Documentation Index
Fetch the complete documentation index at: https://docs.svantic.com/llms.txt
Use this file to discover all available pages before exploring further.
Security Overview
Svantic is designed for regulated industries where data sovereignty, auditability, and access control are non-negotiable. Security is not a feature layer — it’s baked into the architecture at every level.Principles
- Your data never leaves your environment. Capabilities execute on your infrastructure. Svantic orchestrates — it doesn’t touch your raw data.
- Every operation is authenticated. Not just connections — every individual capability invocation carries a cryptographically signed, short-lived token.
- Organization isolation is cryptographic, not logical. Accounts are isolated at the authentication layer. Agents, sessions, knowledge, and routing are all scoped to your account.
- Defense in depth. Multiple independent safety layers — authentication, invocation auth, policies, ToolGuard, FlowGuard, approval workflows, zero-knowledge credentials — each operates independently.
Architecture
| Layer | Protection |
|---|---|
| Authentication | API credentials, short-lived tokens, automatic refresh |
| Per-Invocation Auth | Every capability call is independently signed and verified |
| Data Encryption | Encryption at rest (disk, column-level), in transit (TLS), key management |
| Zero-Knowledge Credentials | Credential values never leave the client machine |
| Guardrails | ToolGuard, FlowGuard, approval workflows |
| Policies | Configurable rules for what agents can and cannot do |
Data Sovereignty
Svantic never touches your data. Capabilities execute on your infrastructure — your agents run on your machines, access your databases, and use your credentials locally. Svantic only sees:- Capability names and descriptions (from your agent card)
- Structured results your agent chooses to return
- Session metadata (who’s involved, what state things are in)
Organization Isolation
Each Svantic account is cryptographically isolated:- Agents registered under your account are invisible to other accounts
- Sessions, messages, and knowledge are scoped to your account
- Routing decisions never cross account boundaries
- Even on shared infrastructure, your data is isolated at the authentication layer — not by application logic
Safety Layers
Svantic applies multiple independent safety layers to every operation:| Layer | What It Does |
|---|---|
| Authentication | Verifies agent identity before any operation |
| Invocation Auth | Cryptographically authenticates every capability call |
| Registration Policy | Controls which agent types can operate (open, allow-list, or audit mode) |
| ToolGuard | Gates tool invocations — file access, commands, resource budgets, bulk operations |
| FlowGuard | Prevents runaway execution — step limits, timeouts, cycle detection |
| Approval Workflows | Requires human sign-off for sensitive operations |
| Zero-Knowledge Credentials | Credential values never leave the client machine |