Security Practices

Last updated: March 6, 2026

At Optima Engineering LLC ("Optima," "we," "us," or "our"), we are committed to protecting the security of the Kraken AI platform and the data our customers entrust to us. This page provides an overview of our security practices and safeguards. For contractual security commitments, please refer to Section 8 of our Master Cloud Services Agreement and our Data Processing Agreement.

1. Infrastructure Security

Our platform infrastructure is hosted on Amazon Web Services (AWS), leveraging enterprise-grade cloud security controls.

  • Encryption in transit: all data transmitted between clients and our services is encrypted using TLS 1.2 or higher.
  • Encryption at rest: all stored data, including Customer Data, is encrypted at rest using AES-256 encryption.
  • Network segmentation: our infrastructure employs network segmentation and access controls to isolate services and limit the blast radius of potential incidents.
  • Infrastructure as code: infrastructure configurations are managed through version-controlled, auditable deployment processes.

2. Application Security

We integrate security throughout our software development lifecycle.

  • Secure development lifecycle: security considerations are incorporated from design through deployment, including threat modeling for new features.
  • Dependency scanning: automated scanning of dependencies for known vulnerabilities, with continuous monitoring for newly disclosed issues.
  • Code review: all code changes undergo peer review before merging, with security-sensitive changes receiving additional scrutiny.
  • Security assessments: regular security assessments and penetration testing to identify and remediate vulnerabilities.

3. Access Controls

We enforce strict access controls across our organization and platform.

  • Role-based access control (RBAC): access to systems and data is granted based on job function and the principle of least privilege.
  • Multi-factor authentication: MFA is required for all internal access to production systems and administrative tools.
  • Principle of least privilege: employees and systems are granted the minimum access necessary to perform their functions.
  • Regular access reviews: access permissions are reviewed periodically and revoked promptly upon role changes or offboarding.

4. Data Protection

We implement multiple layers of protection for Customer Data.

  • Customer data isolation:our multi-tenant architecture employs logical separation to ensure that each customer's data is isolated and inaccessible to other customers.
  • Data retention and deletion: Customer Data is retained and deleted in accordance with our Data Processing Agreement and applicable customer agreements.
  • No use for model training: we do not use Customer Data or Outputs to train, fine-tune, or improve machine learning models (per Section 5.5 of our Master Cloud Services Agreement).
  • Backup and disaster recovery: Customer Data is backed up regularly with procedures in place for recovery in the event of data loss or service disruption.

5. Incident Response

We maintain dedicated incident response procedures to detect, contain, and remediate security events.

  • Incident response plan: a documented incident response plan defines roles, responsibilities, escalation procedures, and communication protocols.
  • Security incident notification: in the event of a confirmed Security Incident affecting Customer Data, we will notify affected customers without undue delay and in no event later than seventy-two (72) hours, as specified in Section 8.3 of our Master Cloud Services Agreement.
  • Post-incident analysis: following any security incident, we conduct a thorough root cause analysis and implement corrective measures to prevent recurrence.

6. Compliance

We maintain commercially reasonable administrative, physical, and technical safeguards consistent with industry standards to protect Customer Data.

  • Data protection: our data protection practices are detailed in our Data Processing Agreement and Privacy Policy, which address GDPR, CCPA/CPRA, and other applicable data protection regulations.
  • Subprocessors: we maintain a current list of subprocessors and provide advance notice before engaging new subprocessors.
  • Audit reports: specific compliance certifications and audit reports are available to enterprise customers under NDA upon request.
  • Certification roadmap: we are building toward formal certification programs as part of our commitment to continuous improvement of our security posture.

7. AI-Specific Security

As an AI Agent Harness Platform, we implement security controls specific to AI agent operations.

  • Agent sandboxing and isolation: agents operate within controlled execution environments with defined resource boundaries and permission scopes.
  • Guardrail enforcement: the platform enforces configurable safety guardrails that constrain agent behavior according to customer-defined policies.
  • Automated security scanning: skills, plugins, and third-party content undergo automated security scanning to detect potential threats before deployment.
  • Human-in-the-loop controls: the platform supports configurable approval workflows and kill-switch controls for high-risk agent operations, ensuring human oversight where needed.

8. Reporting Vulnerabilities

We appreciate the work of security researchers in helping us maintain the security of our platform. If you discover a potential security vulnerability, please report it responsibly to security@optima.engineering. We will acknowledge receipt within two business days and work to investigate and address confirmed vulnerabilities promptly.

For questions about our security practices, please contact security@optima.engineering. For enterprise customers with specific security requirements, security commitments are addressed in individually negotiated agreements.