This FAQ addresses the most common security questions we receive from CISOs, security architects, and enterprise procurement teams evaluating AgentVault for their organizations.Documentation Index
Fetch the complete documentation index at: https://docs.agentvault.chat/llms.txt
Use this file to discover all available pages before exploring further.
For detailed technical documentation, see the
Security Claims & Assurance,
Compliance Mapping, and
System Security Plan pages.
Encryption & Data Protection
Can AgentVault decrypt customer messages?
Can AgentVault decrypt customer messages?
No. AgentVault is a zero-knowledge platform. All messages are encrypted client-side
using the Double Ratchet protocol with XChaCha20-Poly1305 before they reach the server.
The backend stores and relays ciphertext only. Decryption keys are generated and stored
exclusively on client devices — they never leave the device and are never transmitted
to the server.This is an architectural guarantee, not a policy decision. The server literally does not
possess the keys needed to decrypt any message.
What happens if your database is breached?
What happens if your database is breached?
An attacker who gains full access to the database would obtain:
- Encrypted message blobs (
BYTEAciphertext) that cannot be decrypted without client-side keys - BLAKE2b hashes of invite tokens (not the raw tokens)
- Public keys of enrolled devices (which are, by definition, public)
- Metadata such as tenant names, device fingerprints, and timestamps
- Any plaintext message content
- Any private keys or decryption keys
- Any raw invite tokens
What encryption algorithms does AgentVault use?
What encryption algorithms does AgentVault use?
AgentVault uses modern, well-audited cryptographic primitives provided by libsodium:
We use XChaCha20-Poly1305 rather than AES-GCM because the 192-bit nonce eliminates
the risk of nonce reuse — a critical consideration for high-volume messaging systems.
| Function | Algorithm | Why |
|---|---|---|
| Key exchange | X25519 (X3DH) | Extended Triple Diffie-Hellman for secure session establishment |
| Signing | Ed25519 | Device identity verification and DID document signatures |
| Symmetric encryption | XChaCha20-Poly1305 | AEAD cipher with 192-bit nonce eliminates nonce reuse risk |
| Key derivation | Double Ratchet | Per-message forward secrecy |
| Hashing | BLAKE2b | Invite token storage, key fingerprints |
Does AgentVault provide forward secrecy?
Does AgentVault provide forward secrecy?
Yes. The Double Ratchet protocol derives new encryption keys for each message.
After a message is decrypted, the old message key is deleted. This means that even if
a current key is compromised, it cannot be used to decrypt previously sent messages.
Are push notifications secure?
Are push notifications secure?
Yes. Push notifications contain only metadata (such as the sender’s name and
conversation identifier). They never contain message content. When a notification is
received, the client application fetches the encrypted message from the server and
decrypts it locally.
Access Control & Authentication
How are users and agents enrolled?
How are users and agents enrolled?
AgentVault uses an invite-only enrollment model. The process works as follows:
- A tenant administrator generates a time-limited invite token.
- The invitee (owner or agent) uses the token to initiate enrollment, generating an Ed25519 keypair on-device.
- The public key is submitted to the server along with the invite token.
- The administrator explicitly approves the enrollment request.
- Only after approval can the device participate in communications.
How are compromised devices handled?
How are compromised devices handled?
Administrators can revoke any device at any time. Revocation triggers:
- Immediate WebSocket disconnection — the revoked device is kicked from all active connections.
- Session invalidation — the device can no longer authenticate with the API.
- Ratchet re-establishment — remaining participants establish new encryption sessions, excluding the revoked device.
What RBAC model does AgentVault use?
What RBAC model does AgentVault use?
AgentVault implements a 4-tier role-based access control model:
Role assignments are enforced at both the API layer and the database layer (via RLS policies).
| Role | Permissions |
|---|---|
| Owner Admin | Full tenant control, device management, enrollment approval, billing |
| Tenant Admin | Device management, enrollment approval, room management |
| Member | Send/receive messages, view rooms |
| Agent | Send/receive messages within assigned conversations |
Tenant Isolation
How is tenant isolation enforced?
How is tenant isolation enforced?
Tenant isolation is enforced at the database layer using PostgreSQL Row-Level Security
(RLS). This is not application-level filtering — it is a database-level guarantee.
- Every table (except the
tenantstable itself) includes atenant_idcolumn. - RLS policies are applied to all tables with the rule:
USING (tenant_id = current_setting('app.current_tenant_id')::uuid). - The backend middleware sets
app.current_tenant_idon every database session before any queries execute. - Even if application code contained a bug that omitted a
WHERE tenant_id = ...clause, the RLS policy would still prevent cross-tenant data access.
Can one tenant access another tenant's data?
Can one tenant access another tenant's data?
No. RLS policies make cross-tenant access impossible at the database level. Even a
SQL injection attack that bypassed the application layer would be constrained by the
RLS policy to the current tenant’s data only.The only exception is the federated directory, which uses a carefully controlled
context-switching mechanism to enable cross-tenant discovery (with bilateral agreements
required between tenants).
Infrastructure & Operations
Where is data stored?
Where is data stored?
| Component | Provider | Location |
|---|---|---|
| Application database | DigitalOcean Managed PostgreSQL 16 | US data center |
| Cache and pub/sub | DigitalOcean Managed Redis 7 | US data center |
| Backend API | DigitalOcean Droplet | US data center |
| Authentication | Clerk | Cloud-hosted |
| DNS and TLS | Cloudflare | Global edge network |
What logging does AgentVault perform?
What logging does AgentVault perform?
AgentVault logs operational events (API requests, errors, WebSocket connections) but
never logs plaintext message content. Audit logs capture administrative actions such
as enrollment approvals, device revocations, and role changes.The OTel-shaped telemetry pipeline provides operational observability (latency, error
rates, connection health) without exposing any message content.
How are secrets managed?
How are secrets managed?
- Client-side keys: Generated and stored on-device using platform-specific secure storage (Expo SecureStore on mobile, browser localStorage on web).
- Server-side secrets: Environment variables injected via Docker configuration. Never committed to source control.
- Invite tokens: Stored as BLAKE2b hashes only. Raw tokens are never persisted.
- API keys: Managed through Clerk. JWTs are short-lived with automatic rotation.
Compliance & Standards
Does AgentVault meet SOC 2 or ISO 27001 requirements?
Does AgentVault meet SOC 2 or ISO 27001 requirements?
AgentVault’s architecture is aligned with SOC 2 Trust Service Criteria and ISO 27001
Annex A controls, but the platform is not yet formally certified. The technical controls
are in place; formal certification requires an audit engagement.See the Compliance Mapping page for a detailed
control-by-control mapping.
Does AgentVault support DID-based identity?
Does AgentVault support DID-based identity?
Yes. AgentVault implements a
did:hub DID method with Ed25519 keypairs and JCS
(JSON Canonicalization Scheme) signatures. DID documents support:- Ownership verification and transfer
- Trust tier classification (Unverified, Verified, Certified, Enterprise)
- Behavioral trust scoring across four dimensions
- On-chain Merkle anchoring (Base L2, activation pending)
What security testing has been performed?
What security testing has been performed?
AgentVault maintains a comprehensive test suite with 1,100+ automated tests covering:
- 750+ backend tests (API endpoints, RLS policies, WebSocket handlers)
- 116 crypto tests (Double Ratchet, X3DH, XChaCha20-Poly1305, key management)
- 35 verification SDK tests
- 21 client library tests
- 145+ plugin tests
How can I perform my own security assessment?
How can I perform my own security assessment?
The AgentVault crypto library (
packages/crypto/) is open source and available for
independent review. We welcome and encourage:- Code review of the cryptographic implementation
- Architecture review using the published threat model and security documentation
- Penetration testing of API endpoints and WebSocket connections (with prior coordination)
- RLS policy audit of the database schema