Encrypted in transit and at rest
All traffic is served over TLS; workspace content is encrypted at rest using industry-standard ciphers.
Scoped agent keys
MCP keys are scoped to specific workspaces, projects, and capabilities, and can be revoked in one click.
Least-privilege access
Role-based controls for teammates and capability scopes for agents. Nothing has more access than it needs.
Full audit trail
Every action — human or agent — is logged with actor, timestamp, and what changed.
Resilient by design
Regular backups, routine recovery drills, and rate-limited APIs keep your workspace durable and protected from abuse.
Your data stays yours
We never train models on your content. Model providers we route through operate under zero-retention contracts.
Our approach
We practise defence in depth: narrow attack surface, short blast radius, and strong boundaries between users, workspaces, and agents. The same engineers who build the product also own its security posture, so controls evolve with the platform rather than as an afterthought.
Agent access controls
Agents interact with Stable Baseline through the Model Context Protocol using keys you generate and scope yourself.
- Keys are scoped per workspace, per project, and per capability set.
- Every tool call is attributed to its key, so revoking a compromised key is immediate and precise.
- Rate limits protect your workspace from runaway agents.
- Write capabilities can be separated from read — useful for reviewer-only automations.
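To make the key model above concrete, here is an added illustrative sketch (not Stable Baseline's own code) of capability-scoped agent keys: each key carries a workspace, a project and a capability set, every tool call is attributed to the key in an audit record whether it is allowed or not, read and write capabilities are separate, revocation takes effect on the next call, and a per-key sliding window throttles a runaway agent. The class names, the capability strings such as `docs:read`, and the token format `<key_id>.<secret>` are assumptions.

```python
"""Capability-scoped agent keys with attribution, revocation, read/write
separation and a per-key sliding-window rate limit.

Added, self-contained sketch; not Stable Baseline's code. Class names,
capability strings and the bearer-token format are assumptions.
"""
from __future__ import annotations

import hashlib
import hmac
import secrets
from dataclasses import dataclass, field


def _hash(secret: str) -> str:
    """Store only a digest of the bearer secret, never the secret itself."""
    return hashlib.sha256(secret.encode()).hexdigest()


@dataclass(frozen=True)
class KeyScope:
    workspace: str
    project: str
    capabilities: frozenset[str]          # e.g. {"docs:read", "docs:write"}


@dataclass
class KeyRecord:
    key_id: str
    secret_hash: str
    scope: KeyScope
    revoked: bool = False
    recent_calls: list[float] = field(default_factory=list)  # for rate limiting


class AgentKeyRegistry:
    def __init__(self, rate_limit: int = 5, window_s: float = 60.0) -> None:
        self._keys: dict[str, KeyRecord] = {}
        self.audit_log: list[dict] = []
        self.rate_limit, self.window_s = rate_limit, window_s

    def issue(self, scope: KeyScope) -> str:
        """Return a bearer token of the form <key_id>.<secret>."""
        key_id, secret = secrets.token_hex(8), secrets.token_urlsafe(32)
        self._keys[key_id] = KeyRecord(key_id, _hash(secret), scope)
        return f"{key_id}.{secret}"

    def revoke(self, key_id: str) -> None:
        self._keys[key_id].revoked = True       # takes effect on the next call

    def authorize(self, bearer: str, workspace: str, project: str,
                  capability: str, target: str, now: float) -> str:
        """Check one tool call; return the decision reason and append an audit record."""
        key_id, _, secret = bearer.partition(".")
        rec = self._keys.get(key_id)
        if rec is None:
            reason = "unknown_key"
        elif rec.revoked:
            reason = "revoked"
        elif not hmac.compare_digest(rec.secret_hash, _hash(secret)):
            reason = "bad_secret"
        elif (workspace, project) != (rec.scope.workspace, rec.scope.project):
            reason = "out_of_scope"
        elif capability not in rec.scope.capabilities:
            reason = "missing_capability"
        else:
            rec.recent_calls = [t for t in rec.recent_calls if now - t < self.window_s]
            if len(rec.recent_calls) >= self.rate_limit:
                reason = "rate_limited"
            else:
                rec.recent_calls.append(now)
                reason = "ok"
        # Every call, allowed or denied, is attributed to the key that made it.
        self.audit_log.append({"actor": key_id, "ts": now, "capability": capability,
                               "target": target, "decision": reason})
        return reason


def demo() -> dict:
    """Constructed scenario: a reviewer-only key that may read but not write."""
    reg = AgentKeyRegistry(rate_limit=3, window_s=60.0)
    token = reg.issue(KeyScope("ws-acme", "proj-docs", frozenset({"docs:read"})))
    key_id = token.split(".")[0]
    ws, pj, doc = "ws-acme", "proj-docs", "/plans/q3.md"
    out = {
        "read": reg.authorize(token, ws, pj, "docs:read", doc, now=0.0),
        "write": reg.authorize(token, ws, pj, "docs:write", doc, now=1.0),
        "other_ws": reg.authorize(token, "ws-other", pj, "docs:read", doc, now=2.0),
        "forged": reg.authorize(f"{key_id}.wrong-secret", ws, pj, "docs:read", doc, now=3.0),
    }
    # Two more reads fill the window of 3; a fourth within 60 s is throttled.
    reg.authorize(token, ws, pj, "docs:read", "/plans/a.md", now=4.0)
    reg.authorize(token, ws, pj, "docs:read", "/plans/b.md", now=5.0)
    out["throttled"] = reg.authorize(token, ws, pj, "docs:read", "/plans/c.md", now=6.0)
    out["after_window"] = reg.authorize(token, ws, pj, "docs:read", "/plans/c.md", now=70.0)
    reg.revoke(key_id)
    out["revoked"] = reg.authorize(token, ws, pj, "docs:read", doc, now=71.0)
    out["audit_entries"] = len(reg.audit_log)   # one record per call, denied ones included
    return out
```

The denial reasons are deliberately distinct so that the audit trail can tell a revoked key from a forged secret or an out-of-scope request; because the key id is attributed even on denied calls, revoking one key never disturbs the others.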
Data handling
- Workspace content is stored with strict tenant isolation so one customer can never access another's data.
- File uploads (images, data files) are served via short-lived, signed URLs — never publicly indexable.
- We do not use your content to train models, and we do not share it with model providers beyond the ephemeral context required to complete a request.
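The short-lived, signed URL mechanism mentioned above, as an added example that is not Stable Baseline's code: the file path and an expiry timestamp are both covered by an HMAC, the verifier checks the signature before it looks at the expiry, and a URL that has been altered, extended or stripped of its signature is rejected. The host name, path layout and the query-parameter names `exp` and `sig` are assumptions.

```python
"""Short-lived, HMAC-signed URLs for uploaded files.

Added example; not Stable Baseline's code. The host, path layout and the
query-parameter names `exp` and `sig` are assumptions.
"""
import base64
import hashlib
import hmac
from urllib.parse import parse_qs, urlparse

BASE_URL = "https://files.example.invalid"   # constructed placeholder host


def _signature(path: str, exp: int, secret: bytes) -> str:
    # Both the path and the expiry are signed, so neither can be swapped out.
    msg = f"{path}?exp={exp}".encode()
    raw = hmac.new(secret, msg, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def sign_url(path: str, secret: bytes, ttl_s: int, now: int) -> str:
    """Mint a URL for `path` that is valid for `ttl_s` seconds from `now`."""
    exp = now + ttl_s
    return f"{BASE_URL}{path}?exp={exp}&sig={_signature(path, exp, secret)}"


def verify_url(url: str, secret: bytes, now: int) -> tuple:
    """Return (allowed, reason). The signature is checked first, so a request
    with a forged or missing signature never reaches the expiry logic."""
    parsed = urlparse(url)
    q = parse_qs(parsed.query)
    try:
        exp = int(q["exp"][0])
        sig = q["sig"][0]
    except (KeyError, ValueError):
        return False, "malformed"
    expected = _signature(parsed.path, exp, secret)
    if not hmac.compare_digest(sig.encode(), expected.encode()):
        return False, "bad_signature"
    if now >= exp:
        return False, "expired"
    return True, "ok"


def demo() -> dict:
    """Constructed scenario: one 5-minute link checked under several conditions."""
    secret = b"constructed-demo-secret"   # in practice: per-environment key from a secret store
    minted_at = 1_700_000_000
    url = sign_url("/uploads/ws-acme/diagram.png", secret, ttl_s=300, now=minted_at)
    return {
        "fresh": verify_url(url, secret, now=minted_at + 100),
        "expired": verify_url(url, secret, now=minted_at + 300),
        "other_file": verify_url(url.replace("diagram.png", "roadmap.pdf"), secret, now=minted_at + 100),
        "extended": verify_url(url.replace("exp=1700000300", "exp=1800000000"), secret, now=minted_at + 100),
        "unsigned": verify_url(f"{BASE_URL}/uploads/ws-acme/diagram.png", secret, now=minted_at + 100),
    }
```

Because the link expires on its own, it can be handed to a browser or an agent without ever making the underlying object publicly readable; a leaked URL is worth at most the remaining seconds of its window.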
Privacy by default
Stable Baseline is built around the premise that your documentation and plans are confidential. Model calls made on your behalf are routed through providers that operate under zero-data-retention contracts. Telemetry we collect is limited to what we need to operate, support, and secure the service.
Incident response
Suspected incidents are triaged immediately, with affected customers notified in line with applicable law. If you think something is wrong, tell us — we would rather look at a false positive than miss a real one.
Responsible disclosure
If you've found a security issue, please report it to security@stablebaseline.io. We also publish a security.txt with current contact and policy information. We commit to acknowledging reports promptly and keeping you informed as we investigate.
Enterprise assurance
If your organisation requires additional documentation — subprocessor lists, a Data Processing Addendum, architecture detail, or a security questionnaire response — please get in touch and we'll work with your team directly.