TL;DR
Evaluate AI agent security across five dimensions: data residency (EU vs US), encryption (at rest and in transit), model training policies (never train on your data), access controls (RBAC, SSO), and compliance alignment (SOC 2, GDPR, ISO 27001). Never deploy an AI agent that trains on your customer conversations.
Your CX team wants to deploy an AI agent. Your security team wants to understand the risk. This guide bridges the gap with the technical detail your CISO needs.
Data flow and handling
Understand exactly where customer data goes. In Certainly's architecture, conversation data is processed in real time within the EU. Data at rest is encrypted with AES-256. Data in transit uses TLS 1.3. No customer data is used for model training.
Access control
Role-based access control (RBAC) is essential. Certainly supports configurable roles: admin, editor, viewer. SSO integration via SAML 2.0 ensures authentication follows your existing identity provider. Multi-factor authentication is supported.
Model provider security
When conversations are processed by AI models, data is sent to the model provider's API. Certainly supports EU-region API endpoints where available. Data processing agreements cover all model providers in the chain.
AI Readiness Score
How ready is your team for AI?
6 quick questions. Get a personalised score and action plan.
Try the AI Readiness Score1000+ agents deployed worldwide 路 4.8 on G2
Audit and logging
Every conversation is logged with full audit trail: timestamps, user identifiers, model used, actions taken, and escalation events. Logs are retained per your configured retention policy and can be exported for compliance reporting.
Incident response
Certainly maintains an incident response plan with defined severity levels, notification timelines, and escalation procedures. Contractual SLAs define response times and credit mechanisms for any breach of uptime commitments.
The vendor assessment checklist
When evaluating any AI agent platform, verify: EU data residency, no model training on customer data, SOC 2 alignment, GDPR compliance with signed DPA, RBAC with SSO, full audit logs, defined incident response, and contractual uptime SLA.
