Security
Security at Agentiv
Agentiv connects to your team's inboxes and calendars. This page sets out exactly how that access works, where the boundaries sit, and what we will and won't do with your data.
Architecture
Where your data lives and how it's protected
- Database
- Your data lives in a PostgreSQL database hosted by Supabase, our managed database provider.
- Access control
- Row-level security policies enforce team and member boundaries inside the database itself. Access rules are applied at the data layer, not just hidden in the interface.
- In transit
- All traffic between your browser and Agentiv is encrypted over TLS (HTTPS).
- At rest
- Data is encrypted at rest by our database provider using AES-256.
- Infrastructure certifications
- Agentiv runs on infrastructure providers that hold SOC 2 Type II and ISO 27001 certification (Supabase, Vercel and Google Cloud). Their compliance documentation is available on request.
- Australian compliance
- We handle personal information in line with the Australian Privacy Principles under the Privacy Act 1988 (Cth), including the Notifiable Data Breaches scheme.
- Independent certification
- Independent certification of Agentiv itself is on our roadmap as the platform scales.
Access model
Boundaries enforced in the database, not the interface
- Roles
- Two roles: leader and member. Leaders see the team's business data — pipeline, listings, open homes, contacts, contracts, targets.
- Per-tab permissions
- Each member is granted specific tabs, with view or edit rights per tab. A new assistant can have listings and open homes without ever seeing the contracts area.
- Private communications
- Each member's email, messages and calendar are readable by that member only. Leaders cannot read another member's communications. This is enforced by database policy, not by interface hiding.
- Invitations
- Members join by invitation from the team leader and receive exactly the access the leader grants, from the first login.
Connected accounts
OAuth, scoped and revocable
- OAuth
- Google account connections (Gmail, Google Calendar) use OAuth. You grant access from your own Google account; Agentiv never sees your password.
- Managed connections
- Google OAuth connections are brokered by Composio, a managed OAuth provider, which stores and refreshes connection tokens.
- Revocation
- You can revoke Agentiv's access from your Google account settings at any time. Disconnecting an account stops its sync immediately.
- Scopes
- Each integration requests only the scopes it needs for its stated function. The integrations page lists what each connection reads and writes.
Sub-processors
The services that process data on Agentiv's behalf, and what each one does.
| Provider | Purpose |
|---|---|
| Supabase | Database, authentication |
| Vercel | Application hosting |
| Composio | Managed OAuth for Google connections |
| Gmail and Google Calendar APIs (your connected accounts) | |
| Microsoft | Outlook mail access (your connected accounts) |
Data lifecycle
What we keep, and how you leave
- What we store
- Business records your team creates (pipeline, listings, open homes, contacts, contracts, targets) and synced items needed to run your modules, such as parsed enquiries and calendar events.
- Offboarding
- When you leave, you can request an export of your team's data, followed by deletion. Deletion requests are actioned on written request to our contact address.
- No resale
- Your data is not sold, shared with advertisers, or used to train AI models.
Incident response
If something goes wrong
- 1. Contain
- Isolate the affected system and stop ongoing exposure.
- 2. Assess
- Establish what data was involved and which customers are affected.
- 3. Notify
- Notify affected customers without undue delay, consistent with the Australian Notifiable Data Breaches scheme.
- 4. Remediate
- Fix the cause, document the incident, and report what changed.
Responsible disclosure: if you believe you've found a security issue, email info@agentiv.com.au. Our security.txt carries the same contact.
Ask the hard questions in the demo.
Access, boundaries, offboarding: bring your IT-cautious questions and get direct answers.