steerdev

trust center

last updated: April 2026

1. our posture

steerdev is operated by Pento Group LLC, Delaware, United States. we build an agent orchestration platform that handles customer source code and credentials, which means our security posture is part of the product. this page describes the controls we operate today, the certifications we are working toward, and how we handle incidents and disclosures.

2. compliance roadmap

we are early in our journey and we prefer to publish commitments rather than claims. no third-party audit report is available yet. our current targets are:

  • SOC 2 Type II — audit in progress, Type I report targeted within the current fiscal year, Type II observation window immediately thereafter
  • ISO/IEC 27001 — information security management system, targeted for certification within 12 months of SOC 2 Type II
  • ISO/IEC 42001 — artificial intelligence management system, targeted as a follow-on to ISO 27001

we will publish each certificate here when it is issued. enterprise customers under NDA may request our current policy and control documentation at security@steerdev.com.

3. data protection

  • encryption in transit with TLS 1.2 or later
  • encryption at rest with AES-256
  • key management via AWS KMS with customer-level key separation
  • per-tenant isolation of vector stores, embeddings, and derived artifacts
  • server-side secret and PII redaction before code is embedded or transmitted to any third-party inference provider
  • continuous backups on a 90-day rolling window with tested restore procedures

4. access controls

  • SSO and SAML 2.0 supported for enterprise plans (Okta, Azure AD, Google Workspace)
  • SCIM provisioning and deprovisioning
  • role-based access control with least-privilege defaults
  • MFA required for administrative access
  • comprehensive audit logs exportable to your SIEM via API
  • internal access to production is limited to on-call engineers, brokered through short-lived credentials, and logged

5. agent safety and deterministic controls

AI agents are probabilistic. our safety model puts deterministic guardrails around them, operating independently of the underlying language model:

  • sandboxed execution — agents run inside isolated virtual machines and containers with strict egress rules
  • command risk classification — proposed terminal and infrastructure actions are classified as low, medium, or high risk. low-risk commands run directly; high-risk commands (destructive filesystem operations, force-push, irreversible database changes) are blocked or require explicit human approval
  • secret redaction — credentials, tokens, and private keys are stripped from code, prompts, error traces, and analytics events before they leave our infrastructure
  • organization policy overrides — admins may tighten the defaults for their organization but cannot loosen them below the platform minimum
  • blast-radius controls — agent sessions carry per-run token budgets, scope limits, and timeouts enforced outside the model

6. zero-training commitment

steerdev does not use your code, prompts, derived artifacts, or agent output to train, fine-tune, or improve any AI model. our contracts with every inference provider require the same. this applies across all plan tiers, without an opt-out. the full list of providers bound by this commitment is published at /privacy/subprocessors.

7. incident response

we run a documented incident response process with defined severity tiers, on-call rotations, and post-incident reviews. in the event of a personal data breach affecting your organization, we will notify you without undue delay and in any case within 72 hours of confirmation, including the nature of the incident, the data affected, the steps we have taken, and the steps we recommend. our primary contact for security incidents is security@steerdev.com.

8. responsible disclosure

we welcome reports from security researchers. if you believe you have found a vulnerability, please email us at security@steerdev.com with reproduction steps. we will acknowledge within 3 business days.

in scope: production steerdev surfaces (web app, API, CLI, and official integrations). out of scope: denial of service, social engineering of our employees, physical attacks, and third-party systems we do not control.

safe harbor: we will not pursue legal action for good-faith research that complies with this policy, avoids accessing customer data, and gives us reasonable time to remediate. we do not currently run a paid bounty program; we will update this page when we do.

9. subprocessors

the current list of subprocessors, including what they process, where, and under which legal basis, is published at /privacy/subprocessors. we provide at least 30 days' advance notice before adding a new subprocessor that will process Customer Data.

10. data processing agreement

enterprise customers may execute a Data Processing Agreement with Pento Group LLC covering GDPR Standard Contractual Clauses (with the UK International Data Transfer Addendum where applicable), LGPD, and CCPA obligations. request a copy at legal@steerdev.com.

11. contact

for security questions: security@steerdev.com. for privacy questions: privacy@steerdev.com. for legal and procurement: legal@steerdev.com.