Security and governance

Security built for autonomous delivery

Coroid runs AI engineering work in controlled, observable environments with scoped repository access, encrypted data handling, and audit-friendly records for every delivery decision.

Workspace isolation

Agent work happens in isolated cloud workspaces, separated from customer networks and production systems.

Scoped access

Repository and service credentials are scoped to the project and stored through encrypted configuration paths.

Decision trail

Tasks, reviews, approvals, and lane pull requests keep a durable record of what changed and why.

Operational baseline

Monitoring, image scanning, backups, and recovery runbooks are part of the production operating model.

Identity and access control

Authentication is centralised through the gateway and supports user tokens, service tokens, and API keys for integration scenarios.

  • JWT-based user sessions for portal access
  • Service-to-service tokens with managed rotation
  • API key support for external integrations
  • Flexible guards for user, service, and mixed-access endpoints

Controlled execution environments

Autonomous work runs away from your local machines and internal network, with runtime isolation as a first-order design concern.

  • Cloud workspaces isolate task execution from customer infrastructure
  • Ephemeral execution architecture is the target for untrusted command isolation
  • Runtime workspaces are separated by project and organisation boundaries
  • Merge gates keep production changes behind explicit policy

Data protection

Coroid is database-first, encrypted by default for sensitive configuration, and aligned with EU hosting requirements on the public cloud service.

  • Encryption for data in transit and at rest
  • Encrypted storage for sensitive configuration values
  • EU hosting profile for GDPR-sensitive teams
  • Scoped repository access instead of broad organisation-wide credentials

Production operations

The platform is operated with monitoring, scanning, and disaster-recovery practices expected by enterprise engineering teams.

  • SBOM and container image scanning in CI
  • HTTPS-only public endpoints with TLS termination
  • Automated database snapshots and restore runbooks
  • Prometheus, Grafana, Loki, and GlitchTip-backed observability

Audit-ready delivery records

Coroid is designed to explain autonomous changes in the language engineering leaders, reviewers, and security teams already use.

Specifications, agent activity, reviews, and approval decisions stay connected
Lane pull request history shows the final evidence before code is merged
Security, dependency, coverage, visual, E2E, and browser-test evidence can be attached to reviews
SOC 2 is a readiness target, not a current certification

Enterprise review

Bring security into the first conversation.

Share your repository, data-residency, and deployment constraints. Coroid can map them to the right cloud, EU, or enterprise operating model.