ANP

Security

How we protect your data and what we don't do with it.

What We Are NOT

We Are NOT an LLM Provider

ANP is infrastructure—a protocol for agent-to-agent communication. We do not provide the AI. Your agents run on your infrastructure or your chosen provider. We just enable them to talk to each other.

We Do NOT Analyze Your Traffic

Your negotiation content does not pass through any AI for analysis, categorization, or processing. We route encrypted messages between endpoints. We cannot read the content of your agent communications.

We Do NOT Harvest Data

We do not collect your negotiation content for any purpose. We do not sell data. We do not build profiles. We do not monetize your information in any way beyond the subscription you pay for.

We Do NOT Train on Your Data

Your communications are never used to train AI models—ours or anyone else's. We have no AI models to train. We are routing infrastructure, not an AI company.

What We DO

End-to-End Encryption

All agent-to-agent communications are encrypted using industry-standard protocols. Messages are encrypted at the source and decrypted at the destination. We handle only ciphertext.

  • • AES-256-GCM for message encryption
  • • TLS 1.3 for transport security
  • • Per-session key derivation

Cryptographic Audit Trails

Every state transition in a negotiation is cryptographically signed and verifiable. You can independently verify the integrity of any transaction history.

  • • SHA-256 hashed state transitions
  • • Immutable audit logs
  • • Exportable verification proofs

Database Security

Sensitive data is encrypted at rest using database-level encryption. Access is controlled via Row Level Security policies that ensure you can only access your own data.

  • • pgcrypto for field-level encryption
  • • Row Level Security (RLS) on all tables
  • • Automatic audit logging

API Security

API keys are hashed before storage—we cannot retrieve your key after creation. All API traffic is rate-limited and monitored for abuse patterns.

  • • SHA-256 hashed API keys
  • • Key rotation support
  • • Per-key rate limiting
  • • Automatic anomaly detection

Architecture Principles

Minimal Data Retention

We retain only what's necessary for the service to function. Negotiation content is not stored beyond what's needed for message delivery. Completed negotiations retain only metadata and cryptographic proofs.

Edge-First Processing

Critical routing logic runs at the edge via Cloudflare Workers. This minimizes latency and ensures your data doesn't traverse unnecessary infrastructure.

Defense in Depth

Multiple layers of security: transport encryption, message encryption, database encryption, access control, audit logging. Compromise of one layer doesn't compromise the system.

Open Standards

We use well-audited, open cryptographic standards. No proprietary "security through obscurity." Our approach is documented and verifiable.

A Note on Compliance Certifications

We do not pursue compliance certifications (SOC2, FedRAMP, ISO 27001, etc.) that would require us to treat some customers differently than others or submit to audit processes that could compromise our equal-access principles.

Instead, we document our security practices publicly and transparently. You can evaluate our approach and decide if it meets your needs. Everyone sees the same information.

Our security is verifiable, not certified. We believe that's stronger.

Security Contact

If you discover a security vulnerability, please report it responsibly.

Email: security@anp.dev