Autonomy you can trust
We give AI employees real access to your systems — so the controls that govern what they can do, who approves it, and how it is recorded are the product, not a footnote. This page sets out the posture we run today. We describe only what we have built.
Security questions? security@usermode.ai
The posture we run today
Grouped by where the risk lives — where the work runs, what an agent is allowed to do, what data we hold, and how it is all evidenced.
Your fleet runs in your own cloud
Each customer is deployed into a dedicated Microsoft Azure environment. There is no shared runtime between clients.
Per-tenant Azure isolation
Every deployment gets its own Azure subscription, resource group, Key Vault and container environment. Tenants do not share compute, storage or secrets.
Default-deny ingress
Services are closed to the public internet by default. Inbound access is permitted only through explicit allowlists scoped to the systems that need it.
OAuth 2.1 gateway
Access to the agent gateway is authenticated with OAuth 2.1 via Microsoft Entra ID: the authorization-code flow with PKCE and signed JWT access tokens, with Entra ID brokering sign-in from your own identity provider.
What an agent can do is enforced, not requested
Autonomy is bounded by code. An agent cannot take an action it has not been granted, and sensitive actions stop for a person.
Fail-closed tool policy
A three-layer tool-policy engine evaluates every action before it runs and denies by default. Read-only roles are technically prevented from changing your systems — not just told not to.
Signed outbound grants
Every external send requires a grant signed with HMAC-SHA256 that carries an expiry and the specific recipient it authorises. A grant that has expired, or whose signature or recipient does not match the send being attempted, is refused at dispatch.
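The grant check described above, as an added example that is not Usermode's own code: a grant is a small JSON payload (recipient, action, issue and expiry times) plus an HMAC-SHA256 tag over its canonical encoding, and dispatch refuses on any of the three failure modes the text names (expired, wrong recipient, bad signature). The field names, the five-minute lifetime and the `mint_grant`/`verify_grant`/`dispatch` helpers are assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional, Tuple

# Assumed design for illustration: field layout, lifetime and helper names are not
# taken from the page. The key would live in Key Vault in a real deployment.
GRANT_TTL_SECONDS = 300


def _canonical(payload: dict) -> bytes:
    # Sorted keys, no whitespace: signer and verifier must hash identical bytes.
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()


def mint_grant(key: bytes, recipient: str, action: str, now: Optional[float] = None) -> dict:
    """Issue a time-limited grant bound to one recipient and one action."""
    issued = int(now if now is not None else time.time())
    payload = {
        "recipient": recipient,
        "action": action,
        "iat": issued,
        "exp": issued + GRANT_TTL_SECONDS,
    }
    tag = hmac.new(key, _canonical(payload), hashlib.sha256).digest()
    return {"payload": payload, "tag": base64.urlsafe_b64encode(tag).decode()}


def verify_grant(key: bytes, grant: dict, recipient: str, action: str,
                 now: Optional[float] = None) -> Tuple[bool, str]:
    """Return (ok, reason). Every failure path refuses; nothing is sent on a failure."""
    current = now if now is not None else time.time()
    try:
        payload = grant["payload"]
        tag = base64.urlsafe_b64decode(grant["tag"])
    except (KeyError, TypeError, ValueError):
        return False, "malformed grant"
    expected = hmac.new(key, _canonical(payload), hashlib.sha256).digest()
    # Check the signature first and in constant time, so an attacker-supplied
    # payload is never interpreted and the comparison leaks no timing.
    if not hmac.compare_digest(tag, expected):
        return False, "signature mismatch"
    if payload.get("recipient") != recipient:
        return False, "recipient mismatch"
    if payload.get("action") != action:
        return False, "action mismatch"
    iat, exp = payload.get("iat"), payload.get("exp")
    if not (isinstance(iat, int) and isinstance(exp, int) and iat <= current < exp):
        return False, "expired"
    return True, "ok"


def dispatch(key: bytes, grant: dict, recipient: str, action: str,
             now: Optional[float] = None) -> str:
    """The dispatch edge: the grant is re-verified against the actual send target."""
    ok, reason = verify_grant(key, grant, recipient, action, now)
    if not ok:
        return f"REFUSED: {reason}"
    return f"SENT {action} to {recipient}"


if __name__ == "__main__":
    key = b"demo-only-key"                      # constructed for the example
    t0 = 1_700_000_000
    grant = mint_grant(key, "billing@example.com", "send_email", now=t0)
    print(dispatch(key, grant, "billing@example.com", "send_email", now=t0 + 5))
    print(dispatch(key, grant, "other@example.com", "send_email", now=t0 + 5))
    print(dispatch(key, grant, "billing@example.com", "send_email", now=t0 + 400))
```

The recipient and action are part of the signed bytes, so a grant minted for one recipient cannot be replayed against another by editing the payload: the tag no longer matches. The expiry is checked only after the signature, so an unsigned payload never gets to choose its own clock.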
Human approval gates
Spend and sensitive actions pause for a named person before anything leaves the building. The agent acts the moment it has the go-ahead, and not before.
We hold as little of your data as the work allows
Operator logs are written to be safe to read. Untrusted inbound content is treated as hostile by default.
Redacted logs
Agent memory content, queries and personal data are not written to operator logs. Diagnostics are designed to be safe to read without exposing what an agent saw or stored.
We never train on your data
Your operational data is used to do your work — nothing else. We do not train models on your data, and we do not pool it across tenants.
Prompt-injection sandboxing
Untrusted inbound content — emails, documents, web pages — is sandboxed so instructions hidden inside it cannot escalate an agent's permissions or trigger actions on their own.
Every action is recorded and every change is checked
What an agent did is attributable and durable. What we ship is scanned for secrets, vulnerabilities and broken guardrails before it reaches you.
Tamper-evident audit ledger
Every action is attributed and written to an append-only, tamper-evident security-event ledger with 90-day retention. The record cannot be quietly rewritten.
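An added example of what "append-only and tamper-evident" means in practice; this is illustrative code, not Usermode's ledger, and the page does not say how its ledger is built. The assumption here is a hash chain: each entry carries the SHA-256 of the previous entry, so editing, deleting or reordering any past entry breaks every hash after it. The `AuditLedger` and `verify_chain` names, the entry fields and the sample events are constructed for the example.

```python
import hashlib
import json
from typing import List, Optional

# Assumed implementation: a SHA-256 hash chain. Field names are illustrative.


def _digest(entry: dict) -> str:
    """Hash every field except the entry's own hash, in canonical form."""
    material = {k: v for k, v in entry.items() if k != "hash"}
    return hashlib.sha256(
        json.dumps(material, sort_keys=True, separators=(",", ":")).encode()
    ).hexdigest()


class AuditLedger:
    GENESIS = "0" * 64  # prev-hash of the very first entry

    def __init__(self) -> None:
        self._entries: List[dict] = []

    def append(self, actor: str, action: str, target: str, ts: int) -> dict:
        """Append-only: the new entry commits to the hash of the one before it."""
        prev = self._entries[-1]["hash"] if self._entries else self.GENESIS
        entry = {
            "seq": len(self._entries),
            "ts": ts,
            "actor": actor,
            "action": action,
            "target": target,
            "prev": prev,
        }
        entry["hash"] = _digest(entry)
        self._entries.append(entry)
        return entry

    def head(self) -> str:
        """Latest hash; publish or sign this externally to detect wholesale rewrites."""
        return self._entries[-1]["hash"] if self._entries else self.GENESIS

    def entries(self) -> List[dict]:
        return [dict(e) for e in self._entries]


def verify_chain(entries: List[dict], head: Optional[str] = None) -> Optional[int]:
    """Return the index of the first bad entry, or None if the chain is intact.

    If an externally anchored head hash is supplied, a chain that verifies
    internally but ends on a different head is reported at its last index.
    """
    prev = AuditLedger.GENESIS
    for i, e in enumerate(entries):
        if e.get("seq") != i or e.get("prev") != prev or _digest(e) != e.get("hash"):
            return i
        prev = e["hash"]
    if head is not None and prev != head:
        return max(len(entries) - 1, 0)
    return None


if __name__ == "__main__":
    # Constructed sample events.
    ledger = AuditLedger()
    ledger.append("agent-7", "email.send", "billing@example.com", 1_700_000_000)
    ledger.append("agent-7", "crm.update", "account/42", 1_700_000_005)
    ledger.append("ops@example.com", "approval.grant", "spend/118", 1_700_000_009)
    print("intact:", verify_chain(ledger.entries()))           # None
    edited = ledger.entries()
    edited[1]["actor"] = "someone-else"                         # quiet rewrite attempt
    print("after edit, first bad index:", verify_chain(edited))  # 1
```

The chain makes rewriting detectable, not impossible: someone with write access to the store could regenerate every hash from the edited entry onward. That is why `head()` exists; anchoring the current head hash somewhere the writer cannot reach (a signed checkpoint, a separate account, a customer-held copy) turns "tamper-evident" into something an auditor can actually check.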
Secrets and code scanning in CI
Gitleaks and CodeQL run in our continuous-integration pipeline, blocking leaked credentials and known vulnerability classes before a change is merged.
Automated guardrail tests
End-to-end contract tests exercise the safety guardrails on every change, so a regression that would weaken a control fails the build rather than reaching production.
Honest about what we hold today
We will not claim a certification we have not earned. Here is exactly where we stand: the certified infrastructure we build on, and the assurances we are working towards.
Inherited from Microsoft Azure
Usermode runs entirely on Microsoft Azure, whose data-centre infrastructure is independently certified. These are the platform's certifications, which our hosting inherits; they are not certifications of Usermode itself.
- ISO/IEC 27001
- ISO/IEC 27017
- ISO/IEC 27018
- SOC 1, 2 & 3
Microsoft publishes the current scope of these certifications in the Azure compliance documentation.
On our roadmap
We are building towards our own formal attestation. A SOC 2 examination is on our roadmap. Until we hold it, we will not imply that we do.
If you are evaluating Usermode against a specific control framework, we are happy to walk your security team through our architecture, data flows and the controls described above.
Talk to our team about security
Bring your security questionnaire, your control framework, or your hardest 'what if'. We'll walk your team through the architecture, the data flows and the controls — in detail.