How isolation actually works.
We'd rather show you the mechanism than wave a badge. This page describes how sys9 isolates secrets, data, and identity at the architecture level — the parts you can reason about and verify, not a logo wall.
Four boundaries, each enforced by a service.
Sealed secrets, attached at the edge
run9 attaches sealed secrets at the network edge rather than baking them into the sandbox image or filesystem. The agent gets the access it needs at call time; the secret material isn't sitting in a layer you can fork, snapshot, or exfiltrate.
run9
Per-agent vault grants
drive9 ships a secrets vault with per-agent grants — you grant a specific agent
a specific credential (drive9 vault grant --agent alice aws), not a
shared blanket of access. Each agent sees only what it was granted.
Per-tenant data isolation
db9 gives you serverless Postgres with branching — fork a database, its data, and its files per tenant or per task. Isolation is a separate store, not a shared table you hope your filters cover. File storage is built in, no external bucket.
db9 · drive9
Scoped identity
auth9 gives one identity across sys9 with use-first, claim-later access. Sign in once, unlock each service with scoped access rather than long-lived shared keys. (auth9 is rolling out — ask us about current availability.)
auth9 (coming soon)
You can inspect, export, and delete.
Agent state shouldn't be a black box. The stack is built so humans stay in control of the data their agents produce.
Inspectable
mem9 lets humans inspect, import, and export agent memory. owl9 transcripts are human-readable, so a run is auditable after the fact.
Portable
db9 and drive9 are yours to read, copy, and mount locally. No proprietary lock-in on the data plane — standard Postgres and a real filesystem.
Scoped by default
Grants are per-agent, branches are per-tenant, secrets are edge-attached. The default is least access, not shared access.
Found something? Tell us.
If you believe you've found a security issue, email security@sys9.ai with
steps to reproduce. We read every report, acknowledge promptly, and will keep you
updated on the fix. Please give us a reasonable window before public disclosure.