verified_user Trust by design

Security & Compliance

AME touches production logs and source code. We treat every byte that way — encrypted in transit and at rest, isolated per-run, fully audited.

lock

Encryption

TLS 1.2+ in transit. AES-256 at rest in AWS-managed KMS. Integration credentials are encrypted with a per-workspace key.

policy

Isolation

Every remediation runs in a fresh, single-use sandbox. Source code is cloned, used, and destroyed without persisting to disk beyond the run.

history

Auditability

Every agent step is recorded with timestamps, prompts, tool calls, and outputs. PRs are signed and tagged to the originating incident ID.

Architecture

How AME is built to fail safely.

network_node

Network

VPC isolation in AWS, private subnets for application workloads, no public ingress to databases. Outbound calls to LLM providers and your VCS happen from a tightly scoped egress NAT.

WAF rules block common OWASP attacks; rate limits apply per workspace and per route.

key

Secrets

GitHub / GitLab / Jira tokens, LLM API keys, and Context7 keys are stored encrypted with envelope encryption (AWS KMS). Decryption is gated by IAM and scoped to the workspace's runtime principal.

Secrets never leave our VPC and are not exposed to the agent's tool-calling surface unless the action explicitly requires them.

play_arrow

Agent runtime

OpenHands runs the remediation in a single-use Linux sandbox with no public network access except to the LLM endpoint and your VCS. No persistent volume; the sandbox is destroyed at the end of the run.

The agent cannot push to main / protected branches. It opens a PR, period.

groups

Access & identity

SSO with SAML for Professional and Enterprise. MFA is enforced for all CanyonTechs personnel on production systems. Least-privilege IAM roles, short-lived credentials, and full audit logging via CloudTrail.

RBAC inside the console: superadmin, admin, member, viewer.

monitoring

Monitoring & response

Centralized logs, metrics, and traces with 24/7 alerting. Anomalies on the auth or PR-opening paths page on-call within 5 minutes. Security incidents follow a documented runbook with disclosure SLAs.

bug_report

Responsible disclosure

Found a vulnerability? Report it to security@canyontechs.ai. We acknowledge within 1 business day, validate within 5, and patch critical issues within 14 days.

Email security arrow_forward
description

Documents on request

  • check_circle SOC 2 Type II report (NDA)
  • check_circle Sub-processor list
  • check_circle Data Processing Addendum (DPA)
  • check_circle Security questionnaire (SIG / CAIQ)
Request access arrow_forward
FAQ

Common security questions.

Do you train models on my code? expand_more
No. We do not train our models on your source code or logs, and we contractually prohibit our LLM providers from doing so when you use our managed key. If you bring your own key, your provider's terms apply directly.
Can AME be self-hosted? expand_more
Yes, on the Enterprise plan. We ship a Helm chart and Terraform modules for AWS, GCP, and Azure. Self-hosted deployments keep all data — including LLM traffic, if you point at an in-cluster model — inside your network boundary.
Where is data stored? expand_more
The default region is us-east-1 (AWS, N. Virginia). EU customers can opt into eu-central-1 at workspace creation. Enterprise customers can pin to any AWS region we operate in, including FedRAMP-eligible regions on request.
What's your incident response SLA? expand_more
For Sev 1 security incidents affecting customer data: triage within 1 hour, customer notification within 24 hours of confirmation, written post-mortem within 14 days. The full breakdown lives in our DPA.