
Itential Trust Center

Protecting the confidentiality, integrity, and availability of customer data is a top priority at Itential. This Trust Center documents our compliance posture, security practices, and how the platform governs AI-initiated actions securely.

Compliance & Privacy

How Itential Meets Compliance & Privacy Standards

Itential’s cloud-native platform has achieved SOC 2 Type 2 compliance, audited annually by an independent third party. We are committed to the principles of GDPR and CCPA. Reports are available upon request – contact compliance@itential.com.

SOC 2 Type 2

Annual independent audit. Available upon request.

GDPR

Data handling practices aligned with EU privacy legislation and the principles of the General Data Protection Regulation.

CCPA

Data handling practices aligned with the California Consumer Privacy Act and applicable US state privacy requirements.

AI Security

How the Itential Platform Governs & Audits Agentic Operations

In Itential, AI agents – whether FlowAgents built on the platform or external AI systems connected via MCP – operate through the same governed execution layer as every human-initiated action. An agent cannot call a network device, query a database, or trigger a workflow unless that specific action is registered in the platform’s Tool Registry and explicitly assigned to that agent at design time.

Agents Act Through Governed Tools, Never Directly

When a builder creates a FlowAgent, they select a specific set of tools from the platform’s Tool Registry (e.g. workflows, adapter methods, integration APIs, Configuration Manager actions). That list is locked at design time and enforced at the execution engine level. At runtime, every tool call the agent attempts is validated against its registered tool set before anything is dispatched.

RBAC Applies to Agents

FlowAI uses two separate access control layers. At the project level, the builder assigns Owner, Editor, or Viewer roles to groups, which controls who can view, modify, or delete the agent definition. At the agent level, the builder assigns a separate list of operator groups who are permitted to run the agent. Users not in those groups cannot invoke the agent, see its sessions, or configure triggers for it. Both layers use the same group-based access control model already governing every other platform asset. External MCP tools registered through the FlowMCP Gateway inherit the same Gateway Manager RBAC model.

Every AI Request Logged

Every AI-initiated action is logged with full attribution – which agent or system made the request, what tools were called, what the inputs and outputs were, and what the outcome was. Execution traces are stored as a durable, ordered event log.

Human-in-the-Loop Controls

AI-initiated actions that involve manual tasks can route to human operators for review and action before execution continues. Operators can also pause or cancel agent sessions at any time.

Sensitive Data Masked by Default

Credentials and secrets are stored in customer-controlled vaults or local secrets management and are never stored in agent definitions, workflows, or execution logs. Secrets are injected at runtime only and are not exposed in agent context.
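The four controls above (a design-time locked tool set, operator-group checks before dispatch, an attributed ordered event log, and secrets injected at runtime but masked from the log) can be modelled in a few dozen lines. The following is an added illustration written for this page, not Itential's code; every class, tool name and group name in it is hypothetical.

```python
# Added illustration, not Itential's code: a toy model of the governed
# execution layer described above. All names are hypothetical.
from __future__ import annotations
from dataclasses import dataclass
from typing import Any, Callable

# Tool Registry stand-in: the only callables an agent can ever reach.
REGISTRY: dict[str, Callable[..., Any]] = {
    "workflow.restart_interface": lambda iface, **_: f"restarted {iface}",
    "adapter.get_device_config": lambda device, **_: f"config of {device}",
}

@dataclass(frozen=True)
class FlowAgent:
    name: str
    tools: frozenset[str]            # assigned at design time, then locked
    operator_groups: frozenset[str]  # groups permitted to run the agent

class GovernanceError(PermissionError):
    pass

class ExecutionEngine:
    def __init__(self, registry: dict[str, Callable[..., Any]]):
        self.registry = registry
        self.log: list[dict[str, Any]] = []  # ordered event log (in-memory stand-in)

    def run_tool(self, agent: FlowAgent, user: str, user_groups: set[str],
                 tool: str, args: dict[str, Any],
                 secrets: dict[str, str] | None = None) -> Any:
        """Validate a tool call against the agent's locked tool set and the
        caller's operator groups, then log it with attribution. Secret values
        are injected only into the tool call and are masked in the log."""
        secrets = secrets or {}
        event = {"seq": len(self.log), "agent": agent.name, "user": user,
                 "tool": tool, "inputs": {**args, **{k: "***" for k in secrets}}}
        if not (user_groups & agent.operator_groups):
            return self._deny(event, "caller not in agent operator groups")
        if tool not in agent.tools or tool not in self.registry:
            return self._deny(event, "tool not assigned to agent")
        output = self.registry[tool](**args, **secrets)
        self.log.append({**event, "outcome": "ok", "output": output})
        return output

    def _deny(self, event: dict[str, Any], reason: str) -> None:
        # Denied attempts are logged too, so the trace shows what was tried.
        self.log.append({**event, "outcome": f"denied: {reason}"})
        raise GovernanceError(reason)
```

Note that a denied call is still recorded before the exception is raised, so the event log shows every attempt, not only the successful ones.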

Customer Data Is Never Used to Train AI

Customer configurations, telemetry, and operational data are never shared with or used to train any external AI model.

Platform Security

Itential Platform Security Architecture & Controls

The Itential Platform is a cloud-native SaaS application running on AWS. The following security controls are in place across data handling, identity and access, infrastructure, and secrets management.

Data Security

All data in transit is encrypted using TLS 1.2 with SHA-256 certificates. Data at rest is encrypted with strong industry-standard algorithms, with customer-controlled key options available. Itential does not process PII.

Identity & Access

SAML and OpenID Connect SSO, MFA enforcement, and SCIM/directory sync are supported. RBAC and GBAC are enforced throughout the platform for human operators and AI agents. A least-privilege access model is applied to all Itential personnel and systems.

Infrastructure & Availability

Hosted on AWS US East 2 (Ohio) in a multi-AZ redundant architecture. Hardened AWS AMIs. AWS VPCs with only required ports open. Daily backups with point-in-time restore tested annually. Geographically separated availability zones with real-time data replication.

Secrets Management

Credentials remain in customer-controlled gateways or enterprise vaults. Secrets are never stored in workflows, never exposed in execution logs, and injected at runtime only.

Our Ongoing Security Testing & Incident Response Practices

Itential contracts with an external security firm to perform penetration tests at least annually. Continuous vulnerability scans run against product code repositories with automated detection integrated into our development pipeline. Every change goes through a five-stage secure SDLC – planning, implementation, peer review against OWASP best practices, functional and automated testing, and release approval. A formal six-phase incident response plan is in place and tested annually. In the event of a breach or incident affecting customers, Itential commits to timely notification.

Report security incidents at vulnerabilities@itential.com – monitored 24/7.

What Itential Secures & What Customers Are Responsible For

Itential is responsible for: securing the platform infrastructure, maintaining SOC 2 Type 2 compliance, encrypting data in transit and at rest, enforcing RBAC and governance across all human and AI-initiated actions, timely incident notification, and continuous vulnerability management and patching.

Customers are responsible for: ensuring data uploaded to the platform is scrubbed of sensitive information including PII and ePHI. The Itential Platform is not designed to house or protect confidential information about individuals. Customers control authentication to the platform via RBAC and GBAC and are responsible for managing their own user access and permissions.

How to Report a Security Vulnerability to Itential

If you discover a potential vulnerability in the platform, report it to vulnerabilities@itential.com — monitored 24/7.

Please include a detailed description of the vulnerability, tools and methods used, and steps to reproduce. We will acknowledge your report, investigate, and keep you informed. If you are a customer with a password or account issue, contact Itential Support directly.

Frequently Asked Questions

TLS 1.2 with SHA-256 for all data in transit. Strong encryption at rest with customer-controlled key options. Itential does not store sensitive operational data.

Yes, SAML and OpenID Connect SSO, MFA, and SCIM/directory sync are all supported.

Credentials remain in customer-controlled gateways or enterprise vaults and are never stored in workflows. Secrets are injected at runtime only and never exposed in logs or agent context.

AI systems call the platform’s governed APIs. RBAC, approval gates, blast-radius controls, and compliance checks are enforced before any action executes. AI never touches infrastructure directly.

Only if RBAC explicitly permits it. Sensitive fields are masked from agent context by default.

Yes – every AI request is logged with full attribution including which agent made the request, what it requested, what validation ran, and the outcome.

No. Customer configurations, telemetry, and operational data are never shared with or used to train any external AI model.

A formal six-phase plan – Preparation, Identification, Containment, Eradication, Recovery, and Lessons Learned – tested annually. In the event of a breach affecting customers, we commit to timely notification. Contact vulnerabilities@itential.com.

AWS US East 2 (Ohio) in a multi-AZ redundant architecture. No critical systems are housed at Itential headquarters.