> ## Documentation Index
> Fetch the complete documentation index at: https://adapt.com/docs/llms.txt
> Use this file to discover all available pages before exploring further.

# Security Overview

> How Adapt protects your data and keeps your business secure

Security is foundational to Adapt. We protect your data with enterprise-grade security measures and transparent practices.

## Security Principles

<CardGroup cols={2}>
  <Card title="Defense in Depth" icon="layer-group">
    Multiple layers of security controls protect your data at every level
  </Card>

  <Card title="Least Privilege" icon="lock">
    Access is limited to only what's necessary for each function
  </Card>

  <Card title="Zero Trust" icon="shield-check">
    Every request is authenticated and authorized, regardless of source
  </Card>

  <Card title="Transparency" icon="eye">
    Clear documentation of our security practices and audit trails
  </Card>
</CardGroup>

## Security Architecture

### Infrastructure

| Layer           | Protection                                      |
| --------------- | ----------------------------------------------- |
| **Network**     | VPC isolation, firewall rules, DDoS protection  |
| **Compute**     | Containerized workloads, isolated execution     |
| **Data**        | Encryption at rest and in transit               |
| **Application** | Authentication, authorization, input validation |

### Data Flow

```
Your Tools → Encrypted Connection → Adapt Platform → Encrypted Storage
                    ↓
              Isolated Sandbox
              (Code Execution)
```

All data flows through encrypted channels and is processed in isolated environments.

## Compliance

<CardGroup cols={2}>
  <Card title="SOC 2 Type II" icon="certificate" href="/security/soc2-compliance">
    Certified across Security, Availability, and Confidentiality
  </Card>

  <Card title="Data Encryption" icon="lock" href="/security/data-encryption">
    Data is encrypted in transit and at rest
  </Card>
</CardGroup>

### Monitoring & Audit

* **Comprehensive logging**: All access and actions logged
* **Audit trails**: Immutable records for review
* **Anomaly detection**: Automated security monitoring
* **Incident response**: Defined procedures for security events

## Secure Execution

When Adapt runs code on your behalf:

* **Isolated containers**: Each execution in its own sandbox
* **Network controls**: Restricted outbound access
* **Resource limits**: Bounded CPU, memory, and time

## Responsible AI

### Data Usage

* Your data is **never used to train AI models**
* Queries are processed in isolated sessions
* No data sharing between organizations

### AI Transparency

* You can see what tools Adapt used
* Query history is available for review
* Actions require explicit approval

## Reporting Security Issues

If you discover a security vulnerability:

1. **Email**: [security@adapt.com](mailto:security@adapt.com)
2. **Include**: Description, steps to reproduce, potential impact
3. **Response**: We'll acknowledge within 24 hours

We appreciate responsible disclosure and work quickly to address issues.

## How We Classify and Respond

We acknowledge every security report within 24 hours. Once a report is triaged, we assign it a severity tier based on impact and exploitability, which sets the target timeline for a fix or mitigation that we communicate back to the reporting party:

* **Critical** — actively exploitable issue that could lead to broad data exposure, account takeover, or full system compromise. Target remediation within 7 days.
* **High** — serious vulnerability with significant impact but limited scope or requiring specific conditions to exploit. Target remediation within 30 days.
* **Medium** — moderate-impact issue with meaningful but contained risk, or one that requires unlikely preconditions. Target remediation within 90 days.
* **Low** — minor issue with limited security impact or low likelihood of exploitation. Target remediation in the next planned release cycle.

Timelines are targets, not guarantees. We keep reporters updated on progress and may accelerate or adjust based on real-world risk. We appreciate responsible disclosure and ask that you give us a reasonable window to remediate before any public disclosure.

## Out of Scope

Not every report describes a vulnerability we'll act on. Some behaviors are intentional, low-risk, or fall outside what we can meaningfully fix. We may close these as **won't fix**, and we'll explain why. Common examples:

* Best-practice or hardening suggestions with no demonstrated, exploitable impact (for example, missing security headers, cookie flag nitpicks, or TLS configuration preferences).
* Reports generated solely by automated scanners without a working proof of concept.
* Self-XSS, or issues that require tricking a user into pasting code or running commands against their own account.
* Missing rate limiting or brute-force protection on endpoints with no sensitive impact.
* Clickjacking on pages with no sensitive, state-changing actions.
* Email configuration findings (SPF, DKIM, DMARC) absent a concrete spoofing exploit.
* Denial-of-service or volumetric attacks.
* Social engineering, phishing, or physical attacks against our team, our users, or our facilities.
* Issues that require a compromised device, a rooted or jailbroken OS, an outdated browser, or a privileged man-in-the-middle position.
* Intended product behavior — for example, Adapt running user-provided code inside its isolated, sandboxed execution environment, or an organization administrator accessing data within their own organization.

If you believe an out-of-scope item is actually exploitable in a way we've missed, tell us how. A concrete proof of concept will always get a fresh look.
