Security
Effective: 2026-07-04
The Operator works inside your business, so its security posture has to survive your scrutiny, not just ours. This page describes the controls as they are actually built. Where we hold no certification, we say so. Where a specific commitment belongs in your agreement rather than on a marketing site, we tell you which document carries it.
The control that matters most
Your systems remain the system of record. The Operator reads and writes through the same authorized channels a staff member would use, holds data transiently to do the task in front of it, and returns the output to you or to your system. We do not warehouse copies of your business data. What we do store, on infrastructure dedicated to your account alone, is limited to your encrypted connection credentials, your authored configuration, and the audit record of everything your Operator did.
One client, one machine
Every client runs on a dedicated, isolated compute instance with its own private volume. There is no shared application tier and no shared data store between clients. A different client's data lives on a different machine entirely, so cross-client exposure is prevented by architecture, not by an access check that could fail. Our own console cannot query across client machines; that prohibition is enforced in code and checked in our build pipeline.
Credential custody
Connection credentials for your systems are stored only on your machine's encrypted volume, with file permissions restricted to the single process that needs them. They are never written to logs, never placed in a shared store, and never visible to other clients. The most sensitive credentials are held by a separate broker process the agent itself cannot read, so even a compromised agent cannot extract them. You choose per connection whether we hold credentials on your behalf or you hold them yourself.
Fail-closed authority
The Operator's permission model defaults to refusal. Consequential action classes, including sending externally, making commitments, and deleting anything, are refused unless you have explicitly authorized them for your account. An unconfigured Operator can read and draft but cannot act on the world. Untrusted inbound content, such as an email from outside your firm, is structurally fenced so instructions hidden inside it cannot drive privileged actions. A content gate blocks fabricated or unsupported output before any send. A spend circuit breaker halts a runaway agent and stays halted until a human clears it.
The audit record
Every action your Operator takes is written to an append-only audit log owned by a privileged process the agent cannot modify. Your Operator cannot rewrite or delete its own history. You can read this record in your client portal at any time, and you can request an evidence packet for compliance or dispute purposes. Access granted to your staff through outside tools is authorized per request against a live grant table, so revoking a person's access takes effect on their next call, not at some future expiry.
What we store, what we return, what we destroy
Stored on your dedicated infrastructure: encrypted connection credentials, your authored configuration, the operational memory your Operator builds doing your work, and the audit record. Stored on our control plane: your account records, billing records, and governance summaries of Operator activity. Not stored anywhere: copies of your practice or business data, which stays in your systems.
When an engagement ends, you receive your audit record and operational memory in exportable form, credentials are revoked, and your dedicated infrastructure is destroyed. The mechanics and windows for return and destruction are specified in your agreement and data processing addendum.
Sub-processors
We keep the set of vendors that can touch your data deliberately small, and each is independently audited even though we are not yet.
- Fly.io hosts your dedicated machine and its encrypted volume. SOC 2 Type II.
- Anthropic provides the language model. Task content passes through its API transiently when your Operator works, and under its commercial terms is not used to train models. SOC 2 Type II.
- Cloudflare runs our control plane, the client portal, and the governance record store. SOC 2 and ISO 27001 attested.
- AgentMail provides your Operator's own mailbox when the engagement includes one, so its email never mixes with your staff's accounts.
- Stripe (billing), Clerk (portal sign-in), SignWell (document signing), and Resend (transactional email) handle account, identity, and commerce data, not your operational business data.
A current list with each vendor's role and attestations ships with your data processing addendum, and we notify you before adding a sub-processor that would touch your data.
What we do not claim
SMD Services does not currently hold ISO 27001 or SOC 2 certification of its own. We are a small firm whose controls derive their strength from architecture rather than from process volume, and we would rather show you the actual controls than imply a certificate we do not have. Our material sub-processors are independently SOC 2 audited, and we will walk your reviewer through any control on this page with supporting evidence.
Development and review
Every change to the platform goes through pull-request review with automated security gates: dependency vulnerability scanning, secret detection across full history, and static analysis. Security reviews run on a recurring cadence against a maintained threat model, and we conduct periodic in-depth adversarial audits with live exploit verification and tracked remediation.
Incidents and questions
Security incidents affecting your data or access are reported to you within the notification windows defined in your agreement, investigated by us within the platform, and tracked to resolution with regular updates. For security questions, reviewer walkthroughs, or evidence requests, write to team@smd.services.