# Security and Privacy in Agent Manager

> How Agent Manager keeps data private with PII redaction, injection protection, sandboxed code execution, RBAC, and full audit logging on by default.

Agent Manager is built on a **private-by-design** principle: all your data stays within your own infrastructure. No conversation history, memory, or knowledge base content is ever sent to external observability or analytics platforms by default. Every safety control described on this page is active out of the box.

## Private by design

All persistent state — session history, long-term memory, and knowledge base documents — is stored exclusively in your own database. Agent Manager never transmits user data to third-party SaaS platforms unless you explicitly configure an integration.

<CardGroup cols={2}>
  <Card title="PII redaction" icon="shield-halved">
    Every user message is scanned for emails, phone numbers, and other sensitive identifiers before it reaches the LLM. Redacted values are substituted transparently so agents still function normally.
  </Card>

  <Card title="Prompt injection protection" icon="ban">
    Built-in detection screens for jailbreak patterns before each request is executed, blocking attempts to override agent instructions.
  </Card>

  <Card title="Content safety" icon="circle-check">
    Agent responses pass through output moderation before being returned. Harmful, violent, or inappropriate content is blocked automatically.
  </Card>

  <Card title="Hallucination detection" icon="magnifying-glass">
    For RAG-powered responses, Agent Manager verifies that the answer is grounded in the retrieved knowledge sources before delivering it to the user.
  </Card>

  <Card title="Secure code sandbox" icon="box">
    Python code execution runs inside ephemeral Docker containers with no host filesystem access and no network access by default. Each execution uses a fresh container.
  </Card>

  <Card title="Audit logging" icon="file-lines">
    Every agent run and tool execution is logged. All guardrail interventions are recorded with the type of protection triggered.
  </Card>
</CardGroup>

## Role-based access control

Agents and teams are protected by RBAC. Roles are enforced at every API boundary — unauthenticated or insufficiently privileged requests receive a `401 Unauthorized` or `403 Forbidden` response before any agent logic runs.

All data is partitioned by organization (`orgId`). A user in one tenant cannot read or modify resources belonging to another, and cross-tenant resource lookups return `404` rather than `403` to avoid leaking information about resource existence.
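The decision order the two paragraphs above describe (authenticate, then a tenant-scoped lookup that yields `404` for anything outside the caller's `orgId`, then the role check that yields `403`) can be made concrete. This is an added illustration, not Agent Manager's own code; the `Principal` type, the in-memory `AGENTS` store and the role table are constructed assumptions.

```python
# Added example (not Agent Manager's own code): a tenant-scoped authorization
# check mirroring the page's RBAC and isolation rules. Every identifier and
# record below is constructed for illustration.
from dataclasses import dataclass
from typing import Optional

# Constructed in-memory "database": resources keyed by id, each owned by an orgId.
AGENTS = {
    "agent-1": {"orgId": "org-A", "name": "support-bot"},
    "agent-2": {"orgId": "org-B", "name": "billing-bot"},
}

# Hypothetical role model: which roles may perform which actions.
ROLE_PERMISSIONS = {
    "admin": {"read", "write"},
    "viewer": {"read"},
}


@dataclass
class Principal:
    user_id: str
    org_id: str
    role: str


def authorize(principal: Optional[Principal], agent_id: str, action: str) -> int:
    """Return the HTTP status the request should get, before any agent logic runs.

    Order matters:
      1. No principal           -> 401 (unauthenticated)
      2. Lookup scoped by orgId -> 404 when the resource is not in the caller's
                                   tenant, so a cross-tenant probe cannot tell
                                   "exists elsewhere" from "does not exist"
      3. Role check             -> 403 when the role lacks the action
      4. Otherwise              -> 200
    """
    if principal is None:
        return 401
    # The tenant filter is part of the lookup itself, never a later comparison
    # that could leak through a different status code.
    agent = AGENTS.get(agent_id)
    if agent is None or agent["orgId"] != principal.org_id:
        return 404
    if action not in ROLE_PERMISSIONS.get(principal.role, set()):
        return 403
    return 200
```

Note that a viewer in `org-A` asking for `agent-2` and for a non-existent `agent-99` receives the same `404`, which is the property the page calls out.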

## Compliance and traceability

Every run produces a complete audit trail including:

* The full sequence of tool calls made during the run
* Inner reasoning steps captured before each tool execution
* Guardrail events (which protection triggered and when)
* The run status (`COMPLETED`, `FAILED`, `PAUSED`)

<Note>
  Audit logs are stored in your own database alongside all other run data. You own the data and can query or export it directly.
</Note>

## Summary

| Protection                 | Scope                   | Default |
| -------------------------- | ----------------------- | ------- |
| PII redaction              | Input (pre-LLM)         | On      |
| Prompt injection detection | Input (pre-execution)   | On      |
| Content safety moderation  | Output (post-execution) | On      |
| Hallucination check        | Output (RAG responses)  | On      |
| Python code sandbox        | Tool execution          | On      |
| Audit logging              | All runs and tool calls | On      |
| RBAC                       | All API endpoints       | On      |
| Tenant data isolation      | All data reads          | On      |

<Tip>
  If you're investigating unexpected redactions or blocked responses, check your audit logs for guardrail events — each entry records the protection type that was triggered.
</Tip>
