agent hive

SECURITY

One isolated colony per tenant

Isolation is the architecture, not a setting. Each customer runs in a sealed colony with its own machine, database, and encrypted volume, so one tenant cannot reach another.

the controls

Security you can see in the architecture.

No abstract trust marks. The controls below are how every colony is provisioned today.

  • Per-tenant isolation

    One Fly machine, one Postgres, one encrypted volume per colony. No shared state, no schema-per-tenant in a shared database, no noisy neighbour.

  • Encryption end to end

    Data is encrypted in transit and at rest. Secrets live in a vault and are forwarded to the colony as runtime secrets, never checked in or logged.

  • Bring your own model keys

    Your provider keys are encrypted per colony and forwarded at provision time. The control plane forwards them; it does not store them in the clear.

  • A self-host path

    The engines are permissively licensed open source. If you need to run them inside your own boundary, the self-host path is open.

the isolation map

There is nothing shared to leak.

This is the real picture: three colonies side by side, each a sealed unit. No shared row, no cross-tenant arrow.

northwind.agenthive.co · iad
  • Machine
  • Postgres
  • Encrypted volume
  • Model keys

sealed · no shared state

acme-co.agenthive.co · iad
  • Machine
  • Postgres
  • Encrypted volume
  • Model keys

sealed · no shared state

your-colony.agenthive.co · iad
  • Machine
  • Postgres
  • Encrypted volume
  • Model keys

sealed · no shared state

One machine, one database, one encrypted volume per tenant. There is no shared row to leak and no cross-tenant query to write.

shared vs isolated

Per-tenant colony vs. shared multi-tenant SaaS.

Most AI tools put every customer in one shared database and trust the query layer to keep them apart. Agent Hive gives each customer its own colony, so the controls below are architectural, not configuration.

Where your data lives

  • Per-tenant colony: Your own Postgres and encrypted volume, one per colony.
  • Shared multi-tenant SaaS: Your rows sit in one shared database beside every other tenant's.

Blast radius

  • Per-tenant colony: A breach is scoped to a single colony.
  • Shared multi-tenant SaaS: One shared store means a breach can span tenants.

Cross-tenant access

  • Per-tenant colony: There is no cross-tenant query path to get wrong.
  • Shared multi-tenant SaaS: A single query bug can read another tenant's data.

Model keys

  • Per-tenant colony: Your keys, encrypted per colony, never stored in the clear.
  • Shared multi-tenant SaaS: A shared vendor key you do not control.

Self-host

  • Per-tenant colony: Open engines you can run inside your own boundary.
  • Shared multi-tenant SaaS: Closed SaaS: take it or leave it.

certifications

What we claim, and what we don't.

Agent Hive does not yet hold a third-party security certification, and we will not show a badge we have not earned. The isolation, encryption, and key-handling controls above are real and in production today. A formal audit is on the roadmap.

Roadmap: A formal SOC 2 / ISO 27001 audit is on the roadmap; we make no certification claim until it ships.

Run it in your own sealed colony.

14-day trial. No DevOps. No sales call. Provisioned in under a minute.

Security — Agent Hive