Security is not an afterthought — it’s woven into every layer of MagOneAI’s architecture. From network isolation to secrets management to comprehensive audit trails, the platform is designed to meet the security requirements of the most demanding enterprises.

Defense-in-depth architecture

MagOneAI employs a defense-in-depth approach with multiple overlapping security layers. Each layer provides independent protection, ensuring that a compromise at one level doesn’t expose your entire system.

Network security

Deploy MagOneAI on your own infrastructure, within your network perimeter. Private model support ensures data never leaves your environment. Control all ingress and egress traffic.

Authentication

Enterprise SSO with SAML and OAuth integration. API key management for programmatic access. Multi-factor authentication support. Session management with automatic expiry.

Secrets management

HashiCorp Vault integration for all credentials, API keys, and tokens. Secrets are never stored in configuration files or environment variables. Runtime injection with audit trails.

Data protection

Encryption at rest and in transit using industry-standard algorithms. Organization-level data isolation. No cross-tenant data access. Data residency controls.

Access control

Role-based access control (RBAC) at organization, project, and resource levels. Principle of least privilege. Fine-grained permissions for every action.

Audit and monitoring

Full audit trails for every agent execution, tool call, and data access. Cost and token usage tracking. Real-time monitoring and alerting capabilities.

Compliance considerations

MagOneAI’s architecture supports compliance with major regulatory frameworks. The platform provides the technical controls you need to meet your compliance obligations.

GDPR compliance

  • Data residency — Deploy MagOneAI in any geographic region to meet data residency requirements. Self-hosted deployments keep all data within your infrastructure.
  • Data isolation — Organization-level data boundaries ensure complete isolation between tenants. No cross-organization data access at any level.
  • Right to be forgotten — Complete deletion of user data and execution history. Audit trails track all data access and processing.
  • Data minimization — Configure retention policies for logs and execution history. Automated cleanup of expired data.

HIPAA compliance

  • Private model support — Process PHI using models deployed within your infrastructure. Data never leaves your network or reaches third-party providers.
  • Encryption — All data encrypted at rest using AES-256 and in transit using TLS 1.3. Encryption key management with support for customer-managed keys.
  • Access controls — RBAC ensures only authorized users can access PHI. Audit trails for every access event.
  • Business Associate Agreement — Magure can execute BAAs for managed hosting deployments.

SOC 2 Type II

  • Audit logging — Comprehensive, tamper-evident audit trails for all system activities. Log retention and archival capabilities.
  • Access controls — RBAC with principle of least privilege. Regular access reviews and automated role expiry.
  • Secrets management — HashiCorp Vault for credential storage with access audit trails and rotation capabilities.
  • Change tracking — All configuration changes logged with user, timestamp, and change details.

Data residency

  • Deploy anywhere — Self-hosted deployments run entirely within your infrastructure. Choose any cloud provider, region, or on-premises data center.
  • Data sovereignty — All processing, storage, and logging occur within your chosen environment. No data transmission to Magure or third parties.
  • Private models — Use locally-deployed LLMs like Ollama or private model endpoints. Your data never leaves your network.

Security by deployment model

Your security posture varies based on how you deploy MagOneAI. Choose the model that best fits your security requirements.

Self-hosted deployment

Self-hosted deployments provide maximum security and control:
  • Network isolation — Deploy behind your corporate firewall. Control all network access with your existing security policies.
  • Infrastructure control — Choose your cloud provider, region, and network architecture. Use your existing security tooling and monitoring.
  • Identity integration — Connect to your enterprise identity provider (Okta, Azure AD, etc.). Use your existing authentication policies and MFA.
  • Private models — Run LLMs within your infrastructure using Ollama or private model endpoints. Data never reaches third-party AI providers.
  • Data ownership — All data, logs, and execution history remain within your environment. Complete control over retention and deletion.

Managed hosting

Magure-managed deployments balance convenience with security:
  • Dedicated infrastructure — Your organization runs on dedicated infrastructure, isolated from other tenants.
  • Enterprise security controls — Magure applies SOC 2 security controls, including encryption, RBAC, and audit logging.
  • Compliance support — BAA execution for HIPAA, DPA for GDPR, and compliance documentation for audits.
  • Shared responsibility — Magure manages infrastructure security, you manage user access and data governance.

MagOneAI’s architecture means your security posture is as strong as your infrastructure. Deploy behind your corporate firewall, use your existing identity provider, and run private models — the platform adds enterprise security controls on top.

Security best practices

Follow these practices to maintain a strong security posture:

1. Use Vault for all secrets
   Never store credentials in configuration files or environment variables. Always use vault: references to HashiCorp Vault.

2. Apply least privilege
   Assign users the minimum role they need. Most users should be Project Members or End Users, not Org Owners.

3. Enable audit logging
   Configure comprehensive audit logging and integrate with your SIEM. Monitor for unusual patterns and security events.

4. Deploy private models when possible
   For sensitive workloads, use locally-deployed models like Ollama. This ensures data never leaves your infrastructure.

5. Regular access reviews
   Periodically review user roles and permissions. Remove access for users who no longer need it.

6. Network segmentation
   Place MagOneAI in an appropriate network segment. Restrict outbound access to only required services.

Security incident response

MagOneAI provides the tools you need to respond to security incidents:
  • Audit trail analysis — Review complete execution history to identify unauthorized access or suspicious activity.
  • Immediate revocation — Instantly revoke user access, API keys, or OAuth tokens when compromised.
  • Workflow isolation — Disable or quarantine workflows without affecting the rest of the platform.
  • Forensic data — Export complete audit logs and execution traces for incident analysis.

If you suspect a security incident, immediately revoke potentially compromised credentials in HashiCorp Vault and review audit logs in the Admin Portal. Contact your security team and, for managed hosting deployments, notify Magure support.