Athena Platform
Platform OverviewThe whole platformAegisDetection and responseVigil24/7 agentic SOCCitadelTechnology management
Outcomes
All seven outcomesThe results leaders fundReduce RiskA bounded, evidenced liabilityImprove ResilienceKeep operating when hitOperational EfficiencyCoverage without the headcountContinuous ComplianceThe audit as a running stateGovern AI SafelyAdopt AI you can defendTotal VisibilityWhat you have and what changedReduce ComplexityConsolidate the stack
AI Defenders
Meet the DefendersAll fourAthenaCommandAegisDetection and responseVigil24/7 SOCCitadelTechnology management
Adversaries
The Adversary UniverseAll tenMorvokhThe Devourer of IdentitiesVexaraThe Whisper QueenKarnaxThe BreachmakerNocthraThe Shadow of AIGrimvaultThe CollectorMaldraxThe Plague EngineerOblivionThe Silent VoidTyraxisThe DisruptorDraegorThe Compliance ReaperNihilusThe Lord of Entropy
Resources
All resourcesStart hereThe BlogField notesThreat IntelligenceIntel in operations
Company
AboutWhy Athena existsLeadershipThe teamCareersOpen rolesPartnersProgram and portalNews RoomAnnouncementsContactReach the team
Trust Center
Trust CenterVerify our postureSecurityPlatform securityPrivacyPersonal dataData ProtectionResidencyResponsible AIAgent authorityComplianceContinuousVulnerability DisclosureReport a vuln
Request a briefing
Trust · Security

Security & Trust Overview

Last updated: 14 June 2026  ·  Effective: 14 June 2026

This document is a comprehensive legal framework draft. It must be reviewed and approved by licensed attorneys before publication and enforcement. It does not constitute legal advice.

Table of Contents

1. Our Security Philosophy 2. Security Governance & Compliance Program 3. Data Protection 4. Identity & Access Control 5. Application & Infrastructure Security 6. Vulnerability Management & Testing 7. Logging, Monitoring & Detection 8. Incident Response 9. Business Continuity & Disaster Recovery 10. Personnel Security 11. Sub-Processors & Supply-Chain Security 12. Privacy & Data Residency 13. Responsible & Secure AI 14. Shared Responsibility Model 15. Reporting & Contact

1. Our Security Philosophy

Athena Agentic, Inc. ("Athena Agentic", "we", "us", or "our") builds agentic AI for security operations. Security is not a feature we layer onto the Athena Agentic Platform (the "Platform"): it is the discipline the Platform exists to deliver. We hold ourselves to the standard we ask our customers to meet.

1.1 Security-First by Design

We design, build, and operate the Platform, including Aegis (autonomous detection & response), Vigil (24/7 agentic security operations center), and Citadel (security technology management), with security as a primary design constraint rather than an after-the-fact control. Our engineering practices embed security considerations into architecture decisions, code review, dependency selection, deployment, and operations.

Our guiding principles are:

  • Defense in depth. No single control is treated as sufficient. We layer preventive, detective, and responsive controls so that the failure of any one control does not result in compromise.
  • Least privilege and default-deny. Access, by people, services, and agents, is denied by default and granted only as required, for as long as required.
  • Zero-trust posture. We do not treat network location as a proxy for trust. Identity, device posture, and authorization are evaluated on access.
  • Secure by default. Secure configurations are the default state; insecure options require deliberate, auditable action.
  • Data minimisation. We collect, process, and retain the minimum data necessary to deliver the contracted services.
  • Transparency and accountability. Security-relevant actions, including autonomous agent actions, are logged, attributable, auditable, and, where designed to be, reversible.

1.2 We Operate the Platform We Sell

Because our product is security operations tooling, our internal security program and our product security program are deeply intertwined. The detection, response, and monitoring capabilities we provide to customers inform how we protect our own environment, and our operational experience defending Athena Agentic informs how we harden the Platform. This dual perspective is central to how we earn and keep customer trust.

2. Security Governance & Compliance Program

2.1 Security Governance

Athena Agentic maintains a documented information security program governed by internal policies and standards that are reviewed and updated on a periodic basis. The program is sponsored at the executive level and is designed to establish clear ownership, accountability, and oversight for security across the organisation.

Our security program is designed to be aligned with widely recognised industry frameworks, including the SOC 2 Trust Services Criteria, ISO/IEC 27001:2022, and the NIST Cybersecurity Framework (CSF) 2.0. Alignment with these frameworks informs the structure of our controls; it is not a representation of certification except where expressly stated in Section 2.4.

2.2 Security Policies

Our internal policy set is designed to address, at minimum, the following domains:

  • Information security policy and acceptable use
  • Access control and identity management
  • Data classification, handling, and retention
  • Cryptography and key management
  • Secure software development lifecycle (SDLC)
  • Change management
  • Vulnerability and patch management
  • Logging and monitoring
  • Incident response and breach notification
  • Business continuity and disaster recovery
  • Vendor and sub-processor risk management
  • Personnel security and security awareness
  • Physical and environmental security (as applicable to our cloud-hosted model)
  • Responsible and secure use of AI

Policies are made available to personnel, and acknowledgement is required where appropriate. Policies are reviewed at least annually and upon material changes to our environment, services, or applicable law.

2.3 Risk Management

We operate a risk management process designed to identify, assess, treat, and monitor information security risks on an ongoing basis. This process includes:

  • Maintaining a risk register of identified security risks
  • Assessing risks by likelihood and impact
  • Assigning risk owners and treatment plans (mitigate, transfer, accept, or avoid)
  • Periodic review of open risks and the status of treatment activities
  • Risk assessment of material changes, new features, and new sub-processors prior to adoption

2.4 Compliance Roadmap: SOC 2 Type II and ISO/IEC 27001

Important: Athena Agentic does not currently hold SOC 2 or ISO/IEC 27001 certification. The following are roadmap targets, not achieved certifications, and are subject to change.

  • SOC 2 Type II: We are pursuing a SOC 2 Type II examination against the Security (and, as scoped, Availability and Confidentiality) Trust Services Criteria. Our controls are designed to be aligned with the SOC 2 framework in anticipation of examination.
  • Target readiness / observation-period start: [target date, to confirm]
  • Target report availability: [target date, to confirm]
  • ISO/IEC 27001:2022: We are pursuing ISO/IEC 27001 certification and are building our Information Security Management System (ISMS) aligned with the standard.
  • Target certification date: [target date, to confirm]

We will update this Overview as these initiatives progress, and we will not represent a certification as achieved until it is independently issued.

2.5 Requesting Compliance Documentation

When available, audit reports and related compliance documentation (such as a SOC 2 report, ISO certificate and Statement of Applicability, penetration test summary, and security questionnaire responses) will be made available to customers and qualified prospective customers under a non-disclosure agreement (NDA).

To request documentation:

  • Email security@athenaagentic.com with the subject line "Trust Documentation Request."
  • Identify your organisation and the documents requested.
  • For prospective customers, an NDA will be required before non-public materials are shared.

3. Data Protection

3.1 Data Ownership

Customers retain full ownership of Customer Data and Customer Content. Athena Agentic processes Customer Data solely as a data processor on behalf of the customer, in accordance with the applicable Customer Agreement and executed Data Processing Agreement (DPA), and in accordance with the customer's documented instructions. We do not claim ownership of, and do not acquire rights to use, Customer Data beyond what is strictly necessary to provide the contracted services. We do not sell Customer Data, and we do not use Customer Data to train AI or machine learning models without the customer's explicit written consent. (See Section 13.)

These commitments are consistent with our Privacy Policy and our Data Processing and International Transfers Framework.

3.2 Encryption in Transit

All data transmitted between customers and the Platform, and between Platform components across untrusted networks, is encrypted in transit using TLS 1.2 or higher, with modern cipher suites. Public endpoints are served over HTTPS, and we employ HTTP security headers (including HTTP Strict Transport Security, HSTS) to enforce encrypted connections.

3.3 Encryption at Rest

Customer Data and Customer Content are encrypted at rest using AES-256 (or an equivalent industry-standard algorithm) as provided by our hosting and database platforms. This includes primary data stores, backups, and snapshots.

3.4 Key Management

Cryptographic keys used to protect Customer Data are managed through the key-management capabilities of our infrastructure providers. Key management practices are designed to include controlled access to key material, separation of duties, and rotation in accordance with provider capabilities and our internal standards.

3.5 Tenant Isolation: Schema-per-Tenant

The Platform implements a schema-per-tenant isolation model. Each customer's data resides in a logically isolated database schema, and application-layer access controls are designed to ensure that requests are scoped to the authenticated tenant. This model is intended to prevent cross-tenant data access by design, in addition to the role-based access controls described in Section 4.

3.6 Data Classification and Minimisation

We classify data according to sensitivity and apply handling controls commensurate with classification. We practise data minimisation: the Platform is designed to ingest and retain the minimum data necessary to deliver detection, response, and security-operations outcomes, and our internal collection of Personal Data is limited as described in our Privacy Policy.

3.7 Data Retention and Deletion

Customer Data is retained for the duration of the customer relationship and in accordance with the applicable Customer Agreement and DPA. Upon termination or expiry, Customer Data is deleted or returned in accordance with the DPA and applicable law. Retention of Personal Data processed by Athena Agentic as a controller is described in our Privacy Policy.

4. Identity & Access Control

4.1 Role-Based Access Control (RBAC): Default-Deny, Least Privilege

The Platform enforces role-based access control (RBAC) on a default-deny basis: a user, service, or agent has no access unless a role explicitly grants it. Roles are scoped to the principle of least privilege, granting only the permissions required to perform a given function. Access decisions are evaluated server-side on every privileged request.

4.2 Enterprise Single Sign-On (SSO)

The Platform supports enterprise Single Sign-On via OpenID Connect (OIDC), including:

  • Microsoft Entra ID (formerly Azure Active Directory)
  • Slack OIDC

SSO allows customers to centralise authentication, enforce their own identity policies (including conditional access and device posture), and deprovision access through their identity provider. Local email/password authentication is also supported for accounts where SSO is not used.

4.3 Multi-Factor Authentication (MFA)

Multi-factor authentication is supported and is enforced for privileged access. Where customers authenticate through their own identity provider via SSO, MFA is enforced by the customer's identity policies. For local accounts, MFA is [available / enforced, to confirm].

4.4 Session Security

User sessions are managed using signed, HttpOnly cookies, which are not accessible to client-side scripts, reducing exposure to cross-site scripting (XSS) attacks. Session cookies are configured with the `Secure` and `SameSite` attributes, are integrity-protected (signed) to prevent tampering, and expire after a defined period of inactivity and/or absolute lifetime. Sign-out invalidates the session.

4.5 Internal Access: Least Privilege and Just-in-Time

Athena Agentic personnel access to production systems and Customer Data is governed by least-privilege principles and is designed to be granted on a just-in-time (JIT), need-to-know basis:

  • Standing access to production Customer Data is minimised; elevated access is requested, approved, time-bound, and revoked when no longer needed.
  • Administrative and production access requires authentication consistent with our internal MFA requirements.
  • Access is logged and reviewed periodically, and is promptly revoked upon role change or departure.

4.6 Password Security

For local accounts, passwords are never stored in plaintext. Passwords are hashed using scrypt, a memory-hard, computationally expensive key-derivation function designed to resist brute-force and hardware-accelerated attacks, with per-credential salting.

5. Application & Infrastructure Security

5.1 Secure Software Development Lifecycle (SDLC)

Security is integrated throughout our development lifecycle. Our SDLC is designed to include:

  • Security requirements and threat consideration during design
  • Peer code review of changes prior to merge
  • Automated checks in continuous integration (CI), including linting and security tests
  • Separation between development, staging, and production environments
  • Controlled, auditable change management and deployment

5.2 Dependency and Vulnerability Scanning

We employ automated tooling designed to identify vulnerabilities in our code and dependencies, including:

  • Software composition analysis (SCA) / dependency scanning for known-vulnerable third-party packages
  • Static application security testing (SAST) of source code
  • Secret-scanning to detect inadvertently committed credentials
  • Container/image and infrastructure configuration scanning, as applicable

Findings are triaged by severity and remediated within defined service levels (see Section 6.2).

5.3 Content Security Policy and Web Hardening

The Website and Platform enforce a strict Content Security Policy (CSP) that restricts script sources to first-party, trusted origins (`script-src 'self'`, with no `'unsafe-inline'`), substantially reducing the risk and impact of cross-site scripting (XSS) and injection attacks. We additionally employ defensive HTTP response headers, which are designed to include HSTS, `X-Content-Type-Options`, `Referrer-Policy`, frame-protection (e.g., `X-Frame-Options` / `frame-ancestors`), and related controls.

5.4 Hosting Infrastructure

The Platform runs on dedicated GPU infrastructure within secure, access-controlled datacentres. These facilities operate robust physical and environmental security programs and maintain independent third-party certifications. For security reasons, Athena Agentic does not publish the specific providers, components, or locations that make up its infrastructure; a detailed description is available to customers and prospects under NDA.

We rely on these facilities for physical datacentre security, environmental controls, hardware lifecycle, and network infrastructure. Facility certifications are inherited at the infrastructure layer and do not, by themselves, constitute certification of Athena Agentic.

5.5 Network Security and Segmentation

Production environments are designed to be segmented from development, staging, and corporate environments. Network access to production resources is restricted, and database access is limited to authorised application components over encrypted connections. We leverage provider-managed network controls (including TLS termination, edge protections, and access controls) as part of our defense-in-depth posture.

5.6 Secrets Management

Application secrets (database credentials, signing keys, client secrets, API tokens) are stored as protected environment variables / secrets within our infrastructure providers and are not committed to source control. Access to secrets is restricted to authorised personnel and services. Secret-scanning in CI is designed to prevent inadvertent exposure of credentials in code.

6. Vulnerability Management & Testing

6.1 Internal Security Testing

We perform internal security testing as part of our SDLC and operations, including automated scanning (Section 5.2), code review (Section 5.1), and review of security-relevant configuration changes. Identified vulnerabilities are tracked to remediation.

6.2 Remediation Service Levels

Vulnerabilities are prioritised by severity (informed by CVSS and exploitability/exposure context) and remediated within defined timeframes. The following are target service levels, subject to confirmation:

SeverityTarget Remediation Timeframe
Critical[e.g., within 7 days, to confirm]
High[e.g., within 30 days, to confirm]
Medium[e.g., within 90 days, to confirm]
Low / Informational[e.g., risk-based / next planned cycle, to confirm]

6.3 Third-Party Penetration Testing

We engage qualified, independent third parties to conduct penetration testing of the Platform. Penetration testing is intended to validate the effectiveness of our controls from an attacker's perspective and to identify issues not surfaced by automated tooling.

  • Cadence: [cadence to confirm, e.g., at least annually and after significant architectural changes]
  • Scope: [scope to confirm, e.g., external application, authenticated application, API, infrastructure]
  • A summary of penetration test results is available to customers under NDA upon request (see Section 2.5).

6.4 Vulnerability Disclosure

We welcome reports from the security research community. Our Vulnerability Disclosure Policy describes how to report a suspected vulnerability, our commitments to good-faith researchers, and safe-harbour expectations. See /legal/vulnerability-disclosure and Section 15.

7. Logging, Monitoring & Detection

7.1 Audit Logging

The Platform maintains full audit logging of security-relevant events, designed to include authentication events, authorization decisions, administrative actions, access to sensitive resources, configuration changes, and, importantly for an agentic platform, the actions taken by autonomous agents (see Section 13). Audit records are attributable to an actor (human, service, or agent), timestamped, and retained.

7.2 Centralised Monitoring and Alerting

Operational and security telemetry is designed to be centrally collected and monitored to support availability, performance, and security objectives. Alerting is configured to notify the appropriate personnel of anomalous or security-relevant conditions, supporting timely investigation and response.

7.3 Log Protection

Access to logs is restricted to authorised personnel on a need-to-know basis. Logs are protected consistent with the data they contain, and log handling is subject to our data-minimisation and retention practices.

8. Incident Response

8.1 Incident Response Plan

Athena Agentic maintains a documented Incident Response (IR) Plan that is designed to govern the identification, triage, containment, eradication, recovery, and post-incident review of security incidents. The plan defines roles and responsibilities, communication paths, escalation, and evidence-handling expectations. The IR plan is reviewed periodically and updated based on lessons learned.

8.2 Incident Severity Model

Incidents are classified by severity to drive proportionate response and communication. The following is an illustrative model, subject to confirmation:

SeverityDescription (illustrative)Response Posture
SEV-1 / CriticalConfirmed breach of Customer Data, or critical loss of service/integrityImmediate, all-hands response; executive and customer notification per DPA
SEV-2 / HighSignificant security impact or material risk; limited or potential data exposureUrgent response; stakeholder and, where applicable, customer notification
SEV-3 / MediumContained issue with limited impact; no confirmed data exposurePrioritised response during business operations
SEV-4 / LowMinor issue or near-miss; minimal impactTracked and remediated through standard process

8.3 Customer Breach Notification

In the event of a Personal Data breach affecting Customer Data, Athena Agentic will notify affected customers without undue delay and within the timeframe specified in the applicable Data Processing Agreement (DPA). As set out in our Data Processing and International Transfers Framework, this notification timeframe shall not exceed 72 hours where practicable for breaches covered by the GDPR / UK GDPR, and the timeframe required by applicable law for other breaches.

Breach notifications will include, to the extent known at the time: the nature of the breach and the categories of data affected; the approximate number of data subjects and records affected; the likely consequences; the measures taken or proposed to address the breach; and a point of contact for further information. Customers, as controllers, are responsible for notifying their supervisory authorities and data subjects as required by law, and Athena Agentic will provide reasonable cooperation.

The DPA is the controlling document for breach-notification obligations; this Overview is a summary and does not modify the DPA.

8.4 Cooperation and Communication

During and after an incident, we are committed to clear, timely, and accurate communication with affected customers, consistent with our contractual obligations and the need to preserve the integrity of the investigation.

9. Business Continuity & Disaster Recovery

9.1 Resilience and Redundancy

The Platform is built on dedicated, redundant infrastructure that provides high-availability capabilities at the infrastructure layer. Our architecture is designed to leverage these capabilities to tolerate component failures and to support continuity of service.

9.2 Backups

Customer Data is backed up to support recovery from data loss or corruption. Backups are encrypted at rest (Section 3.3) and access to backups is restricted.

9.3 Disaster Recovery Objectives

Athena Agentic maintains business continuity and disaster recovery (BC/DR) practices designed to restore service within defined objectives following a disruptive event.

  • Recovery Time Objective (RTO): [RTO target, to confirm]
  • Recovery Point Objective (RPO): [RPO target, to confirm]

10. Personnel Security

10.1 Background Checks

Where and to the extent permitted by applicable law, Athena Agentic conducts background checks on personnel as part of the hiring process, commensurate with the role and its level of access to sensitive systems and data.

10.2 Confidentiality Obligations

All personnel and relevant contractors are bound by confidentiality obligations (e.g., via employment agreements and/or non-disclosure agreements) that require the protection of Customer Data and Athena Agentic confidential information, both during and after their engagement.

10.3 Security Awareness Training

Personnel receive security awareness training at onboarding and on a recurring basis thereafter. Training is designed to cover topics such as data handling, phishing and social-engineering awareness, secure use of systems, incident reporting, and privacy responsibilities. Personnel in engineering and security roles receive additional, role-appropriate secure-development and security training.

10.4 Onboarding and Offboarding

Access provisioning at onboarding follows least-privilege principles, and access is promptly revoked upon role change or departure as part of a defined offboarding process (see Section 4.5).

11. Sub-Processors & Supply-Chain Security

11.1 Sub-Processor Governance

Athena Agentic engages a limited set of vetted third-party sub-processors to deliver the Platform (for example, cloud hosting and managed database services). All sub-processors that process Personal Data are required, as set out in our Data Processing and International Transfers Framework, to:

  • execute data processing agreements imposing obligations at least as protective as those imposed on Athena Agentic under applicable law and customer DPAs;
  • process Personal Data only for the purposes we authorise;
  • implement appropriate technical and organisational security measures;
  • comply with applicable international transfer requirements; and
  • notify Athena Agentic of any actual or suspected Personal Data breach within applicable timeframes.

11.2 Sub-Processor Due Diligence

We conduct security and privacy due diligence on sub-processors prior to onboarding and on a periodic basis thereafter, commensurate with the sensitivity of the data they process and the criticality of the service they provide.

11.3 Sub-Processor List and Change Notice

A current Sub-Processor List is available to customers upon request, and we provide notice of additions or material changes to sub-processors through the mechanism specified in the applicable DPA, providing customers the opportunity to object where contractually provided. To request the Sub-Processor List, contact Privacy@athenaagentic.com.

11.4 Supply-Chain Security

Beyond sub-processors, we manage supply-chain risk in our software dependencies through dependency and secret scanning, controlled dependency adoption, and review of third-party components (see Section 5.2).

12. Privacy & Data Residency

12.1 Privacy Program

Athena Agentic's processing of Personal Data is described in our Privacy Policy and, for Customer Data processed on behalf of enterprise customers, in our Data Processing and International Transfers Framework and the executed DPA. We act as a data processor with respect to Customer Data and as an independent data controller with respect to Website/prospect data.

We do not sell Personal Data, and we do not use Personal Data to train AI or machine-learning models without explicit written consent.

12.2 Data Residency and International Transfers

Athena Agentic is headquartered in the United States. Personal Data may be processed in the United States and other countries where we or our sub-processors operate. For transfers of Personal Data from the EEA, UK, and other restricted jurisdictions, we rely on appropriate transfer mechanisms, including Standard Contractual Clauses (SCCs), the UK IDTA / UK Addendum, and adequacy decisions where applicable, as detailed in our Data Processing and International Transfers Framework.

12.3 Data Subject Requests

Where Athena Agentic receives a data subject rights request relating to Customer Data for which the customer is the controller, we will promptly notify the customer and provide reasonable cooperation and technical assistance, as described in our Data Processing and International Transfers Framework.

13. Responsible & Secure AI

Because the Platform performs agentic actions in security operations, including autonomous detection and response, we apply specific safeguards to ensure those actions are safe, controllable, accountable, and aligned with customer intent.

13.1 Guardrails and Bounded Autonomy

Agent actions operate within defined guardrails and policy boundaries. The scope of what an agent is permitted to do is constrained by configuration and authorization, consistent with the least-privilege and default-deny principles described in Section 4. Higher-impact actions are designed to be gated by stricter controls.

13.2 Human-on-the-Loop / Human Oversight

The Platform is designed to keep a human on the loop: customers retain visibility into agent activity and the ability to define which actions execute autonomously versus which require human review or approval. This supports appropriate human oversight of consequential decisions.

13.3 No Training on Customer Data Without Consent

Consistent with our Privacy Policy, we do not use Customer Data or Customer Content to train AI or machine-learning models without the customer's explicit written consent. Customer Data is processed to deliver the contracted services, not to improve models for other customers, absent consent.

13.4 Auditability and Reversibility

Agent actions are logged and attributable as part of our audit logging (Section 7.1), enabling customers and Athena Agentic to review what an agent did, when, and why. Where technically feasible, actions are designed to be reversible or to support rollback, and the system is intended to preserve a clear record to support investigation and accountability.

13.5 AI Governance

We are developing AI governance practices aligned with emerging best practices and frameworks (such as the NIST AI Risk Management Framework and ISO/IEC 42001) to manage risks specific to AI systems, including reliability, oversight, and accountability.

14. Shared Responsibility Model

Security of the Platform is a shared responsibility between Athena Agentic and the customer. The following table summarises the allocation. It is a guide; the Customer Agreement and DPA govern in the event of any conflict.

DomainAthena Agentic ResponsibilityCustomer Responsibility
Infrastructure & hostingSecure operation of the Platform on dedicated datacentre infrastructure; configuration of platform-layer controlsN/A
Application securitySecure SDLC, code review, vulnerability management, CSP and web hardeningPromptly applying customer-side configuration recommendations
Tenant isolationSchema-per-tenant isolation and enforcement of tenant scopingN/A
EncryptionEncryption in transit and at rest for Customer DataUsing supported, up-to-date clients/browsers; protecting data before it leaves customer systems
Identity & SSOProviding SSO (Entra/Slack OIDC), MFA support, and RBACConfiguring SSO, enforcing the customer's own MFA/conditional-access policies, and managing identity provider security
Access managementEnforcing default-deny RBAC; minimising internal accessAssigning least-privilege roles to its users; timely provisioning/deprovisioning of its personnel; safeguarding credentials
Agent autonomyProviding guardrails, oversight controls, and audit loggingConfiguring autonomy levels, approval workflows, and guardrails appropriate to the customer's risk tolerance
Data input & contentProcessing Customer Data per instructions; not using it to train models without consentEnsuring lawful basis for data it submits; data minimisation at the source; accuracy and legality of inputs
Account securitySession security; secure authentication mechanismsStrong authentication, protecting accounts/API tokens, promptly reporting suspected compromise
MonitoringMonitoring Platform infrastructure; audit loggingMonitoring its own use, reviewing tenant audit logs, and acting on alerts within its environment
Backups & continuityPlatform-level backups and DR for Customer DataRetaining its own records as required and exporting data as needed
ComplianceMaintaining the Platform's security program; providing documentation under NDACustomer's own regulatory compliance for its use of the Platform and the data it processes

15. Reporting & Contact

15.1 Reporting a Security Vulnerability or Incident

If you believe you have discovered a security vulnerability, or you suspect a security incident affecting Athena Agentic or your use of the Platform, please contact us promptly:

We will acknowledge legitimate reports and work in good faith with reporters in accordance with our Vulnerability Disclosure Policy. Please do not include sensitive exploit details in an initial unencrypted email beyond what is necessary to enable secure follow-up.

15.2 Requesting Security & Trust Documentation

To request security documentation, including, when available, our SOC 2 report, ISO/IEC 27001 certificate, penetration test summary, completed security questionnaires (e.g., CAIQ/SIG), the Sub-Processor List, or a DPA, please contact:

  • Trust documentation & questionnaires: security@athenaagentic.com (subject: "Trust Documentation Request")
  • Sub-Processor List & privacy/DPA requests: Privacy@athenaagentic.com
  • Legal & contractual inquiries: Legal@athenaagentic.com

Non-public materials are provided to customers and qualified prospects under an NDA.

15.3 Related Documents

Source of truth: /docs/legal/SecurityOverview.md  ·  All legal documents