Agnost is a production telemetry and analytics system for AI agents. That means it can receive prompts, completions, tool calls, metadata, user identifiers, and errors from your application. Treat the integration as a third-party data processor and decide what data should leave your system before enabling production traffic.

Current security posture

This public page is intentionally conservative. It documents what customers can rely on from these docs without assuming controls that are not stated here.
| Area | Public guidance |
| --- | --- |
| Transport | Use the HTTPS endpoints shown in these docs: https://api.agnost.ai and https://otel.agnost.ai/v1/traces. |
| Ingestion scope | SDK ingestion uses your organization ID as a routing identifier. It does not grant dashboard read access by itself. |
| Dashboard/API access | Dashboard APIs require a JWT or API key. See Authentication. |
| Sensitive data | Agnost does not currently provide automatic PII redaction/DLP before ingestion. Redact or pseudonymize before sending. |
| Regulated data | Do not send HIPAA, PCI, government ID, full job application, resume, children’s data, or other regulated data unless your team has an explicit agreement and data-processing plan. |
| Security review | For current security questionnaires, subprocessors, DPA requests, or compliance status, contact [email protected]. |

Customer-side controls

Use these controls before production rollout:
  • Use stable pseudonymous user IDs instead of raw names, emails, or phone numbers when possible.
  • Allowlist metadata keys.
  • Redact secrets, API keys, access tokens, passwords, private keys, and auth headers.
  • For MCP integrations, set disable_input / disable_output or disableInput / disableOutput if tool args or results may contain sensitive data.
  • For OpenTelemetry integrations, review which message, prompt, completion, tool parameter, and tool result attributes your framework exports.
  • Run one staging trace and inspect the raw event before enabling broad production traffic.
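
The first three controls above can be applied in one pre-ingestion step. The sketch below is an added example, not Agnost SDK code: the event shape, `sanitize_event`, the key, the allowlist, and the patterns are all assumptions to adapt to your own application.

```python
import hashlib
import hmac
import re

# Assumption: a per-environment secret kept outside the telemetry pipeline.
PSEUDONYM_KEY = b"constructed-demo-key-rotate-me"
# Assumption: the only metadata keys this application agrees to export.
ALLOWED_METADATA = {"plan", "region", "app_version"}

# Constructed patterns (not exhaustive) for values that must not leave the system.
SECRET_PATTERNS = [
    re.compile(r"(?i)\bbearer\s+[a-z0-9._~+/=-]{8,}"),
    re.compile(r"(?i)\b(api[_-]?key|token|password|secret)\b\s*[:=]\s*\S+"),
    re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----.*?-----END [A-Z ]*PRIVATE KEY-----", re.S),
    re.compile(r"[\w.+-]+@[\w-]+(\.[\w-]+)+"),  # email addresses
]

def pseudonymize(user_id: str) -> str:
    """Keyed hash: the same user always maps to the same ID; not reversible without the key."""
    digest = hmac.new(PSEUDONYM_KEY, user_id.encode(), hashlib.sha256).hexdigest()
    return "u_" + digest[:24]

def redact(text: str) -> str:
    """Replace every match of every pattern with a fixed marker."""
    for pattern in SECRET_PATTERNS:
        text = pattern.sub("[REDACTED]", text)
    return text

def sanitize_event(event: dict) -> dict:
    """Return a copy of the event that is safe to hand to the telemetry client."""
    metadata = event.get("metadata", {})
    return {
        "user_id": pseudonymize(event["user_id"]),
        "input": redact(event.get("input", "")),
        "output": redact(event.get("output", "")),
        # Drop every key not on the allowlist; redact the values that remain.
        "metadata": {k: redact(str(v)) for k, v in metadata.items() if k in ALLOWED_METADATA},
    }

# Constructed sample event for a staging check.
SAMPLE = {
    "user_id": "jane.doe@example.com",
    "input": "My password: hunter2 and call with Authorization: Bearer abcdef1234567890",
    "output": "Sure, I emailed jane.doe@example.com",
    "metadata": {"plan": "pro", "session_cookie": "sid=abc", "region": "eu"},
}

if __name__ == "__main__":
    print(sanitize_event(SAMPLE))
```

Pattern-based redaction misses anything the patterns do not describe, so the staging-trace inspection in the last bullet still applies.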

Procurement notes

If your buyer asks about data governance, the honest answer is:
Agnost can process production conversation data, so customers control what they send. The docs recommend pseudonymization, metadata allowlisting, and redaction before ingestion. Automatic PII redaction before ingestion is not currently documented as a built-in feature.
For formal procurement, request the current security packet from [email protected].