AgentProof · Trust Centre

Trust Centre

Honest positioning. What AgentProof is and is not. What it reads, what it writes, what it claims. No exaggeration.

Trust Centre · claim safety

12 founder-authored sections · 0 prohibited-claim violations

Each section is plain language. The claim-safety validator scans every section for prohibited phrases (certified, ISO 27001, SOC 2, GDPR-compliant, Microsoft endorses, guaranteed safe, vulnerability scan, etc.) — when this panel shows zero violations, no Trust Centre copy makes a claim it cannot back up.

  • What AgentProof reads

    Read-only metadata: tenant identifiers, environment list, agent list, configuration objects needed to build the canonical agent footprint. Read-only consent is granted by your tenant admin and can be revoked at any time.

  • What AgentProof does not read

    No business records. No conversation content. No customer PII. No transactional data. No model weights. No payment data. No contract data.

  • Read-only connector posture

    Every connector AgentProof ships requests least-privilege read-only scopes. AgentProof never asks for write or modify scopes. Tokens never leave the server.

  • Workspace isolation

    Every workspace is scoped to its owner through Supabase row-level security (RLS): every policy enforces auth.uid() = user_id. Cross-tenant viewers never see another customer's connector state, discovery facts, reports, or improvement actions.

  • Demo and sample separation

    Sample agents always carry a Sample or Demo badge. Sample data cannot enter a real workspace without that badge. Real workspaces start empty and only ever show real data the workspace owner has authorised.

  • Authentication model

    Magic-link sign-in only. No password, no SSO, no third-party trackers. Local test access is available in non-production builds only and requires a server-side env flag plus a configured test user.

  • Data handling principles

    Workspace data is stored in your hosted Supabase project. AgentProof does not send your data to any live AI provider unless you explicitly configure one. The Supabase project is expected to be EU-region when EU-region is required.

  • Microsoft endorsement

    AgentProof is not endorsed by Microsoft. References to Microsoft Power Platform, Copilot Studio, Azure AI Foundry, or Entra ID describe public Microsoft surfaces only — AgentProof does not speak on behalf of Microsoft.

  • Legal and certification claims

    AgentProof does not claim ISO 27001, SOC 2, GDPR, HIPAA, FedRAMP, or any other certification. AgentProof is not legal advice. AgentProof is a readiness lens — it shows what is in place and what is missing.

  • Revocation awareness

    Any consent you grant AgentProof can be revoked at any time through your Microsoft tenant admin console (or equivalent for other providers). AgentProof refuses to operate on a revoked connector.

  • Audit-friendly design

    Every discovered fact records a discovery_source tag (real_connector_call, simulated, user_confirmed, manual_fallback). Reports carry a version stamp and methodology version. Connector state changes are journaled.

  • AI provider usage boundaries

    No live AI provider is contacted at any point in the public build. When live providers are configured by the operator, AgentProof uses them only to generate text narrative — the deterministic readiness score is computed without any LLM and cannot be overridden by an LLM.
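
The owner-scoping rule from "Workspace isolation", as an added example that is not AgentProof's own code: one owner-scoped table plus two catalog queries that check the "on every policy" claim. The table and policy names are hypothetical; the discovery_source values are the ones listed under "Audit-friendly design".

```sql
-- Added example; table and policy names are hypothetical, not AgentProof's schema.
create table public.discovery_facts (
  id               uuid primary key default gen_random_uuid(),
  user_id          uuid not null default auth.uid() references auth.users (id),
  discovery_source text not null check (discovery_source in
    ('real_connector_call', 'simulated', 'user_confirmed', 'manual_fallback')),
  fact             jsonb not null
);

-- Without this, policies can exist on the table but are not enforced.
alter table public.discovery_facts enable row level security;

-- USING filters the rows a caller can read or target; WITH CHECK rejects
-- inserted or updated rows whose user_id is not the caller.
create policy discovery_facts_owner on public.discovery_facts
  for all to authenticated
  using (auth.uid() = user_id)
  with check (auth.uid() = user_id);

-- Audit 1: tables in the public schema that have RLS switched off.
select c.relname as table_without_rls
from pg_class c
join pg_namespace n on n.oid = c.relnamespace
where n.nspname = 'public' and c.relkind = 'r' and not c.relrowsecurity;

-- Audit 2: policies whose expressions never reference auth.uid().
select tablename, policyname, cmd, qual, with_check
from pg_policies
where schemaname = 'public'
  and (coalesce(qual, with_check, '') not like '%auth.uid()%'
    or coalesce(with_check, qual, '') not like '%auth.uid()%');
```

Both audit queries returning zero rows is what owner scoping "on every policy" looks like in the catalog. Requests made with the Supabase service_role key bypass RLS, so that key has to stay server-side.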

Claim-safety validator: CLEAN — no prohibited claims detected