Agentlens
Security
Effective date: June 12, 2026
The most effective security control in Agentlens is the data model: we don't collect what we'd have to protect. No cookies, no identifiers, no sessions, no raw IP addresses at rest. What follows is how we protect the little we do hold.
Compliance status
SOC 2 Type II: in progress. We are building toward a SOC 2 Type II report and will update this page when the audit completes. We do not currently hold a SOC 2, ISO 27001, or similar certification, and we won't imply otherwise — if a page anywhere on this site suggests we do, that's a bug, and we'd like to hear about it.
No PII by design
- The snippet sets no cookies and does no fingerprinting; visits are counted, not people.
- IP addresses are used once at ingest for agent classification, hashed with SHA-256 and a per-site salt, and the raw value is discarded. Hashes cannot be reversed practically or correlated across sites.
- Referrers are reduced to hostnames; user agents are truncated; human pageviews are stored only as aggregate counts.
- The result: a breach of our event store would expose page paths and bot statistics — not people.
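The minimization steps in the list above, as an added Python example (not Agentlens's own code). The salt-then-IP concatenation, the 32-byte random salts, the 64-character user-agent limit and all function names are assumptions, and the event is constructed sample data.

```python
import hashlib
import ipaddress
import secrets
from urllib.parse import urlsplit

UA_MAX_LEN = 64  # assumption: the page does not state the truncation length


def hash_ip(raw_ip: str, site_salt: bytes) -> str:
    """SHA-256 over per-site salt + canonical IP; the raw value is not kept."""
    # Canonicalise so equivalent spellings of one address hash identically.
    canonical = ipaddress.ip_address(raw_ip.strip()).compressed
    return hashlib.sha256(site_salt + canonical.encode("ascii")).hexdigest()


def referrer_host(referrer: str) -> str:
    """Keep only the hostname; path, query and fragment are dropped."""
    return (urlsplit(referrer).hostname or "") if referrer else ""


def minimize_event(raw: dict, site_salt: bytes) -> dict:
    """Build the stored record; the raw IP and full referrer are not copied into it."""
    return {
        "path": raw["path"],
        "ip_hash": hash_ip(raw["ip"], site_salt),
        "referrer_host": referrer_host(raw.get("referrer", "")),
        "user_agent": raw.get("user_agent", "")[:UA_MAX_LEN],
    }


# Constructed sample data: two sites with independent random salts (assumed format).
SALT_SITE_A = secrets.token_bytes(32)
SALT_SITE_B = secrets.token_bytes(32)
SAMPLE_EVENT = {
    "path": "/pricing",
    "ip": "2001:0db8:0000:0000:0000:0000:0000:0001",
    "referrer": "https://search.example/results?q=private+query#top",
    "user_agent": "ExampleBot/1.0 (+https://bot.example/info) " + "x" * 80,
}

if __name__ == "__main__":
    a = minimize_event(SAMPLE_EVENT, SALT_SITE_A)
    b = minimize_event(SAMPLE_EVENT, SALT_SITE_B)
    print(a)
    print("same visitor correlates across sites:", a["ip_hash"] == b["ip_hash"])
```

In a scheme like this the salt has to stay secret and random, because the IPv4 address space is small enough to enumerate against a known salt.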
Encryption
- In transit: TLS 1.2+ on every connection — browser to ingest, server to database, service to service. Plain HTTP is never accepted.
- At rest: all stored data, including the event store and account database, is encrypted at rest by our infrastructure providers (AES-256).
- Passwords are stored as salted hashes via our auth framework; we never see or store plaintext passwords.
Access control
- Least privilege: production access is limited to the people who operate the service, scoped to what their role requires, and reviewed when roles change.
- Administrative access to infrastructure requires multi-factor authentication.
- Site keys (al_…) authorize ingestion only — a leaked key lets someone send you junk events (rate-limited per key), never read your data. Dashboard access always requires your account session.
- Customer data is accessed for support only with your request, and that access is logged.
Application and infrastructure
- Hosted on managed, SOC 2-audited cloud infrastructure (see the subprocessor list); we inherit their physical and network security controls.
- Ingestion is rate-limited per site key and validated before any write; over-quota traffic is counted and dropped, never silently expanded.
- Dependencies are monitored for known vulnerabilities and patched as part of normal deploys; deploys are atomic and reversible.
- Backups are automated and encrypted; restores are tested.
Incident response
If we become aware of a breach affecting your data, we will notify you without undue delay — no later than 72 hours after we become aware — with what we know, what it affects, and what we're doing about it. The format is an email from a human, not a banner ad for our transparency.
Reporting a vulnerability
Found something? Email security@agentlens.1labs.ai with steps to reproduce. We read every report, respond within 3 business days, and won't take legal action against good-faith research that avoids privacy violations, data destruction, and service disruption. Please give us reasonable time to fix before disclosing publicly.
Questions
Security questionnaires and DPA requests: privacy@agentlens.1labs.ai · Contact page. Agentlens is a product of One Infinity Labs, Inc.