Security at Swirls
Swirls is entrusted with sensitive information, both from our users and their customers. As a provider of agentic infrastructure, we are committed to ongoing improvements in our security practices to meet high standards and expectations.
Attacks we considered, and what stops them.
Agents call external APIs, hold secrets, pass data between nodes, and invoke other agents. Each row is an attack on one of those surfaces and the control that prevents it.
Layers of enforcement.
Every agent's authority is derived through five levels. Each level can only add restrictions to the one above it. Taking a restriction back would mean reversing a hash, so the token either verifies against your workflow or it doesn't.
Its own derived keys. One org can't touch another's data.
workspace=acme-corp, expires=<ts>
Binds the hash of your compiled workflow. Change it and the token dies.
deployment_id=dep_xyz, workflow_hash=sha256:a1b2c3...
One run only. Random nonce, short expiry.
execution_id=run_001, nonce=<csprng>, expires=<+1h>
Where an agent runs. Its declared tools and secrets, nothing else.
node_id=classify, allowed_tools=search, allowed_secrets=API_KEY
One call. Endpoint and resource limited.
tool_id=search, allowed_endpoints=api.example.com
Zero stored key material.
Keys are derived the moment they are needed and discarded right after. Nothing is written to the database, so there is nothing there to steal. Each node gets its own encryption context, and rotating a key is an O(1) operation that leaves your data ciphertext untouched.
Derived, not stored
HKDF-SHA512 produces key material on demand. Zeroed from memory after use.
Envelope encryption
Two-layer AES-256-GCM. Rotating the key encryption key is O(1). Data ciphertext is unchanged.
Stateless scaling
Any server instance derives the same keys. No synchronization, no shared state, no single point of failure.
Every node only sees what it needs.
Swirls derives the minimum set of secrets authorized by each node's token. The workflow definition declares which secrets each node needs. The runtime enforces it cryptographically. A code node that processes data never sees the API keys the upstream agent uses.
Nothing can be changed without leaving a trail
Every action an agent triggers, from key derivation to decryption to tool calls, is written to an append-only log. Each entry carries the hash of the one before it, so changing, deleting, or reordering any entry breaks the chain. You can export the log and verify it yourself.
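A verifier for an exported log of the kind described above, added here as an example and not Swirls's own code. The JSON field names (seq, action, detail, prev_hash, hash), the all-zero genesis value and SHA-256 over canonical JSON are assumptions, and the sample entries are constructed. It also accepts a head hash recorded outside the log, because a chain checked only against itself cannot show that entries were dropped from the end or that the whole log was regenerated.

```python
import hashlib
import json

GENESIS = "0" * 64  # assumption: prev_hash value carried by the first entry

def entry_hash(entry):
    """SHA-256 over canonical JSON of every field except the entry's own hash."""
    body = {k: v for k, v in entry.items() if k != "hash"}
    blob = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(blob).hexdigest()

def append(log, action, detail):
    """Append an entry that commits to the hash of the one before it."""
    entry = {"seq": len(log), "action": action, "detail": detail,
             "prev_hash": log[-1]["hash"] if log else GENESIS}
    entry["hash"] = entry_hash(entry)
    log.append(entry)

def verify(log, expected_head=None):
    """Walk the chain; return (ok, reason). expected_head is kept outside the log."""
    prev = GENESIS
    for i, e in enumerate(log):
        if e.get("seq") != i:
            return False, f"entry {i}: sequence gap or reorder"
        if e.get("prev_hash") != prev:
            return False, f"entry {i}: does not chain to the previous entry"
        if e.get("hash") != entry_hash(e):
            return False, f"entry {i}: content does not match its hash"
        prev = e["hash"]
    if expected_head is not None and prev != expected_head:
        return False, "head hash differs from the recorded one"
    return True, "ok"

def sample_log():
    """Constructed sample data using the identifiers shown on this page."""
    log = []
    append(log, "key_derivation", {"execution_id": "run_001", "node_id": "classify"})
    append(log, "decryption", {"execution_id": "run_001", "node_id": "classify"})
    append(log, "tool_call", {"node_id": "classify", "tool_id": "search"})
    append(log, "tool_call", {"node_id": "classify", "tool_id": "search"})
    return log

if __name__ == "__main__":
    log = sample_log()
    head = log[-1]["hash"]         # record this where the log writer cannot reach it
    print(verify(log, head))       # intact log, matching head
    print(verify(log[:-1]))        # tail truncation passes the chain walk alone
    print(verify(log[:-1], head))  # and is caught by the recorded head
```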
The primitives.
The whole stack is symmetric and hash-based. Here is every primitive we use.
Where we are.
Swirls is a pre-launch platform. We are transparent about our current compliance posture rather than making claims we cannot back up.
SOC 2 Type II
Targeting 2027. We are building with SOC 2 controls from day one rather than retrofitting after the fact.
Data residency
Workflow data is encrypted and stored in the region you deploy to. Self-hosted deployments give you full control over data location.
Subprocessors
Swirls connects to LLM providers you configure. We do not send workflow data to any third party beyond the providers specified in your workflow definition.
Data retention
Encrypted workflow data and derived key material are deleted within 30 days of account termination. See our Privacy Policy for the full retention schedule.
Security contact.
For security inquiries, vulnerability reports, or to request our security overview document, contact us at [email protected]. We respond to security reports within 48 hours.