TRUST CENTER
Posture, certifications, and the paper trail.
The Trust Center documents AgentAnywhere's security and compliance posture for the people who have to underwrite it. Certifications. Sub-processors. Data residency. Encryption. Incident response. The mappings, frameworks, and reports your team needs to clear the platform for production.
Certifications and frameworks.
The four named certifications below describe the AgentAnywhere platform itself. Sovereign deployment ensures your specific deployment inherits these properties under your governance. Reports are available under NDA.
SOC 2 Type II
Annual audit covering security, availability, processing integrity, confidentiality, and privacy. Report available under NDA on request through this page's CTA.
ISO 27001
Information security management system certified against ISO/IEC 27001. Statement of applicability and audit summary available under NDA.
HIPAA
Administrative, physical, and technical safeguards documented for healthcare deployments. Business Associate Agreement available; covered-entity attestation on request.
GDPR
Data-subject mechanisms (access, rectification, erasure, portability) implemented across EU deployments. Data Processing Addendum available; sub-processor list maintained on this page.
RBI FREE-AI alignment.
AgentAnywhere maps to all twenty-six recommendations of the Reserve Bank of India's Framework for Responsible and Ethical Enablement of AI (FREE-AI). The mapping is maintained as a living document — every recommendation is paired with the platform mechanism that implements it, the artifact in your deployment that evidences it, and the audit query a regulator can run to verify it.
The full mapping is available under NDA, refreshed as RBI updates the framework. For the public framework overview, see the Governance page. For a working session with your compliance team and ours, use the CTA at the foot of this page.
Data residency and encryption.
Sovereign deployment is the architectural foundation that makes the rest of this page meaningful. The platform deploys inside your perimeter; data residency and encryption posture are configurations of your deployment, not policies we manage on your behalf.
Data residency
AgentAnywhere runs where you run it. Indian financial deployments target `ap-south-1` or `centralindia`. EU healthcare deployments target `eu-central-1` or `westeurope`. Public-sector deployments run on your tenant or your hardware, in your facility.
The platform has no implicit cross-region traffic. Multi-region replication is opt-in, configured per deployment, and visible in the deployment topology document.
Encryption
Data at rest is encrypted using your KMS — AWS KMS, Azure Key Vault, GCP Cloud KMS, HashiCorp Vault, or your hardware HSM. We do not manage your keys.
Data in transit between platform components is encrypted using TLS 1.3 with mutual authentication. External traffic terminates at the ingress controller of your choice.
Customer data never transits ShepHertz infrastructure under any circumstance, including during support sessions.
Sub-processors.
The platform runtime has no third-party sub-processors that touch customer data. Operational sub-processors below are scoped to corporate functions of ShepHertz Technologies — not to the runtime environment of any customer deployment. You are notified of updates per your DPA.
Corporate productivity
Email, calendar, and document collaboration for ShepHertz employees only. No customer data is processed in these systems.
CRM and pipeline
Sales pipeline, contact management, and lead routing for ShepHertz only. Customer prospect data is processed under our published privacy policy.
Support ticketing
Internal ticket system for ShepHertz support engineers. Customer data is referenced only by case identifier and never copied into ticket bodies.
Telemetry analytics
Anonymized, opt-in platform telemetry processed by Plausible Analytics on EU infrastructure. Disabled in customer deployments by default.
Incident response and reporting.
Disclosure posture
Security incidents that affect a customer's deployment are disclosed to that customer first, in writing, within the timelines required by their DPA.
When a vulnerability affects a class of customers, all affected customers are notified before any public disclosure. We do not publish a vulnerability before customers have remediation guidance.
Coordinated disclosure with security researchers is welcomed. Contact path on the CTA below.
Operational reporting
Status page with component-level health and historical incident records, scoped per customer deployment, refreshed continuously.
Quarterly trust reports summarizing certification status, sub-processor changes, and material policy updates. Available to customers under their DPA.
Annual penetration test summary, available under NDA.
Contact the security and compliance team.
Use this path for security questionnaires, DPA execution, sub-processor change reviews, certification report requests, RBI FREE-AI mapping access under NDA, or to coordinate a vulnerability disclosure. Routed to ShepHertz Security and Compliance with copy to Solutions Architecture.
