Security

All traffic between you, our servers, and the third-party tools your agents touch is encrypted in transit with TLS 1.2+. Data at rest in our primary database (Supabase Postgres) is encrypted with AES-256. Stored IMAP/SMTP credentials for custom-domain mailboxes are additionally wrapped in an AES-256-GCM envelope using a master key held outside the database, so a stolen DB snapshot alone cannot decrypt them.

Every API route is gated by Supabase row-level security tied to the authenticated user's organisation. An agent can only read or write data inside the workspace that owns it. Production access inside Ghostbase is restricted to a small on-call team, requires multi-factor authentication, and is audit-logged. We follow least-privilege principles for every internal credential.

When you connect a third-party tool (Gmail, Slack, Stripe, Salesforce, etc.), we receive OAuth tokens scoped to the permissions you grant. Tokens are stored encrypted, never logged in plaintext, and rotated when the upstream provider issues a new one. You can revoke any connection at any time from the Connections page or directly inside the third-party service — revocation propagates immediately.

Agent runs execute in short-lived serverless workers (Inngest / Vercel) that never share memory between organisations. Each run loads its agent configuration, connections, and tool catalog fresh from the database — there's no warm-cache leak path between tenants.

We do not use your prompts, agent outputs, knowledge files, or any workspace content to train foundation models — ours or anyone else's. Contracts with our LLM providers (Anthropic, OpenAI, Google) include zero data-retention or training opt-out terms for all enterprise traffic we route on your behalf.

Every agent run is logged step-by-step (input, tool calls, model response, self-reported status, token usage). Logs are retained for 90 days, then automatically purged from production by the runs-retention-cleanup job; expired memory entries are swept daily. Aggregated usage analytics retain for up to 24 months. Workspace deletion permanently removes content within 30 days from production and within 90 days from backups.

Ghostbase relies on a small set of vetted sub-processors to run the Service: Supabase (database + auth), Vercel (hosting), Inngest (background jobs), Stripe (billing), Resend (email), Sentry (error monitoring), and the LLM + integration providers your agents actively use (Anthropic, OpenAI, Google, Composio). Each provider is bound by contractual confidentiality and reviewed periodically. A current list is available on request.

If you discover a security issue in Ghostbase, please report it to support@ghostbase.ai rather than disclosing it publicly. We acknowledge reports within 24 hours, triage within 72 hours, and credit researchers in our security advisories on request.

If we ever experience a data breach affecting your information, we will notify the affected workspace owners by email within 72 hours of confirming the incident, alongside a public status post detailing impact, root cause, and remediation steps. We commit to a candid post-mortem rather than a sanitised press release.

Ghostbase is operated from the European Union. Where personal data is transferred internationally (e.g. to a US-based LLM provider), we rely on Standard Contractual Clauses and equivalent safeguards. A Data Processing Addendum is available at ghostbase.io/dpa and signed automatically when you accept the Terms of Service.

Security questions? Email support@ghostbase.ai. We read every message.