Korelos

Trust & Safety

Security at Korelos AI Studio

We treat security as a core feature, not an afterthought. Here’s how we protect your data and agents.

Last reviewed: April 2026

Found a vulnerability? Please report it responsibly to security@korelos.com. We aim to respond within 24 hours and provide a fix within 72 hours for critical issues.

Infrastructure Security

  • Cloud provider — hosted on Google Cloud Platform with SOC 2 Type II and ISO 27001 certifications.
  • Network isolation — all workloads run in private VPCs with strict firewall rules. No direct public access to internal services.
  • DDoS protection — all endpoints are protected by Google Cloud Armor with rate limiting and traffic scrubbing.
  • Redundancy — multi-region deployment with automatic failover for the API and agent execution layer.

Data Encryption

  • In transit — all data transmitted between your systems and Korelos APIs is encrypted with TLS 1.2+. We enforce HTTPS for all endpoints.
  • At rest — all stored data, including agent configurations, memory, and execution logs, is encrypted with AES-256.
  • API keys — API keys are stored as one-way hashed values. We never store or display keys in plaintext after initial generation.

Access Controls

  • Role-based access — team members can be assigned Admin, Developer, or Viewer roles with granular permission scopes.
  • API key scoping — keys can be scoped to specific agents, operations (read/write/execute), and IP ranges.
  • Multi-factor authentication — MFA is available for all accounts and required for Enterprise plans.
  • Session management — sessions expire automatically after inactivity and can be remotely revoked from your account settings.

Agent Execution Isolation

Each agent execution runs in an isolated sandboxed environment. Agents cannot access resources outside their defined tool scope, cannot communicate with other tenants’ agents, and have strict execution time and resource limits enforced at the infrastructure level.

Audit Logging

All API calls, agent runs, configuration changes, and access events are logged with timestamp, user identity, IP address, and action detail. Audit logs are immutable, stored separately, and available for export on Pro and Enterprise plans.

Compliance

  • SOC 2 Type II — planned certification covering security, availability, and confidentiality.
  • GDPR — we comply with GDPR requirements for EU data subjects, including data processing agreements, right to erasure, and data portability.
  • CCPA — we comply with California Consumer Privacy Act requirements.
  • Enterprise — custom compliance packages including HIPAA BAAs and FedRAMP-aligned configurations are available on Enterprise plans.

Vulnerability Disclosure

We operate a responsible disclosure program. If you discover a security vulnerability in Korelos AI Studio, please email security@korelos.com with details. We ask that you:

  • Give us reasonable time to address the issue before public disclosure
  • Not access or modify user data during research
  • Not perform denial-of-service attacks

We acknowledge all valid reports and work to resolve critical issues within 72 hours.

Incident Response

We maintain a documented incident response plan. In the event of a data breach affecting your data, we will notify affected customers within 72 hours as required by GDPR and applicable law. Security advisories are published at our status page.