Confidential — Agentys Inc.  |  Security Whitepaper v1.0

Security Whitepaper

A comprehensive overview of Agentys security practices, architecture, and compliance posture

Classification: Public
Version: 1.0
Date: February 2026
Author: Agentys Inc. — Security & Compliance Team
Headquarters: Montreal, QC, Canada
PUBLIC

Document Control

Version Date Author Description
0.1 January 2026 Security Team Initial draft
0.9 February 2026 Security Team Internal review and legal approval
1.0 February 2026 Security Team Public release

Table of Contents

  1. 1 Executive Summary
  2. 2 Company Overview
  3. 3 Security Architecture
  4. 4 Data Protection
  5. 5 AI Security
  6. 6 Access Control
  7. 7 Infrastructure Security
  8. 8 Monitoring & Incident Response
  9. 9 Business Continuity & Disaster Recovery
  10. 10 Compliance & Certifications
  11. 11 Vendor Management
  12. 12 Employee Security
  13. 13 Vulnerability Management
  14. 14 Contact Information

1 Executive Summary

1.1 Purpose

This Security Whitepaper provides a comprehensive overview of the security practices, technical safeguards, and compliance measures implemented by Agentys Inc. ("Agentys") to protect customer data processed through the Agentys AI email management platform. It is intended for current and prospective customers, partners, auditors, and other stakeholders who require assurance regarding the security posture of our platform.

1.2 Scope

This document covers all aspects of the Agentys platform security, including but not limited to: infrastructure, application, data protection, AI model governance, identity and access management, monitoring, incident response, business continuity, and regulatory compliance. The controls described herein are aligned with industry-recognized frameworks including NIST Cybersecurity Framework (CSF) 2.0, ISO/IEC 27001:2022, ISO/IEC 42001:2023, and SOC 2 Trust Services Criteria.

1.3 Our Commitment

Agentys processes sensitive email data—including correspondence, attachments, and metadata—on behalf of professionals across legal, financial, healthcare, and corporate sectors. This responsibility demands the highest security standards. We are committed to maintaining an information security management system (ISMS) that meets or exceeds the requirements of:

Key Principle
Security is not an afterthought at Agentys. Our platform was architected from the ground up with a security-first design philosophy, embedding defense-in-depth principles across every layer of our technology stack.

2 Company Overview

2.1 About Agentys

Agentys is an artificial intelligence platform designed to transform email management for professionals and enterprises. By leveraging advanced natural language processing and machine learning, Agentys automates the drafting, prioritization, scheduling, and categorization of email communications—enabling knowledge workers to reclaim significant productive time while maintaining the quality and nuance of their professional correspondence.

2.2 Founding Principles

Agentys was founded with a clear mandate: build an AI platform that professionals can trust with their most sensitive communications. From day one, our engineering and product decisions have been guided by three core principles:

  1. Security by Design: Security requirements are defined at the architecture phase, not retrofitted after deployment. Every component undergoes threat modeling before implementation.
  2. Privacy by Default: Data minimization, purpose limitation, and user consent are embedded into every feature. We collect only the data required to deliver the service and retain it only as long as necessary.
  3. Transparency: We believe customers have the right to understand how their data is processed, stored, and protected. This document is one expression of that commitment.

2.3 Corporate Information

Legal NameAgentys Inc.
HeadquartersMontreal, Quebec, Canada
IndustryEnterprise Software / Artificial Intelligence
ProductAI Email Management Platform
Security Contactsecurity@agentys.io
Privacy Officerprivacy@agentys.io

3 Security Architecture

3.1 Architectural Overview

The Agentys platform is built on a modern, cloud-native architecture designed to deliver security, scalability, and reliability. Our architecture follows a defense-in-depth model, implementing overlapping security controls at every layer—from network perimeter to application logic to data storage. NIST CSF: PR.AC ISO 27001: A.8

3.2 Multi-Tenant Architecture with Tenant Isolation

Agentys employs a multi-tenant architecture in which each customer's data is logically isolated from all other tenants. Isolation is enforced at multiple levels:

SOC 2 TSC Reference
Tenant isolation controls map to SOC 2 Trust Services Criteria CC6.1 (Logical and Physical Access Controls) and CC6.3 (Authorized Access Based on System Design and Implementation). These controls are validated during our annual SOC 2 Type 2 audit.

3.3 Data Encryption

All customer data is protected by encryption both at rest and in transit, using industry-standard cryptographic algorithms:

Layer Standard Implementation
Data at Rest AES-256-GCM All databases, object stores, and backups are encrypted using AES-256 with keys managed through a dedicated KMS. Encryption keys are rotated annually.
Data in Transit TLS 1.3 All external and internal communications use TLS 1.3. Legacy protocols (TLS 1.0, 1.1, and SSL) are explicitly disabled. HSTS headers are enforced with a minimum max-age of one year.
Key Management Envelope Encryption Data encryption keys (DEKs) are wrapped with key encryption keys (KEKs) stored in a hardware security module (HSM)-backed key management service with FIPS 140-2 Level 3 validation.

NIST CSF: PR.DS-1, PR.DS-2 ISO 27001: A.8.24

3.4 Zero-Trust Network Architecture

Agentys implements a zero-trust network model based on the principle of "never trust, always verify." Key elements include:

NIST CSF: PR.AC-5 SOC 2: CC6.1

3.5 Secure API Gateway

All external API traffic is routed through a secure API gateway that provides:

4 Data Protection

4.1 Email Data Handling

The Agentys platform processes email data to provide its core AI-powered management capabilities. We recognize the sensitivity of email communications and have implemented stringent protections around the handling of this data. ISO 27001: A.8.10

4.2 Authentication with Email Providers

Agentys integrates with email providers (Google Workspace, Microsoft 365, and others) exclusively through OAuth 2.0 authorization flows:

Data Minimization Principle
Consistent with GDPR Article 5(1)(c) and Loi 25 requirements, Agentys adheres to the principle of data minimization. We process only the email data necessary to deliver our AI management capabilities and do not retain data beyond its operational purpose.

4.3 Data Residency

Agentys offers customers a choice of data residency regions to comply with local data sovereignty and regulatory requirements:

Region Data Center Location Applicable Regulations
Canada Montreal, QC / Toronto, ON PIPEDA, Loi 25
United States US-East / US-West SOC 2, CCPA
European Union Frankfurt, DE / Paris, FR GDPR, EU AI Act

Data residency selection is configured at the organization level during onboarding and is enforced at the infrastructure layer. Cross-region data transfers, if necessary for operational purposes, comply with applicable transfer mechanisms (e.g., Standard Contractual Clauses for EU data). GDPR: Art. 44-49

4.4 Data Lifecycle Management

Agentys implements automated data lifecycle management to ensure data is retained only for as long as necessary:

4.5 Right to Deletion

In compliance with GDPR Article 17 (Right to Erasure), Loi 25, and other applicable privacy regulations, Agentys supports data subject deletion requests. Upon receiving a verified deletion request, Agentys will:

  1. Acknowledge the request within 48 hours.
  2. Complete deletion of all associated personal data within 30 calendar days.
  3. Confirm deletion in writing to the requesting party.
  4. Ensure deletion propagates to all backups within the subsequent backup rotation cycle (maximum 90 days).

GDPR: Art. 17 Loi 25: s. 28 SOC 2: P6.5

5 AI Security

5.1 AI Governance Framework

Agentys recognizes that the deployment of AI in the context of sensitive email communications introduces unique security and ethical considerations. Our AI governance framework is aligned with ISO/IEC 42001:2023 (AI Management Systems) and addresses risks specific to AI-powered email management. ISO 42001: 6.1

5.2 Data Isolation in AI Processing

AI models deployed by Agentys are designed with strict data isolation principles:

AI Data Commitment
Agentys contractually guarantees that no customer data is used for AI model training. This commitment is codified in our Data Processing Agreement (DPA) and is verified during our annual SOC 2 Type 2 audit.

5.3 Model Output Safety

Given that Agentys assists with composing professional email communications, the safety and accuracy of AI model outputs is of paramount importance:

5.4 Human-in-the-Loop Controls

Agentys enforces a mandatory human-in-the-loop paradigm for all email operations:

ISO 42001: A.7.3 NIST AI RMF: MG-3.2

5.5 Adversarial AI Protections

Agentys implements protections against adversarial attacks targeting AI systems:

6 Access Control

6.1 Identity and Access Management

Agentys implements a comprehensive identity and access management (IAM) program to ensure that access to systems, data, and resources is granted on a least-privilege basis and continuously monitored. NIST CSF: PR.AC ISO 27001: A.5.15-A.5.18

6.2 Role-Based Access Control (RBAC)

All access within the Agentys platform and corporate systems is governed by role-based access control:

6.3 Multi-Factor Authentication (MFA)

Multi-factor authentication is mandatory for all access:

6.4 Privileged Access Management (PAM)

Access to production environments and sensitive systems is governed by a strict privileged access management program:

SOC 2: CC6.2, CC6.3

6.5 Access Reviews

Access permissions are subject to regular review to ensure ongoing appropriateness:

Review Type Frequency Scope
User Access Review Quarterly All employee access across corporate and production systems
Privileged Access Review Monthly All accounts with administrative or elevated privileges
Service Account Review Quarterly All automated service accounts and API keys
Offboarding Verification Within 24 hours Terminated employee access revocation confirmation

6.6 Single Sign-On (SSO) Integration

Agentys supports enterprise SSO integration through industry-standard protocols:

7 Infrastructure Security

7.1 Cloud Infrastructure

The Agentys platform is hosted on SOC 2 Type 2 and ISO 27001-certified cloud infrastructure providers. Our infrastructure-as-code approach ensures consistent, auditable, and repeatable deployments across all environments. NIST CSF: PR.IP

7.2 Network Segmentation

Agentys implements multi-layered network segmentation to contain potential security incidents and limit lateral movement:

7.3 Web Application Firewall (WAF)

All public-facing endpoints are protected by a Web Application Firewall (WAF) that provides:

7.4 DDoS Protection

Agentys employs multi-layer DDoS protection to ensure service availability:

7.5 Container Security

All Agentys services run in containerized environments with the following security controls:

NIST CSF: PR.IP-1 SOC 2: CC7.1

8 Monitoring & Incident Response

8.1 Security Monitoring

Agentys operates a 24/7 security monitoring program that provides continuous visibility into the security posture of the platform: NIST CSF: DE.CM ISO 27001: A.8.15, A.8.16

8.2 Log Management

Comprehensive logging supports both security monitoring and compliance requirements:

Log Type Retention Encryption
Security events (authentication, authorization) 1 year AES-256 at rest
Application logs 90 days AES-256 at rest
Infrastructure / system logs 90 days AES-256 at rest
Audit trail (admin actions) 2 years AES-256, immutable storage
API access logs 1 year AES-256 at rest

All logs are stored in tamper-evident, append-only storage. Sensitive fields (e.g., email content, PII) are redacted or masked prior to logging.

8.3 Incident Response Plan

Agentys maintains a formal Incident Response Plan (IRP) that defines procedures for detecting, containing, eradicating, and recovering from security incidents. The IRP is aligned with the NIST Computer Security Incident Handling Guide (SP 800-61r2). NIST CSF: RS.RP

8.3.1 Incident Severity Classification

Severity Definition Response Time Escalation
Critical (P1) Active data breach, service compromise, or exploitation of a critical vulnerability 15 minutes CISO, CEO, Legal
High (P2) Confirmed security event with potential for data exposure or service disruption 1 hour CISO, Engineering Lead
Medium (P3) Suspicious activity under investigation; no confirmed impact 4 hours Security Team Lead
Low (P4) Minor security events, policy violations, or informational alerts 24 hours Security Analyst

8.3.2 Incident Response Phases

  1. Detection & Analysis: Initial triage, scope assessment, and evidence preservation.
  2. Containment: Immediate actions to limit incident impact (e.g., network isolation, credential rotation, service suspension).
  3. Eradication: Removal of the root cause, including malware, compromised accounts, or vulnerable code.
  4. Recovery: Restoration of affected systems and services from verified clean backups, with monitoring for recurrence.
  5. Post-Incident Review: Comprehensive analysis of incident timeline, root cause, response effectiveness, and lessons learned. Findings are documented and drive improvements to security controls.

8.4 Breach Notification

In the event of a confirmed data breach involving personal data, Agentys will:

GDPR: Art. 33, 34 Loi 25: s. 3.5

9 Business Continuity & Disaster Recovery

9.1 Business Continuity Program

Agentys maintains a formal Business Continuity Plan (BCP) and Disaster Recovery Plan (DRP) to ensure resilience against disruptive events, including natural disasters, infrastructure failures, cyberattacks, and pandemic scenarios. Our BCP/DRP is reviewed and updated annually. NIST CSF: PR.IP-9 ISO 27001: A.5.29, A.5.30

9.2 Recovery Objectives

Metric Target Description
Recovery Point Objective (RPO) 1 hour Maximum acceptable data loss. Continuous replication ensures data loss does not exceed 1 hour in the event of a disaster.
Recovery Time Objective (RTO) 4 hours Maximum acceptable downtime. Full service restoration to a secondary region within 4 hours of a declared disaster.
Uptime SLA 99.9% Monthly uptime commitment, equivalent to a maximum of approximately 43 minutes of unplanned downtime per month.

9.3 Multi-Region Redundancy

The Agentys platform is architected for multi-region availability:

9.4 Backup Strategy

9.5 Disaster Recovery Testing

Agentys conducts formal disaster recovery testing to validate the effectiveness of recovery procedures:

SOC 2: A1.2, A1.3

10 Compliance & Certifications

10.1 Compliance Program Overview

Agentys maintains a comprehensive compliance program managed by a dedicated Governance, Risk, and Compliance (GRC) team. Our compliance posture is validated through independent third-party audits and continuous monitoring against applicable regulatory and industry frameworks.

10.2 Certifications & Attestations

Framework Scope Status
SOC 2 Type 2 Security, Availability, Confidentiality Trust Services Criteria Certified (annual audit)
ISO/IEC 27001:2022 Information Security Management System (ISMS) Certified (3-year cycle with annual surveillance)
ISO/IEC 42001:2023 AI Management System (AIMS) Certified (3-year cycle with annual surveillance)
GDPR Processing of personal data of EU data subjects Compliant (DPA available upon request)
Loi 25 (Quebec Law 25) Protection of personal information of Quebec residents Compliant (Privacy Impact Assessments conducted)
Audit Reports
Current SOC 2 Type 2 reports are available to customers and prospects under NDA. Please contact security@agentys.io to request a copy.

10.3 Regulatory Compliance Details

10.3.1 GDPR Compliance

As a data processor handling personal data of EU data subjects, Agentys complies with all applicable requirements of the General Data Protection Regulation (EU) 2016/679:

10.3.2 Loi 25 Compliance (Quebec Privacy Law)

As a company headquartered in Quebec, Agentys fully complies with Loi 25 (Act to modernize legislative provisions as regards the protection of personal information):

10.4 Third-Party Security Assessments

In addition to certification audits, Agentys engages independent third-party security firms to conduct:

11 Vendor Management

11.1 Third-Party Risk Management Program

Agentys recognizes that the security of our platform extends to the security of our vendors and sub-processors. We maintain a formal Third-Party Risk Management (TPRM) program to assess, monitor, and manage risks associated with external service providers. NIST CSF: ID.SC ISO 27001: A.5.19-A.5.23

11.2 Vendor Assessment Process

All vendors that process, store, or have access to customer data undergo a structured security assessment before onboarding:

  1. Initial Questionnaire: Vendors complete a comprehensive security questionnaire based on the Shared Assessments SIG (Standardized Information Gathering) framework.
  2. Risk Scoring: Vendors are assigned a risk tier (Critical, High, Medium, Low) based on the nature and volume of data they access and the criticality of the service they provide.
  3. Evidence Review: For Critical and High-tier vendors, Agentys reviews SOC 2 reports, ISO 27001 certificates, penetration test summaries, and other relevant audit evidence.
  4. Contractual Safeguards: All vendor agreements include data protection clauses, security requirements, breach notification obligations, and right-to-audit provisions.

11.3 Ongoing Vendor Monitoring

Vendor risk is not a point-in-time assessment. Agentys conducts ongoing monitoring of critical vendors:

11.4 Sub-Processor Management

In accordance with GDPR Article 28 requirements:

12 Employee Security

12.1 Personnel Security Overview

Agentys recognizes that people are both the greatest asset and a critical vector in information security. Our personnel security program ensures that all employees, contractors, and temporary workers understand their security responsibilities and are equipped to uphold them. ISO 27001: A.6.1-A.6.8

12.2 Background Checks

All prospective Agentys employees and contractors undergo pre-employment background checks, the scope of which is commensurate with the sensitivity of the role:

12.3 Security Awareness Training

All Agentys personnel participate in a comprehensive security awareness program:

Training Type Frequency Audience
Security Onboarding Upon hire All employees and contractors
General Security Awareness Quarterly All employees and contractors
Phishing Simulations Monthly All employees
Secure Development Training Quarterly Engineering team
Incident Response Drills Quarterly Security and engineering teams
Privacy & Data Protection Annually All employees and contractors

12.4 Security Policies

Agentys maintains a comprehensive suite of information security policies, including but not limited to:

12.5 Secure Development Lifecycle (SDLC)

Agentys follows a Secure Software Development Lifecycle that integrates security at every phase of the development process:

  1. Design: Threat modeling and security architecture review for all new features and significant changes.
  2. Development: Secure coding standards, mandatory code reviews, and pre-commit security linting.
  3. Testing: Automated security testing in CI/CD (SAST, DAST, SCA). Manual security review for high-risk changes.
  4. Deployment: Automated deployment pipelines with security gate checks. No direct production access for developers.
  5. Operations: Runtime application security monitoring, vulnerability management, and continuous feedback into the design phase.

NIST CSF: PR.IP-2 SOC 2: CC8.1

13 Vulnerability Management

13.1 Vulnerability Management Program

Agentys operates a proactive vulnerability management program designed to identify, assess, prioritize, and remediate security vulnerabilities across all systems and applications. NIST CSF: DE.CM-8 ISO 27001: A.8.8

13.2 Vulnerability Scanning

Regular automated scanning is conducted across all layers of the technology stack:

13.3 Patch Management

Agentys maintains defined Service Level Agreements for vulnerability remediation based on severity:

Severity (CVSS) Remediation SLA Process
Critical (9.0 - 10.0) 24 hours Emergency patch. Security team lead approval. Immediate deployment to production.
High (7.0 - 8.9) 7 days Expedited patching through the standard release pipeline with priority scheduling.
Medium (4.0 - 6.9) 30 days Standard patching cycle. Included in the next scheduled release.
Low (0.1 - 3.9) 90 days Addressed in routine maintenance. Risk-accepted if mitigating controls exist.

13.4 Penetration Testing

Agentys engages independent, CREST-accredited third-party security firms to conduct annual comprehensive penetration testing:

13.5 Responsible Disclosure & Bug Bounty

Agentys is committed to working with the security research community to identify and address vulnerabilities:

ISO 27001: A.8.8 SOC 2: CC7.1

14 Contact Information

14.1 Security & Privacy Contacts

For questions, concerns, or requests related to the security and privacy practices described in this document, please contact the appropriate team:

Purpose Contact Response Time
General security inquiries security@agentys.io 2 business days
Privacy inquiries & data subject requests privacy@agentys.io 2 business days
Vulnerability reporting security@agentys.io 24 hours (acknowledgment)
SOC 2 report requests security@agentys.io 5 business days
Data Processing Agreement (DPA) requests privacy@agentys.io 5 business days
Incident reporting security@agentys.io Immediate triage

14.2 Corporate Address

Agentys Inc.
Montreal, Quebec, Canada
Web: agentys.io

14.3 Additional Resources

Disclaimer

This Security Whitepaper is provided for informational purposes only and does not constitute a contractual commitment. While Agentys strives to ensure the accuracy and completeness of the information presented herein, the security controls and practices described are subject to change as our platform evolves and as the threat landscape changes.

The security commitments applicable to your use of the Agentys platform are those set forth in your subscription agreement, Data Processing Agreement (DPA), and any other applicable contractual documents.

This document is classified as PUBLIC and may be shared freely. However, it remains the intellectual property of Agentys Inc. and may not be modified or misrepresented.