Privacy & Trust

Most health AI platforms promise privacy. Agnes proves it. Our architecture ensures patient data stays protected — structurally, not by policy.

How we protect your data

Scope step-down architecture

Every request passes through an authorization kernel that reduces scope at each layer. Shared AI agents receive only what they need — with patient identity redacted before it ever reaches them.

Workload identity

Every service authenticates using SPIFFE/mTLS — cryptographic proof of which service is calling. No API key sharing, no service account reuse.

Full audit trail

Every data access, every query, every delegation is logged with cryptographic timestamps. You don't have to trust us — you can verify.

Security

End-to-end encryption

Data encrypted in transit (TLS 1.3) and at rest (AES-256). Keys managed per-tenant.

Zero-trust network

No implicit trust between services. Every request authenticated and authorized independently.

Scoped tokens

Every operation gets a token carrying only the permissions it needs. No over-privileged service accounts.

Regular audits

Security posture reviewed continuously. Infrastructure-as-code ensures reproducible, auditable deployments.

Compliance

Agnes is designed for regulatory compliance from the ground up — not retrofitted after the fact. Our architecture enforces data handling rules that exceed current requirements.

HIPAA-aligned design — technical safeguards for protected health information

GDPR-ready — data minimization, purpose limitation, and right to erasure built into data flows

India DPDPA-aware — data localization and consent management provisions

No data sold, shared, or used for training — ever

Patient controls who sees what — enforced by architecture, not honor system