Security Practices

Last Updated: January 2026

Overview

At MACAW Security, we build security infrastructure for AI agents. This document describes our current security practices and architecture. We are an early-stage company committed to maturing our security posture as we grow.

Infrastructure

Cloud Environment

Aspect        Current State
Provider      Amazon Web Services (AWS)
Region        US-West (single region)
Architecture  Multi-tenant with logical isolation

Network Security

  • All traffic encrypted with TLS 1.2+
  • AWS VPC with security groups
  • No public access to databases or internal services

Data Security

Encryption

Data State  Implementation
In Transit  TLS 1.2+ for all connections
At Rest     AWS default encryption (AES-256)

Tenant Isolation

  • Per-tenant cryptographic keys for signing operations
  • Logical separation of tenant data
  • Tenant-scoped API authentication

Key Management

  • Per-tenant signing keys generated on registration
  • Keys stored in encrypted form
  • Key rotation available on request

Authentication and Access

Customer Authentication

  • Email/password with strength requirements
  • SSO integration via Google, GitHub, and other OAuth/OIDC providers
  • Session management with secure tokens

Internal Access

  • Access limited to founding team
  • Role-based permissions
  • Audit logging of administrative actions

Application Security

Development Practices

  • Code review required for all changes
  • Version control with Git
  • Dependency updates monitored

API Security

  • API key authentication
  • Rate limiting
  • Input validation

Data Handling

What We Store

  • Account information (email, name, organization)
  • Agent registrations and configurations
  • Audit logs and event data (owned by you)
  • Policies and settings you create

What We Don't Access

  • Your prompts and agent inputs/outputs pass through the system but are not stored or analyzed by us
  • We do not use your content or logs for training or product development
  • We access only metadata for operational purposes

Data Portability

  • You can export your audit logs and data at any time
  • You can request deletion by emailing support@macawsecurity.com

Incident Response

Current Process

  • Monitoring of service availability and errors
  • Manual review of security-related events
  • Email notification to affected customers for confirmed incidents

Reporting Security Issues

If you discover a security issue, please report it to:

Email: security@macawsecurity.com

We will acknowledge reports within 5 business days and work with you on resolution.

Compliance

Current Status

We do not currently hold security certifications (SOC 2, ISO 27001, etc.). We are building toward these as the company matures.

Regulatory

  • GDPR: We process data per our Privacy Policy and provide data export/deletion on request
  • CCPA: California residents have rights as described in our Privacy Policy

What We're Building Toward

As we grow, we are working to implement:

  • Multi-region deployment for redundancy
  • Formal incident response procedures
  • SOC 2 Type II certification
  • Enhanced monitoring and alerting
  • Hardware security module (HSM) integration for key management
  • Regular third-party security assessments

We will update this document as our security practices mature.

Shared Responsibility

Security is a shared responsibility:

MACAW Security is responsible for:

  • Security of the platform infrastructure
  • Encryption of data in transit and at rest
  • Authentication and access control mechanisms
  • Timely response to reported security issues

You are responsible for:

  • Security of your account credentials
  • Configuration of your policies and agents
  • Compliance with applicable regulations
  • Security of your own applications and integrations

Contact

For security inquiries:
Email: security@macawsecurity.com

For general support:
Email: support@macawsecurity.com

Copyright 2026 MACAW Security, Inc. All rights reserved.