Trust

Security

AgentDraft is built around least-privilege agent keys, deterministic conflict resolution, and append-only audit evidence.

AgentDraft secures AI scheduling agents with least-privilege API keys scoped to availability and booking actions, TLS in transit, and encryption at rest — with an extra application-layer pass over Google OAuth tokens and argon2id-hashed agent keys. Every booking decision writes an immutable audit event, and an external status feed reports live uptime. Vulnerability reports can be sent to security@agentdraft.io.

Updated

Data boundaries

Agent API keys are scoped to availability and booking actions. Dashboard actions require a human session.

Encryption

All traffic is encrypted in transit with TLS. Stored data is encrypted at rest, Google OAuth tokens are additionally encrypted at the application layer before they reach the database, and agent API keys are stored only as argon2id hashes.

Google user data

AgentDraft's use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements. Google user data is used only to provide and improve user-facing scheduling functionality, security, and support — never for advertising, model training, or unrelated product analytics.

Auditability

Every booking decision writes an immutable audit event so teams can explain what happened after a collision.

Vulnerability reports

Send security reports to security@agentdraft.io. Include the affected endpoint, SDK, or page, the steps to reproduce, and the likely impact. Do not send secrets or customer data.

Incident notification

If AgentDraft determines that a security incident affects a customer's account, calendar data, mailbox data, or credentials, we will notify affected customers using account or workspace contact information and provide the information reasonably available at the time.

Security review

Teams evaluating AgentDraft can request current subprocessor, architecture, and control details at hello@agentdraft.io.

Compliance posture

SOC 2 controls are being documented; a formal Type II audit is planned. Enterprise controls such as SSO, SCIM, and custom retention are planned for the enterprise tier.

Frequently asked

How does AgentDraft secure agent API keys?

Each agent key is scoped to availability and booking actions only — never dashboard or billing access — and is stored solely as an argon2id hash, so a database leak never exposes a usable key. Dashboard actions require a separate human session, and every key's actions are recorded in the audit log.

Is my calendar and OAuth token data encrypted?

Yes. All traffic is encrypted in transit with TLS and all stored data is encrypted at rest. Google OAuth tokens get an additional application-layer encryption pass before they reach the database, and production secrets live in a managed secrets store under least-privilege access.

How can I verify what an agent did after a scheduling conflict?

Every booking decision writes an immutable, append-only audit event, so you can reconstruct exactly which agent won a slot and why after any collision. AgentDraft also publishes a live status feed, probed from outside our network, at status.agentdraft.io.

How do I report a vulnerability?

Email security@agentdraft.io with the affected surface, reproduction steps, impact, and any safe proof of concept. Please do not include secrets, customer data, or destructive exploit output.