Context

Bedrock

Products

Context WorkspaceAgent execution surfaceContext EngineInstitutional knowledge layerContext EvalsExpert rubrics and learning

Bedrock

Get startedTry the workspace freeDeploy Bedrock todayEnterprise deploymentTalk to our teamBook a demo

Solutions

Technology

SemiconductorsChip design & manufacturingSoftwareDevelopment & productTelecomNetwork ops & infrastructure

Professional Services

ConsultingResearch & deliverablesFinancial ServicesOperations & risk managementLegalContract review & compliance

Operations

IndustrialsManufacturing & qualityBusiness OperationsStreamline workflowsPublic SectorGovernment operations
SecurityCareers
Login

Trust Center

Security architecture

Context deploys autonomous AI agents that execute code, access enterprise data, and interact with live systems. The agent sandbox is treated as a hostile, untrusted environment. Every control on this page is designed with that assumption.

trust@context.aiSecurity overview

Compliance

Frameworks and certifications

SOC 2 Type II

Compliant

Annual audit of security, availability, and confidentiality controls by an independent third-party auditor.

SOC 2 Type I

Compliant

Point-in-time assessment of the design and implementation of security controls.

ISO 27001

Compliant

International standard for information security management systems (ISMS).

GDPR

In Progress

European Union General Data Protection Regulation for personal data protection.

Architecture

How agent isolation works

The security architecture assumes that anything running inside a sandbox will attempt to escalate privileges, exfiltrate data, or reach external systems.

Sandbox Isolation

Hardware-level isolation per agent session

Each agent session gets its own microVM with a dedicated kernel, provisioned through Kata Containers and Firecracker. This is the same isolation primitive that powers AWS Lambda. The hypervisor enforces memory and CPU isolation at the hardware virtualization layer.

Sandboxes are ephemeral — provisioned per session and destroyed after. No persistent attack surface accumulates between sessions. The runtime runs as a non-root user, drops all Linux capabilities, disables privilege escalation, and applies a default seccomp profile.

Container (shared kernel)
MicroVM (Context)
Isolation boundary
Kernel namespaces / cgroups
Hardware hypervisor
Kernel compromise
Exploitable from any peer container
Contained to single sandbox
Host visibility
/proc, /sys exposed
Fully virtualized, no host visibility

Network Egress

Deny-by-default at the infrastructure layer

Sandbox network egress is deny-by-default, enforced at the network infrastructure layer — not at the application level where a compromised process could bypass it. Direct internet access, the cloud instance metadata service, the cluster API server, peer sandboxes, and external DNS are all blocked.

A sandbox can reach exactly one destination: the internal mediated gateway. LLM inference, web search, and connector requests all follow the same path. The gateway authenticates each request, applies policy, makes the upstream call with its own credentials, and returns the result.

The sandbox never receives upstream secrets. For LLM inference, the sandbox authenticates with a per-session token that the gateway swaps for real provider credentials server-side. For drive access, credentials are minted via STS with an inline session policy scoped to the organization's storage prefix and a specific read or write intent. TTL is 1–12 hours.

Data Isolation

Organization is the hard tenancy boundary

Each user belongs to exactly one organization. Cross-organization data access is impossible by design, enforced at both the application and infrastructure layers: all database queries are scoped by organization through foreign key constraints, and object storage uses STS session policies enforcing prefix-level boundaries.

Agent-to-agent isolation is total. Each agent has its own sandbox, session, credentials, and filesystem. There is no shared context, shared memory, or shared credential between agents. This stands in contrast to platforms where years of accumulated permission sprawl become the agent's access surface.

Identity & Access

Agents are first-class principals

AuthenticationCustomer IdP via SAML 2.0 / OIDC · MFA enforced at IdP · SCIM directory sync
AuthorizationTwo-tier RBAC (org + workspace) · Escalation prevention · Agents as first-class principals
Agent identitySame authorization system as human users · Per-agent API keys · Workspace membership governs data access
SessionsServer-side in PostgreSQL · 7-day expiry · Fully revocable · IP and user-agent tracked

Organization administrators define what each agent can do. Agents operate under the principle of least privilege: the platform grants only the access required for the task. Drive credentials carry explicit read-only or read-write intent, enforced at the IAM policy level.

Observability

Complete chain of custody

Every inference call is warehoused in-cluster with full context: organization, agent, session, model, tokens, input/output, cost, and latency. Identity is resolved server-side — agents cannot misrepresent themselves in traces.

An immutable, append-only audit log captures every permission change, API key lifecycle event, role grant, and data access operation. Given any agent, user, resource, or time range, the complete chain of custody can be reconstructed.

All observability integrates with existing enterprise stacks: OpenTelemetry for distributed tracing, structured JSON logs for any SIEM (Datadog, Splunk, ELK, CloudWatch), and Prometheus metrics for monitoring. An in-cluster Grafana stack is included.

Deployment

Entire stack runs in customer infrastructure

The entire platform runs in the customer's VPC across multiple availability zones. Context does not host any component of the deployment. All encryption uses customer-managed keys.

Updates are delivered as Helm releases through a gated promotion pipeline (Unstable → Beta → Stable). The customer deploys at their discretion through a self-service admin console with health monitoring, one-click upgrades with rollback, preflight validation, and configuration management. Context does not have access to the cluster.

Airgapped installation is fully supported, with offline image bundles and automatic registry rewriting to the customer's internal registry (ECR, Harbor, Artifactory). No outbound connectivity is required for telemetry, license verification, or any phone-home mechanism.

Resources

Reports and policies

Audit reports and security documentation available under NDA.

ISO 27001 Certificatecertificate
Request
SOC 2 Type II Reportreport
Request
SOC 2 Type I Reportreport
Request
Penetration Test Summaryreport
Request
Breach Notification Policypolicy
Request
Data Classification Policypolicy
Request
Software Bill of Materials (SBOM)document
Request

Controls

57 controls monitored

Continuously monitored across infrastructure, data protection, access management, and operations.

Secure media disposal
Technology asset inventory
Emergency operations continuity
Business continuity and disaster recovery plan
Database backups
Multi-availability zone deployment
Capacity and performance monitoring
Capacity and performance planning
Material system change communication
Customer notification for major changes
Cloud provider physical access review
Encryption at rest
Production key management
Encryption in transit
Governance committee bylaws
Annual strategic planning
Security roles and responsibilities
Board security briefings
Information security policies
Data classification and access control
Customer data deletion
Data retention and deletion policy
Anti-malware protection
Removable media controls
Remote work policy
Employee confidentiality agreements
Disciplinary process
Termination access revocation
Contractor code of conduct
Employee code of conduct
Session timeout enforcement
Password policy
Access control procedures
Least-privilege access for production
Infrastructure authentication
Incident response procedures
Security concern resolution
Security incident logging
Regulatory authority communication
Secure connection requirements
Network firewall
Firewall rule management
Network architecture documentation
Source code access controls
Environment and tenant segmentation
Environment separation
Static application security testing
Secure development procedures
Contractor confidentiality agreements
Contractual security commitments
Vendor confidentiality agreements
Penetration testing
Vendor management program
Patch management
Vulnerability scanning and remediation
Intrusion detection
Web application firewall

Subprocessors

Third-party services

VercelCloud infrastructure and platform services
AnthropicAI and ML services
DatadogLogging and observability

Security inquiries

For report requests, vendor security questionnaires, or to report a vulnerability.

trust@context.ai
Privacy PolicySecurity