Product
Pricing
Blog
About

Security

Last updated: April 1, 2026

This page describes how SPAWN, operated by Bixblues Technologies, protects your data, credentials, and agent infrastructure. We aim to be transparent about what we do and honest about what is still in progress.

1. Infrastructure

SPAWN runs on Amazon Web Services (AWS). Our infrastructure includes:

  • Compute and container orchestration for agent workloads, deployed within AWS Virtual Private Clouds (VPCs) with network-level isolation.
  • PostgreSQL databases for persistent storage of user accounts, agent configurations, chat history, agent memories, and audit logs.
  • Redis for ephemeral caching and real-time communication between services.
  • AWS Bedrock for LLM inference, providing access to Anthropic Claude, Amazon Nova, Google Gemini, Meta Llama, and Mistral models.

All inter-service communication within our infrastructure uses private networking. Public-facing endpoints are served over HTTPS.

2. Encryption

  • In transit: All data transmitted between clients and our servers is encrypted with TLS 1.3.
  • At rest (credentials): OAuth tokens, BYOK API keys, and other sensitive credentials are encrypted using AES-256-GCM before being written to the database. Encryption keys are managed separately from the encrypted data.
  • At rest (database): PostgreSQL databases use AWS-managed encryption at rest.
  • Password hashing: User passwords (where applicable) are hashed using PBKDF2 via Keycloak.

3. Authentication

User authentication is handled by Keycloak, an open-source identity and access management system. Keycloak provides:

  • OAuth 2.0 and OpenID Connect-based login flows.
  • Session management with configurable timeouts.
  • Support for social login providers.
  • Password policies including minimum complexity requirements.

4. Agent Isolation

Each agent runs in its own isolated Docker container. This means:

  • Agents cannot access other users' containers, data, or credentials.
  • Agent processes are sandboxed with limited filesystem and network access.
  • Containers are ephemeral and destroyed after use. No persistent state leaks between agent sessions.
  • Agent containers have resource limits (CPU, memory) to prevent runaway processes.

5. Credential Management

5.1 OAuth Tokens

When users connect third-party services (Gmail, Slack, Notion, HubSpot, GitHub, etc.), the OAuth flow is managed by a self-hosted Nango instance running within our own infrastructure. OAuth tokens never leave our infrastructure for storage. Tokens are encrypted with AES-256-GCM before being persisted. Token refresh is handled automatically by Nango.

5.2 BYOK API Keys

Users who bring their own LLM API keys have those keys encrypted with AES-256-GCM and stored in our database. Keys are decrypted only at runtime within isolated agent containers, used for the API call, and not retained in memory beyond the request lifecycle. Keys are never logged or included in error reports.

6. Access Controls

  • Multi-tenancy: SPAWN uses organization-based multi-tenancy. All data (agents, chat history, credentials, memories) is scoped to the user's organization. There is no cross-organization data access.
  • Role-based access control (RBAC): Within an organization, access is controlled by user roles.
  • Internal access: Access to production databases and infrastructure is restricted to authorized personnel and requires authentication. All access is logged.

7. Audit Logging

We maintain audit logs for security-relevant events, including:

  • User login and logout events.
  • Agent creation, modification, and deletion.
  • OAuth connections added or revoked.
  • Agent task executions and their outcomes.
  • Administrative actions on the platform.

Audit logs are retained for up to 24 months and are accessible to organization administrators.

8. Spending Controls

SPAWN provides per-agent spending limits to help users control costs and prevent runaway usage:

  • Each agent can have a configurable message limit.
  • Organization-level quotas enforce plan-based message allocations.
  • When limits are reached, agents are paused rather than allowed to continue incurring costs.
  • Usage dashboards provide visibility into consumption across agents.

9. Vulnerability Disclosure

If you discover a security vulnerability in SPAWN, please report it to us responsibly. Do not publicly disclose the vulnerability before we have had a chance to address it.

Report security issues to:

support@spawnagents.io

We aim to acknowledge reports within 24 hours and provide a resolution timeline within 72 hours.

10. Compliance Status

We are transparent about where we stand on compliance:

  • SOC 2 Type II: In progress. We are working toward SOC 2 Type II certification but have not yet completed the audit. We will update this page when certification is achieved.
  • GDPR: We implement data protection practices consistent with GDPR principles, including data minimization, user rights (access, deletion, portability), and data processing agreements with sub-processors.
  • Data residency: Our infrastructure runs on AWS. Users should be aware that data may be stored and processed in AWS regions outside their country of residence.

We do not currently hold ISO 27001, HIPAA, or PCI DSS certifications. If your organization requires specific compliance certifications, please contact us at support@spawnagents.io to discuss your requirements.

11. Contact

For security-related questions or concerns, contact us at:

Bixblues Technologies

Email: support@spawnagents.io

Website: https://spawnagents.io