Security

Security is foundational, not an afterthought.

When AI agents operate software on behalf of your users, security isn't a feature — it's the architecture. Every layer of Deck is built around isolation, encryption, and zero-trust principles.

SOC 2 Type II GDPR HIPAA PCI-DSS

Every agent runs in complete isolation

Each Computer Use session spins up a dedicated, ephemeral virtual machine. No shared memory, no shared filesystem, no shared network. By default, when the task completes, the VM is destroyed — including all browser data, cookies, and cached credentials. For workflows that require it, persistence can be enabled per session, giving you full control over what stays and what gets wiped.

Agent A: Isolated VM
Agent B: Isolated VM
Agent C: Isolated VM
Agent D: Destroyed

Encryption at every layer

All data is encrypted in transit with TLS 1.3 and at rest with AES-256. Sensitive data such as credentials and payment information is stored in a PCI-compliant vault, encrypted with per-tenant keys, and replaced with secure tokens — raw values never touch our core systems. API keys are hashed and never stored in plaintext.

In transit: TLS 1.3
At rest: AES-256
Credentials: Per-tenant keys
API keys: Hashed, never plaintext
Sensitive data: Vault + tokenization

Zero-trust access controls

Only those who need access get it. Multi-factor authentication, SSO/SAML support, and role-based access controls ensure your data is managed by the right people. Every access event is logged, monitored, and auditable. Internal access to production systems requires just-in-time approval and device posture verification.

Multi-factor authentication
SSO / SAML support
Role-based access controls
Just-in-time privileged access
Device posture verification
Full audit trail

AI agent-specific safeguards

Computer Use agents introduce unique security considerations. Deck addresses them at the infrastructure level: agents operate in sandboxed VMs with no internet access beyond the target application, actions are bounded by configurable policies, sensitive operations require human approval, and every click is recorded for full session replay and audit.

Sandboxed execution

No lateral network access. Agents can only reach the target application.

Action policies

Define what agents can and can't do. Block deletions, cap spending, require approvals.

Session replay

Every agent session is recorded. Replay any run to see exactly what happened.

Continuous compliance and monitoring

Our systems undergo continuous monitoring to proactively detect and prevent security threats. We maintain a thorough audit trail for all key actions, ensuring transparency and accountability.

Incident response

Documented response plan. Audited by PwC. Tested annually. Containment and resolution within hours, not days.

Penetration testing

Annual third-party penetration tests. Continuous SAST, DAST, and CSPM scanning. Findings are triaged and remediated.

Data retention

At end of service, all customer data — including backups — is permanently deleted. No recoverable copies.

Infrastructure

Hosted on Google Cloud Platform. All subprocessors are vetted against our security standards.