Security at Gavrun.

Last updated: June 2026

Security is foundational to what Gavrun does. We govern agent actions — which means we hold decision records, policy configurations, and audit trails that must be protected with the same rigour we apply to the data they safeguard.

Data in transit

All communication between Langman, Gavrun, and the console is encrypted with TLS 1.2 or higher. No decision data is transmitted over unencrypted channels.

Data at rest

Decision records, policy configurations, and audit logs are encrypted at rest. Access is scoped by workspace and credential — no cross-tenant data access is possible.

Credentials and API keys

Workspace keys are scoped to a single agent identity. Keys are hashed at storage — we cannot retrieve them after issuance. Rotate any key immediately from the dashboard if it is compromised.

Access control

  • Role-based access — company admins, team admins, and read-only members have distinct permission scopes.
  • All sign-ins are authenticated via email verification or Google federation.
  • Sessions are time-limited and revocable.

Zumie Gateway (self-hosted)

When deployed via Zumie Gateway on AWS, all decision data stays inside your own VPC. No call payload leaves your environment. You retain full control over encryption keys, network boundaries, and data residency.

Vulnerability disclosure

If you discover a security vulnerability in Gavrun, please report it to [email protected]. We aim to acknowledge reports within 48 hours and resolve critical issues within 14 days.

Compliance

Gavrun is working toward SOC 2 Type II certification. GDPR-aligned data handling is in place for all preview customers. Contact us for specific compliance questions.