SetForth Security Overview

Last updated: July 1, 2026

SetForth runs AI software agents on our customers' source code and content, so we treat the security and confidentiality of that data as foundational. This page summarizes the technical and organizational measures we use to protect the SetForth platform and services (the "Service"). It is a summary for customers and prospects; more detailed documentation is available to customers and prospective customers on request under a non-disclosure agreement.

This overview supplements our Privacy Policy, Data Processing Addendum, and Subprocessor List.

Shared responsibility

Security is a shared responsibility. SetForth secures the Service and its infrastructure as described below. Customers are responsible for their own use of the Service, including managing their Authorized Users and access, scoping the repository and system access they grant to Agents, reviewing Agent output before relying on it, protecting their credentials, and maintaining backups of their content. See the Terms of Service.

Infrastructure and hosting

The Service runs on a major cloud provider (Amazon Web Services) within an isolated cloud environment. Our cloud provider maintains its own physical-security, availability, and compliance programs for the underlying data centers and infrastructure.

Encryption

  • In transit: data transmitted to and within the Service is encrypted using current versions of TLS.
  • At rest: sensitive credentials and access tokens are encrypted at rest using strong, industry-standard encryption (AES-256-GCM). Secrets are hashed where appropriate, and secret comparisons use timing-safe methods.

Tenant isolation

The Service is multi-tenant and organization-scoped. Access to data is partitioned by organization and enforced on each request, so one customer's data is not accessible to another customer.

Authentication and access control

  • Customer authentication is provided through a dedicated identity provider, with support for single sign-on.
  • Access within the Service is governed by role-based access control and fine-grained, resource-level authorization, applied on a least-privilege basis.
  • SetForth limits internal access to production systems and customer data to personnel who need it, subject to confidentiality obligations, and requires multi-factor authentication for administrative and production access.

Secrets and credential protection

Secrets are stored in a managed secrets system. Importantly for an agent platform: AI Agents do not receive third-party provider credentials. Privileged operations, such as accessing a customer's repository, are mediated server-side through a credential-injecting proxy, so credentials are not exposed to Agents or to the code they run.

Isolated code execution

Agents execute code in isolated sandbox environments. We treat all customer repository content and any code processed by the Service as untrusted by default, and isolate its execution accordingly.

AI data handling

To perform requested work, the Service transmits the customer content necessary for a task to a managed AI inference service (Amazon Bedrock) running within our cloud provider. Content sent for inference is processed inside our cloud environment, in the selected region, under terms that do not permit it to be used to train any models and that do not share it with the underlying model provider, subject to limited retention required to detect and prevent abuse. All model traffic is routed through SetForth-operated gateway infrastructure for control and metering, which authenticates to the inference service using a scoped cloud identity role rather than a shared, long-lived API key. See the Privacy Policy.

Network security

Internal services communicate over private networking, and internet-facing components are fronted by protective controls at the network edge designed to mitigate common attacks.

Logging, monitoring, and auditing

We maintain application and audit logging of significant actions, along with error and performance monitoring, to operate and secure the Service and to support investigations.

Resilience and continuity

The Service runs on managed, resilient cloud infrastructure. Customer data in our primary datastores is backed up automatically, and we maintain a disaster-recovery and business-continuity plan covering restoration of the Service. Further detail is available to customers on request.

Secure development

SetForth follows secure-development practices, including a type-safe codebase, code review, dependency management, and validation of untrusted input.

Vendor and subprocessor management

We perform due diligence on the third parties that process data on our behalf and enter into data-protection agreements with them. Our current subprocessors are listed on the Subprocessor List.

Data retention and deletion

Our handling of data retention and deletion is described in the Privacy Policy and, for data processed on a customer's behalf, the Data Processing Addendum.

Compliance

We design our practices to align with applicable data-protection laws, including the GDPR and CCPA, and we support international data transfers using the Standard Contractual Clauses.

Reporting a vulnerability

We welcome reports of suspected security issues. Please contact security@setforth.app with enough detail to reproduce the issue. We ask that you give us a reasonable opportunity to investigate and remediate before public disclosure, and that testing does not violate the Acceptable Use Policy or harm other customers' data.

Requesting more information

Customers and prospective customers can request additional security documentation — such as our detailed security measures, completed security questionnaires, and any audit reports we maintain — under a non-disclosure agreement. Contact security@setforth.app.

SetForth, LLC · security@setforth.app
