Security & Privacy
drive9 gives agents persistent storage without making data boundaries implicit. The system separates tenant data, controls access through credentials, and keeps network traffic encrypted.
Encrypted in transit
Client-server traffic is protected with TLS. Agent filesystem operations, API calls, and setup flows are designed to move over encrypted transport.
Tenant-isolated by design
drive9 uses tenant-scoped storage boundaries. Tenant identity routes requests to the correct backend, keeping each tenant's workspace on its own storage path. Vault secrets also use per-tenant encryption keys.
Access-controlled
Filesystem access requires valid credentials and authenticated requests. Agents operate only with the workspace configuration they are given. Vault secret access adds scoped capability tokens for secret materialization.
Vault secret protections
Vault secrets have additional protections beyond the filesystem path: secret values are encrypted at rest with per-tenant data encryption keys, materialization is scoped by capability tokens, and server-side secret reads are written to an append-only audit log.
Operational boundary
drive9 protects storage, transport, tenant boundaries, and controlled access. Once data is intentionally provided to an agent process, the agent and its environment are responsible for how that data is used. Treat API keys and agent credentials like passwords.