> ## Documentation Index
> Fetch the complete documentation index at: https://docs.agnost.ai/llms.txt
> Use this file to discover all available pages before exploring further.

# Security & Trust

> Security, privacy, and procurement guidance for Agnost AI

Agnost is a production telemetry and analytics system for AI agents. That means it can receive prompts, completions, tool calls, metadata, user identifiers, and errors from your application. Treat the integration as a third-party data processor and decide what data should leave your system before enabling production traffic.

## Current security posture

This public page is intentionally conservative. It documents what customers can rely on from these docs without assuming controls that are not stated here.

| Area                 | Public guidance                                                                                                                                                                    |
| -------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| Transport            | Use the HTTPS endpoints shown in these docs: `https://api.agnost.ai` and `https://otel.agnost.ai/v1/traces`.                                                                       |
| Ingestion scope      | SDK ingestion uses your organization ID as a routing identifier. It does not grant dashboard read access by itself.                                                                |
| Dashboard/API access | Dashboard APIs require a JWT or API key. See [Authentication](/authentication).                                                                                                    |
| Sensitive data       | Agnost does not currently provide automatic PII redaction/DLP before ingestion. Redact or pseudonymize before sending.                                                             |
| Regulated data       | Do not send HIPAA, PCI, government ID, full job application, resume, children's data, or other regulated data unless your team has an explicit agreement and data-processing plan. |
| Security review      | For current security questionnaires, subprocessors, DPA requests, or compliance status, contact [founders@agnost.ai](mailto:founders@agnost.ai).                                   |

## Customer-side controls

Use these controls before production rollout:

* Use stable pseudonymous user IDs instead of raw names, emails, or phone numbers when possible.
* Allowlist metadata keys.
* Redact secrets, API keys, access tokens, passwords, private keys, and auth headers.
* For MCP integrations, set `disable_input` / `disable_output` or `disableInput` / `disableOutput` if tool args or results may contain sensitive data.
* For OpenTelemetry integrations, review which message, prompt, completion, tool parameter, and tool result attributes your framework exports.
* Run one staging trace and inspect the raw event before enabling broad production traffic.

## Procurement notes

If your buyer asks about data governance, the honest answer is:

> Agnost can process production conversation data, so customers control what they send. The docs recommend pseudonymization, metadata allowlisting, and redaction before ingestion. Automatic PII redaction before ingestion is not currently documented as a built-in feature.

For formal procurement, request the current security packet from [founders@agnost.ai](mailto:founders@agnost.ai).

## Related pages

* [Data Governance](/data-governance)
* [Authentication](/authentication)
* [Technical Architecture](/architecture)
