Security Policy

You are always in control

Pucho does not access your workflow data, prompts, or Agent context unless you explicitly allow it for support.

We do NOT train any models on your data

Your workflow inputs, messages, documents, and context are never used to train any LLM — not ours, not third-party models.

Your data belongs 100% to you

You can export, delete, or wipe your data from Pucho at any time.

Each company gets a fully isolated environment

Your workflows, logs, credit usage, and storage are kept separate from every other tenant.

Agents run in secure sandboxes

Every Agent executes inside its own isolated container:

• No cross-workflow access
• No shared memory
• No shared prompts
• No access to other customers’ tools or keys

Context redaction by default

Sensitive values (tokens, keys, passwords, medical info, personal records) can be automatically masked from:

• Agent logs
• UI displays
• Debug panels

This prevents accidental info exposure.

All secrets are encrypted

Any API keys or tokens you store (WhatsApp, Tally, Zoho, OpenAI, Razorpay, ClickUp, Slack etc.) are encrypted with:

• AES-256 at rest
• TLS 1.2+ in transit

Scoped credential access

Credentials are only available inside the workflow and node that uses them — not globally across your company.

Bring Your Own Model Key (BYOK)

If you use OpenAI, Gemini, Claude, Groq, or other model providers:

• Your key calls the LLM directly
• Pucho does NOT see or log your content
• No data is stored after execution

Pucho supports MCP to connect external tools securely.

Security built into MCP

• Every MCP server connection is authenticated
• Each tool request is scoped to the workflow
• Access can be revoked instantly
• Data shared between Agents is always encrypted

This ensures cross-agent reasoning stays private and isolated.

Hosted on industry-leading cloud providers

Pucho runs on certified infrastructure with:

• SOC 2
• ISO 27001
• ISO 27701
• Tier IV data centers
• Redundant networking & failover

Encryption Everywhere

• Data in transit: TLS 1.2+
• Data at rest: AES-256

Strict environment separation

• Dev
• Staging
• Production

Each is isolated with separate credentials, networks, and keys.

Role-Based Access Control (RBAC)

Admins can set:

• Builder access
• Viewer access
• Workflow-only access
• Agent-only access
• Credit usage controls

Multi-Factor Authentication (MFA)

Protects accounts even if passwords leak.

Enterprise SSO (SAML/SCIM)

Available in the Enterprise plan for:

• Google Workspace

Activity Logs

Every action is logged:

• Workflow runs
• Credit consumption
• Trigger execution
• Agent actions
• API calls
• Errors

Audit Trail (Business & Enterprise)

Track exactly:

• Who ran what
• Who changed what
• When data moved

Real-time Monitoring

Suspicious behavior automatically triggers alerts.

Incognito Mode

Run sensitive workflows without storing:

• Inputs
• Outputs
• Logs
• Agent messages

Data minimization

We only store what is necessary to run your workflows.

• Only the workflow using those credentials can access them
• Pucho never reads or exposes data from your other connected tools
• secure hosting inYou can revoke access instantlyfrastructure

Dedicated deployment options

• Fully isolated VPC
• Dedicated Kubernetes cluster
• Private networking
• Custom IAM roles
• Private LLM connections
• Customer-managed encryption keys

On-premise compatible

Pucho can be deployed inside your infrastructure for fully private automation.

24/7 system monitoring

We continuously monitor for:

• Intrusion attempts
• Abnormal API calls
• Anomalous Agent behavior

Rapid incident handling

If anything unusual is detected:

• Containment
• Investigation
• Root cause analysis
• Full transparent report

All executed under strict timelines.