends, consistent with common audit retention windows. Customer-configurable in the DPA.
  • Deletion on request: Within thirty days, with a certificate of destruction issued to the workspace administrator.

Section 6 · Access control

Who can see what, on the customer side and ours.

Customer side

Role-scoped, workspace-bound.

Five roles: tenant administrator, analyst, auditor, viewer, and the cross-tenant service operator role used only by DMZAgent staff under audit. Every access to a controlled record writes a ledger entry. SSO via SAML and OIDC is available on the team and enterprise tiers.

DMZAgent side

Least privilege, logged, reviewed.

Production access is brokered through short-lived, scoped credentials issued against a documented break-glass procedure. Every production session writes to the same ledger customers see. Quarterly access reviews confirm that only current staff hold access.

API keys

Dashboard-issued, workspace-scoped, revocable.

SDK and AgentStream clients authenticate with bearer API keys issued from the dashboard, scoped to a single workspace, and revocable at any time. Browser session cookies are never accepted on SDK endpoints.

Audit trail

Every consequential action.

Login, role change, key issue, key revoke, controlled record release, and configuration change are recorded to the workspace ledger and visible to the auditor role.

Section 7 · Vulnerability disclosure

How to report something you found.

DMZAgent welcomes coordinated disclosure. Send the report to the security pathway on the contact page or directly to security@dmzagent.com. Encrypted mail is welcome; the PGP key is published on the contact page.

  • Acknowledgement: Same business day, Pacific hours.
  • Triage: Severity assignment within two business days, with the reporter copied on the triage note.
  • Remediation plan: Documented within five business days. Critical issues are mitigated immediately while the longer fix is staged.
  • Disclosure window: Ninety days from acknowledgement, or earlier by agreement with the reporter.
  • Safe harbor: Good-faith research that respects customer data, avoids service degradation, and follows the disclosure window is welcomed and will not be pursued.

Reporting a live incident in your workspace? Email security@dmzagent.com with the workspace slug and a short description. The on-call engineer is paged on receipt and acknowledges in-band within fifteen minutes during business hours.

Section 8 · Agreements

The paperwork that backs this page.

The trust posture on this page is published; the binding version lives in the agreements your account executive provides. Plain-language summaries are linked below.

Need to evaluate DMZAgent against your control framework? Request the current SOC 2 report, penetration-test letter, and architecture overview from sales. Materials are released under NDA.

Section 9 · Accessibility

The same controls reach everyone.

DMZAgent publishes a conformance posture against the Section 508 Refresh and WCAG 2.1 Level AA. Both the public marketing site and the product dashboard are built to that target. The posture below reflects the state of the public commitments; the internal audit log behind each is available on request.

  • Standards targeted: WCAG 2.1 Level AA across every public surface. Section 508 Refresh §1194.22 (Web) and §1194.31 (Functional Performance) for the product dashboard and any documentation a customer or auditor reaches without an account.
  • Keyboard reachability: Every interactive control is keyboard reachable in the visible focus order. A skip link on every marketing page and a focused-visible outline on every interactive element satisfy WCAG 2.4.1 and 2.4.7.
  • Names, roles, and values: Form fields are programmatically associated with their visible labels. Icon-only buttons carry an accessible name. Destructive confirmations open a focus-trapped dialog with role=dialog and aria-modal in place of the browser confirm() dialog. Satisfies WCAG 1.3.1 and 4.1.2.
  • Color and contrast: Body text and interactive controls meet WCAG 1.4.3 at Level AA contrast on the federal navy / paper palette. The federal palette tokens are pinned in our internal design system so off-token combinations cannot ship.
  • Documented exceptions: Known gaps and their remediation timelines are tracked internally and disclosed on request under NDA. There is no exemption for an accessibility regression — a failing page is a release blocker.
  • How to report a barrier: Anyone — customer or not — can report an accessibility issue through contact. We acknowledge within two business days and publish a remediation plan within ten. Reports are triaged on the same queue as security disclosures.

Need the current VPAT? Section-508-style Accessibility Conformance Reports (formatted as VPAT 2.4 Rev INT) are issued on request through sales. They cover the marketing site, the product dashboard, and our published API documentation.