Enterprise-grade AI security, by design

Every Pokee workload runs inside a dedicated, isolated sandbox. Your data, your tokens, your traffic — controlled at every boundary.

Robust isolation. Seamless control.

Tenant isolation

Dedicated subdomain, scoped auth, and a private session pool. No shared compute, no cross-tenant API surface.

Encryption everywhere

TLS 1.2+ in transit, AES-256 at rest. Third-party tokens stored encrypted in a vault the agent cannot read.

Private deployment options

Run Pokee in our cloud or your own VPC.

Compliance

Pokee is actively pursuing the controls and attestations enterprise procurement teams ask for first. Audit reports, policies, and our real-time control posture are published in the Pokee Trust Center.

Open trust.pokee.ai

SOC 2 Type 2*

In audit

Pokee is currently undergoing its SOC 2 Type 2 examination across Security, Availability, and Confidentiality.

* Audit is underway with an AICPA-accredited firm. The Type 2 report will publish to the Trust Center on completion.

Penetration testing

Annual

Pokee engages an independent firm to conduct penetration tests against its production infrastructure. Findings are remediated and re-tested before reports publish.

Latest pen-test report available on request via the Trust Center.

Five concentric trust boundaries

Each layer is enforced independently — a failure of one does not collapse the others.

  1. Layer 1: Transport. TLS 1.2+ on every public connection.

  2. Layer 2: Region. Compute and storage pinned to your chosen region.

  3. Layer 3: Tenant. Dedicated subdomain. No cross-tenant call surface.

  4. Layer 4: Session. Each session in its own OS mount namespace.

  5. Layer 5: Workspace. Per-session file scope, enforced by the OS.

Controls your security team can turn on

Available on every enterprise tenant.

Dedicated subdomain

your-tenant.enterprise.pokee.ai — yours alone.

Bearer token + mTLS

Mutual TLS is available as a defense against bearer token leakage.

IP allowlist

Restrict source IPs at the edge.

Custom domain

Route traffic through a hostname you control.

Region pinning

US, APAC, and EU regions on request.

PrivateLink / PSC

No traffic crosses the public internet.

Offline mode for sensitive workloads

A locked-down variant of the API. The agent runs inside a sandbox whose only outbound network path is the model completion API — nothing else egresses.

  • No data exfiltration via the agent. Even prompt injection can't reach an attacker URL — the network drops it.

  • Hostname-allowlisted egress. All outbound traffic flows through one auditable proxy.

  • Same REST contract. Code written against the standard tenant works against an offline tenant.

Your data stays your data

Customer prompts, files, and outputs are not used to train Pokee models. Zero-data-retention routing on inference upstreams is enabled by default for enterprise tenants. Retention windows and deletion are contract-controlled.

Reporting security issues

We value the security research community. If you've found a vulnerability in Pokee, please report it confidentially.

support@pokee.ai