Bot Velocity

Trust Center

Enterprise Trust Center for AI Automation

Security, compliance, and data protection.

Security by Design

Enterprise-grade security embedded in the control plane and execution model.

Bot Velocity is built with security as a first-class architectural concern. Isolation boundaries, access control, auditability, and data protection are designed into the platform—so security posture scales with usage, not with ad-hoc operational work.

The platform supports enterprise deployment needs through high-level topology options, while maintaining consistent governance and isolation concepts across environments. See the multi-tenant isolation architecture for technical details.

Defense in Depth

Security is layered across identity, application boundaries, data access, and execution isolation to reduce blast radius and increase resilience.

Least Privilege

Access is role-based and scoped to organizational boundaries. Privileged operations are restricted and auditable by default.

Audit Everything

Administrative actions and execution events are recorded for traceability and governance reviews.

Data Protection by Default

Data is protected in transit and at rest, with credential handling designed to minimize exposure and support least-privilege access.

Multi-Tenant Isolation

Every artifact is tenant- and folder-scoped. Cross-tenant access is impossible by design.

Bot Velocity is designed for multi-tenant operation with clear boundaries between customers and between organizational domains. Isolation is applied consistently across management operations, stored artifacts, and execution workflows.

The goal is simple: teams can standardize on one control plane without collapsing security boundaries or introducing cross-tenant risk.

Data boundaries

Processes, runs, tools, and configuration are scoped to a tenant and organizational unit. Access is evaluated in-context, and cross-tenant access is not permitted.

Operational boundaries

Administrative actions are scoped and audited. High-impact operations are restricted to appropriate roles and remain traceable for governance reviews.

Tool boundaries

Tool integrations can be scoped to organizational domains so teams can share capabilities safely without exposing sensitive configuration across boundaries.

Access Control & RBAC

Role-based access scoped to organizational boundaries.

Bot Velocity uses role-based access control to manage permissions across workflows, execution history, configuration, and operational capabilities. Roles can be assigned at the tenant level and scoped to organizational domains where appropriate.

The model is designed for enterprise governance: least privilege by default, explicit elevation for sensitive operations, and clear separation between administrative responsibilities and day-to-day development and operations.

Role model

Roles align to common enterprise responsibilities (administration, development, operations, and read-only access). Access is evaluated in context and reflected in audit records for traceability.

Authentication

The platform supports standard authentication patterns for the web UI, APIs, and execution agents. Credential handling is scoped and controlled to support least-privilege access and operational safety.

Encryption & Data Protection

Protecting data and credentials without leaking implementation detail.

Data protection is applied in transit and at rest. Sensitive values such as credentials are stored encrypted and are not exposed through logs or routine operational views.

Access to secrets and sensitive configuration is restricted to authorized roles and designed to minimize accidental exposure. Where possible, secrets are handled as protected values and surfaced only when explicitly needed for execution.

In transit

Communication between clients, the control plane, and execution agents is protected using secure transport protocols.

At rest

Platform data and credentials are protected with encryption and access controls aligned to enterprise expectations.

Credential handling

Credentials are handled with least-privilege principles and are designed to avoid exposure in application logs and user interfaces.

Execution Isolation

Isolated execution to reduce blast radius and support reliable operations.

Workloads are executed in isolated contexts so one execution does not implicitly gain access to another. This separation supports operational safety, reduces the impact of failures, and keeps execution behavior predictable.

The execution model is designed to support both deterministic automation and agent-style workloads while maintaining consistent governance boundaries.

Audit & Monitoring

Visibility for governance, investigations, and operational assurance.

Audit logging

Administrative actions, configuration changes, authentication events, and execution lifecycle events are recorded for traceability. Logs are designed to support enterprise governance without exposing sensitive values.

Operational monitoring

The platform is monitored for reliability and security signals such as abnormal access patterns and execution anomalies. Monitoring is paired with auditability so investigations can be grounded in recorded events.

Data Privacy Commitments

Clear commitments on collection, access, and retention.

What We Collect

  • Account information (name, email, company)
  • Usage data (API calls, job metrics, performance)
  • Audit logs (authentication, configuration changes)
  • Execution traces (spans, logs, costs)

What We Don't Collect

  • Automation code content (stored only in tenant scope)
  • Input/output parameters (unless opted-in for evaluation)
  • Customer business data (not accessed by Bot Velocity staff)
  • Secrets/credentials in plaintext (always encrypted)

Retention and access

Data retention is limited to what is required for platform operation and governance, and can be aligned to enterprise requirements where appropriate. Access to production tenant data is restricted and handled through controlled, auditable processes.

Vulnerability Disclosure

A responsible path for reporting and remediation.

If you believe you’ve found a security issue, we ask that you report it responsibly. We work with researchers and customers to verify findings, assess impact, and remediate in a controlled way.

How to report

Email security@botvelocity.com with a description, reproduction guidance, and impact assessment. Include a way to contact you for follow-up questions.

What to expect

We will acknowledge receipt, investigate, and coordinate remediation. When appropriate, we support coordinated disclosure practices that prioritize customer safety.