Trust Center

Security, AI governance, and operational trust for AgentFlow Enterprise.

AgentFlow Enterprise is built as a secure AI RevOps infrastructure platform with documented payment lifecycle controls, Supabase-backed access boundaries, audit-aware operations, and a roadmap toward enterprise-grade governance.

AI RevOps security | Supabase RLS | PayPal lifecycle | Audit readiness | Data protection

Trust overview

A public map of the platform's trust posture.

The AgentFlow Enterprise Trust Center centralizes evidence-based information for B2B buyers, auditors, technical evaluators, and future customers assessing enterprise SaaS readiness.

Security posture

Server-side secret boundaries, protected access patterns, webhook verification, and documented production-hardening practices.

AI governance

Bounded qualification workflows, human review expectations, data minimization, and an evolving control roadmap.

Payment lifecycle

PayPal subscriptions, server-side plan configuration, lifecycle webhooks, and reviewed invoice fallback paths.

Data protection

Supabase-backed application data, provider-aware processing, privacy processes, and server-only privileged credentials.

Audit readiness

Evidence-oriented documentation, lifecycle records where implemented, and a roadmap for exportable audit history.

Operational support

Documented support channels, release validation, incident-response principles, and agreement-based enterprise review.

Security controls matrix

Current controls, operating conditions, and roadmap boundaries.

Status labels distinguish implemented capabilities from controls that require continuing verification, customer-specific configuration, or future delivery.

Control Area | Current Status | Notes
Authentication | Implemented | Supabase Auth powers user identity and protected access where configured.
Tenant isolation / RLS | Implemented / continuously verified | Supabase Row Level Security principles are documented and should continue to be tested for tenant isolation.
Payment lifecycle | Implemented | PayPal subscriptions, webhook handling, confirmation routes, and manual invoice fallback are documented.
Webhook verification | Implemented where configured | The PayPal webhook ID and server-side verification must be configured and verified in Vercel.
Secret hygiene | Implemented | Secrets remain in Vercel, Supabase, PayPal, or provider dashboards and must never enter public source.
AI governance | Documented / evolving | AI qualification boundaries, human review, and data handling are documented as operational controls.
Audit trails | Partial / evolving | Billing and lifecycle events are recorded where implemented; exportable audit logs are a recommended next step.
Data retention | Documented | Retention, deletion, and export principles are documented and should be reviewed against each customer agreement.
Enterprise SSO | Planned | Okta, Microsoft Entra ID, and Google Workspace SSO are future enterprise controls, not active claims.
SOC 2 / ISO 27001 | Not certified / readiness roadmap | Formal assurance programs remain a future readiness path and are not represented as completed certifications.

AI governance

Bounded AI assistance with reviewable operating principles.

AI lead qualification security depends on minimizing inputs, constraining outputs, preserving human review, and documenting which provider controls are active versus planned.

Documented principles

  • Customer data should not be used to train public models by design and policy; provider terms and production configuration must be reviewed before enabling a workflow.
  • AI lead qualification should remain bounded, auditable, and reviewable by an accountable human operator.
  • Sensitive and unnecessary personal data should be excluded from prompts and operational records.
  • Outputs are decision support, not autonomous legal, financial, employment, or similarly consequential judgment.
  • Prompt scope, result fields, failures, and overrides should be testable through documented evaluations and operating procedures.

Planned enterprise controls

Provider choice without overstating current capability.

  • Customer-selected AI provider and deployment policy.
  • Azure OpenAI support where commercial and technical requirements justify it.
  • Bring your own key with secure, server-side secret storage and rotation procedures.
  • Approval workflows for sensitive or high-impact actions.
  • Repeatable AI evaluations for quality, safety, drift, and regression review.

Provider selection, Azure OpenAI, and bring-your-own-key are roadmap items and are not presented as active controls.

Data protection and processing

Provider-aware processing with minimized operational data.

The platform documents where application, subscription, and AI workflow data may be processed while keeping privileged credentials outside public and browser-accessible code.

  • Supabase stores application data and provides authentication; Supabase RLS is the documented tenant-isolation principle.
  • PayPal processes subscription and payment events for the active subscription lifecycle.
  • AI providers may process prompt inputs for qualification workflows where those workflows are enabled.
  • Operational data should be minimized, and customers should avoid submitting unnecessary sensitive data.
  • Supabase service-role keys are server-only; provider secrets are handled through environment variables.
  • Billing and subscription lifecycle state is stored and evaluated server-side.
  • Database migrations should be reviewed before production deployment, and audit or event tables should support traceability where available.
  • Deletion and export requests follow the privacy process and applicable customer agreement.

Payment lifecycle trust

Documented PayPal subscriptions with reviewed fallback paths.

Commercial access depends on confirmed payment state or a reviewed manual onboarding process; payment logic remains server-side and provider-aware.

  • PayPal is the active subscription provider.
  • PayPal plan IDs are configured server-side through Vercel environment variables.
  • The webhook route verifies and records relevant subscription lifecycle events where configured.
  • Manual invoice and bank transfer remain fallback paths for reviewed onboarding.
  • Service activation begins after payment confirmation or commercial review.
  • Refunds and cancellations are governed by the published refund policy and any signed agreement.

Operational readiness

Release, monitoring, and support practices without a false SLA.

AgentFlow Enterprise is deployed through Vercel and includes monitoring integration points, incident-response documentation, and release validation practices that must be configured and verified for each production environment.

Deployment

Vercel deployment with environment-scoped configuration and server-side secrets.

Observability

Sentry and analytics integration points exist; production alerts and evidence require verification.

Incident response

Documented triage, containment, communication, recovery, and review principles.

Release assurance

Lint, build, relevant tests, rollback, and redeploy procedures support release review.

Plan | Channel | Response Target | Notes
Solo | Standard support | Best effort | Suitable for independent founders
Growth | Priority review | Faster operational review | Suitable for growing teams
Enterprise | Dedicated commercial review | Agreement-based | Requires audit and invoice process

Target response windows are operational guidelines and may vary until a formal enterprise agreement is signed. No contractual uptime commitment is represented on this page.

Due diligence readiness

A practical checklist for technical and procurement review.

The following evidence areas support structured review and should be validated against the deployed environment, current provider dashboards, and signed commercial terms.

Review items

  • Repository hygiene
  • Environment variable hygiene
  • Payment lifecycle verification
  • Supabase migration review
  • RLS and tenant isolation testing
  • Webhook verification
  • Audit log roadmap
  • Security policy review
  • DPA and subprocessor review
  • Technical book review

Roadmap transparency

Current capability, next priorities, and future controls.

Roadmap items communicate direction, not delivery guarantees. Scope and timing may change after security, technical, and commercial review.

Current

  • PayPal subscriptions
  • Manual invoice and bank transfer
  • Technical book
  • Public trust documentation
  • Support and payment pages

Next

  • Exportable audit logs
  • ROI dashboard
  • AI evals
  • Real workflow notifications
  • RBAC read-only auditor role

Future

  • Enterprise SSO
  • Customer-selected AI provider
  • Advanced admin controls
  • External SIEM export
  • Formal SOC 2 / ISO readiness program

Trust disclaimer

Documentation supports review; formal commitments require agreement.

This Trust Center documents current controls, architecture decisions, and roadmap direction. It does not represent a completed certification, legal guarantee, investment instrument, or enterprise procurement approval. Formal enterprise commitments require a signed agreement, security review, and commercial onboarding process.