Security

How we protect your data inside your perimeter.

Our security posture is the foundation of the platform, not a feature we ship alongside it. This page is a plain-language summary of how we build, operate, and respond.

Security principles

Four habits everything flows from.

01

Defence in depth

Multiple, independent layers of control (network, identity, application, and data), each with its own monitoring and fail-safe defaults.

02

Least privilege

Every identity, human or agent, operates under the smallest set of permissions that lets the task succeed. Elevation is explicit, timeboxed, and recorded.

03

Zero-trust execution

No implicit trust between services, regions, or agents. Every call is authenticated, signed, and policy-checked by the platform before it leaves.

04

Evidence by default

Every sensitive decision creates evidence automatically, not as an afterthought, not as a separate pipeline.

How we practice it

From the editor to the ops channel.

Engineering practices

  • Secure-by-default libraries and templates.
  • Signed artifacts and provenance across the build pipeline.
  • Independent security review on every material change.
  • Formal threat modelling at feature inception.

Operations

  • 24/7 security operations coverage.
  • SLA-tracked patching and dependency management.
  • Tested incident-response playbooks and quarterly drills.
  • Regional pen-testing by independent third parties.

Data handling

  • Encryption in transit and at rest as a platform default.
  • Data-residency controls honoured at ingestion.
  • Customer-managed keys where contracts require.
  • Data-retention policies enforced in code, not by convention.

Agentic AI safety

Autonomy with explicit guardrails.

Agents get the least authority needed to finish the task. Every action routes through the policy engine; every output is recorded with its inputs, intent, and decision rationale. Model choice is orthogonal: we isolate the model from the workflow so you can substitute, upgrade, or retire it without rewriting the control plane.

Human-in-the-loop checkpoints are first-class citizens of the workflow DSL, not bolted-on approval emails. When a regulator or an internal oversight team needs to reconstruct what happened, the evidence is already there, signed, and exportable.

Responsible disclosure

Found a vulnerability? Tell us securely.

Report security issues to security@global.ai. PGP key on request. We acknowledge reports within 24 hours and work in good faith under a coordinated disclosure process.