Where your data lives, and how we treat it.

No puffery, no badges we don't hold. Just plain answers to the questions a security review actually asks. If something here is missing, email security@agentping.io.

Where your data lives

AgentPing runs entirely on Google Cloud, in the European Union. We store your run records (timing, status, cost, evaluation results), the step-by-step detail of each run, and the content your agents report to us through the SDK or API.

How long we keep it is set by your plan: step-by-step detail and run history each have their own retention window. The full table is on the data retention page, and you can export everything at any time, on every plan.

Encryption

Data is encrypted in transit with TLS, and encrypted at rest using Google Cloud's managed encryption. Credentials and channel secrets are encrypted at the application layer on top of that.

How evaluations handle your data

When evaluations are on, AgentPing sends the relevant run content to Anthropic's API to be scored against your goal. Anthropic does not train on data submitted through its API.

Evaluations are an explicit per-team switch, and teams you create later start with it off. If you would rather no run content ever leave AgentPing, leave evaluations off; health checks still run and send nothing to any model. This is your control, not ours.

Subprocessors

The third parties that process data on our behalf, and why:

  • Google Cloud — hosting, compute, and the database (EU).
  • Anthropic — evaluation scoring, only when evaluations are enabled for a team.
  • Stripe — payment processing for paid plans.
  • OneSignal — web push notifications, if you opt in.
  • Our transactional email provider — alert and account emails.

We keep this list current. When it changes, this page changes with it.

Access control

Your API keys carry scopes: an ingest key can send data, a read key can pull it back, and the two are separate. Teams isolate data inside your account.

On our side, access is limited to the founder, for support and debugging, and only when needed. We do not give third parties access to your data, and there is no ad tech in the product.

Backups and recovery

The database is backed up automatically, with point-in-time recovery enabled through Google Cloud SQL over a 7-day window. Backups follow their own expiry schedule; when you delete data, copies in backups age out on that schedule rather than living forever.

Responsible disclosure

Found something? Email security@agentping.io. We commit to acknowledging your report within 72 hours and working with you on a fix. We don't run a paid bounty program, but we are grateful and will credit you if you'd like.

Data Processing Agreement

Our standard DPA, incorporating the EU Standard Contractual Clauses, is available to download and sign: read the DPA.

What we don't have yet

We'd rather state the gaps than hide them. We are not SOC 2 certified today; we'll pursue it when customer demand justifies the work. SSO and SAML are available on request for Business accounts. As our compliance posture grows, this page grows with it.

Your data and exports Data retention Plans and limits