Security

Security at Faramesh.

We're an open source security company in build mode. This page covers how Faramesh is architected, where your data lives, what evidence we produce for your compliance audits, and how to reach us with security questions.

Deployment

Self-hosted by default.

Core is open source under Elastic License 2.0 and runs entirely in your environment. Your agents, your tool calls, your credentials, your logs. We're not in the data path.

Data residency

Your infrastructure.
Your sovereignty.

Faramesh Core deploys into your VPC, your Kubernetes cluster, your air-gapped network. Agent decisions happen where your data lives.

AWS, GCP, Azure, On-premises

Secrets stay in your vault

Faramesh integrates with HashiCorp Vault, AWS Secrets Manager, and K8s secrets. Credentials are injected at runtime, never stored in agent context.

Zero credential exposure

No outbound calls required

The runtime operates entirely within your network perimeter. Air-gapped deployments supported.

Network isolated

Architecture

Security by architecture.

The product itself is the security argument. Four pieces work together to keep agents inside the lines you draw.

01 Action Authorization Boundary

Every tool call an agent attempts passes through a pre-execution policy check. Disallowed actions never reach the tool. The agent doesn't get to negotiate.

02 Credential sequestration

Secrets, tokens, and API keys stay out of the agent's context window. The runtime injects them at call time and only for calls policy permits.

03 Pre-execution enforcement

Policy runs before the side effect, not after. Detection-based approaches catch breaches; we prevent the action from happening in the first place.

04 Cryptographic audit trails

Every authorization decision, allowed or denied, is written to a tamper-evident log. Hash-chained, signed, and replayable for any auditor who asks.
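
A minimal sketch of the hash-chained, signed decision log described above, added here as an illustration; it is not Faramesh's code or log format. Field names and the demo agent, tool and policy names are hypothetical, and HMAC-SHA256 stands in for the signature (independent verification by an auditor would need an asymmetric signature instead).

```python
import hashlib
import hmac
import json

GENESIS = "0" * 64  # prev_hash of the first record
DECISIONS = {"PERMIT", "DEFER", "DENY"}


def digest(body: dict) -> str:
    # Canonical JSON so the same record always hashes to the same value.
    return hashlib.sha256(json.dumps(body, sort_keys=True, separators=(",", ":")).encode()).hexdigest()


def append(log: list, key: bytes, agent: str, tool: str, decision: str, policy: str) -> dict:
    """Append one decision, chained to the previous record and signed."""
    if decision not in DECISIONS:
        raise ValueError(f"unknown decision: {decision}")
    body = {"seq": len(log), "agent": agent, "tool": tool, "decision": decision,
            "policy": policy, "prev_hash": log[-1]["hash"] if log else GENESIS}
    record = dict(body, hash=digest(body))
    record["sig"] = hmac.new(key, record["hash"].encode(), hashlib.sha256).hexdigest()
    log.append(record)
    return record


def verify(log: list, key: bytes) -> int:
    """Return -1 if the chain is intact, else the index of the first bad record."""
    prev = GENESIS
    for i, record in enumerate(log):
        body = {k: v for k, v in record.items() if k not in ("hash", "sig")}
        expected_sig = hmac.new(key, record.get("hash", "").encode(), hashlib.sha256).hexdigest()
        if (body.get("seq") != i or body.get("prev_hash") != prev
                or record.get("hash") != digest(body)
                or not hmac.compare_digest(record.get("sig", ""), expected_sig)):
            return i
        prev = record["hash"]
    return -1


def demo() -> tuple:
    key = b"constructed-demo-key"  # constructed; never hard-code a real key
    log = []
    append(log, key, "agent-7", "db.read", "PERMIT", "policy-1")
    append(log, key, "agent-7", "payments.refund", "DENY", "policy-2")
    append(log, key, "agent-7", "email.send", "DEFER", "policy-3")
    intact = verify(log, key)
    log[1]["decision"] = "PERMIT"  # simulate an after-the-fact edit of a denial
    return intact, verify(log, key)
```

The chain alone does not reveal records dropped from the end of the log; detecting that requires the latest hash to be recorded somewhere the log writer cannot change.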

Authorization flow: Agent Intent (tool call request) → Policy Check at the Action Authorization Boundary (AAB) → PERMIT / DEFER / DENY → Authorized Execution (with audit receipt)

Compliance evidence

What we generate for your audits.

When your compliance team faces an audit, Faramesh provides the cryptographic evidence that proves your agents operated within policy boundaries.

Evidence for your SOC 2 audit

Cryptographic audit trail

Every agent authorization decision is recorded with timestamps, policy references, and control mapping for CC6 (Logical Access). The logs are cryptographically signed so that auditors can verify them independently.

What auditors look for

Access control logs
Authorization decisions
Policy enforcement records

Faramesh Labs compliance status

We do not carry SOC 2, ISO 27001, or HIPAA certifications today. Cloud and Enterprise tiers will include formal compliance programs starting Q3-Q4 2026. The self-hosted Core model means your data never reaches us.