Enterprise-grade AI security, by design

    Every Pokee workload runs inside a dedicated, isolated sandbox. Your data, your tokens, your traffic — controlled at every boundary.

    Visit our Trust CenterTalk to sales

    Robust isolation. Seamless control.

    Tenant isolation

    Dedicated subdomain, scoped auth, and a private session pool. No shared compute, no cross-tenant API surface.

    Encryption everywhere

    TLS 1.2+ in transit, AES-256 at rest. Third-party tokens stored encrypted in a vault the agent cannot read.

    Private deployment options

    Run Pokee in our cloud or your own VPC. See deployments →

    Compliance

    Pokee is actively pursuing the controls and attestations enterprise procurement teams ask for first. Audit reports, policies, and our real-time control posture are published in the Pokee Trust Center.

    Open trust.pokee.ai

    SOC 2 Type 2*

    In audit

    Pokee is currently undergoing its SOC 2 Type 2 examination across Security, Availability, and Confidentiality.

    * Audit is underway with an AICPA-accredited firm. The Type 2 report will publish to the Trust Center on completion.

    Penetration testing

    Annual

    Pokee engages an independent firm to conduct penetration tests against its production infrastructure. Findings are remediated and re-tested before reports publish.

    Latest pen-test report available on request via the Trust Center.

    Five concentric trust boundaries

    Each layer is enforced independently — a failure of one does not collapse the others.

    1. Layer 1

      Transport

      TLS 1.2+ on every public connection.

    2. Layer 2

      Region

      Compute and storage pinned to your chosen region.

    3. Layer 3

      Tenant

      Dedicated subdomain. No cross-tenant call surface.

    4. Layer 4

      Session

      Each session in its own OS mount namespace.

    5. Layer 5

      Workspace

      Per-session file scope, enforced by the OS.

    Controls your security team can turn on

    Available on every enterprise tenant.

    Dedicated subdomain

    your-tenant.enterprise.pokee.ai — yours alone.

    Bearer token + mTLS

    Mutual TLS available as defense against bearer leakage.

    IP allowlist

    Restrict source IPs at the edge.

    Custom domain

    Route traffic through a hostname you control.

    Region pinning

    US, APAC, and EU regions on request.

    PrivateLink / PSC

    No traffic crosses the public internet.

    Offline mode for sensitive workloads

    A locked-down variant of the API. The agent runs inside a sandbox whose only outbound network path is the model completion API — nothing else egresses.

    • No data exfiltration via the agent. Even prompt injection can't reach an attacker URL — the network drops it.

    • Hostname-allowlisted egress. All outbound traffic flows through one auditable proxy.

    • Same REST contract. Code written against the standard tenant works against an offline tenant.

    Your data stays your data

    Customer prompts, files, and outputs are not used to train Pokee models. Zero-data-retention routing on inference upstreams is enabled by default for enterprise tenants. Retention windows and deletion are contract-controlled.

    Reporting security issues

    We value the security research community. If you've found a vulnerability in Pokee, please report it confidentially.

    support@pokee.ai
    Pokee Logo

    Pokee AI

    Frontier Agent Deployed in Your Infrastructure.

    Solutions

    FinanceHealth CareE-commerceEducationManufacturing

    Company

    CareersSecurityContact Us

    Resources

    API DocumentationBlogFAQ

    Legal

    Terms of ServicePrivacy PolicyAccessibilitySystem Status

    Follow Us

    TwitterLinkedInRedditDiscord

    © 2026 Pokee AI. All rights reserved.

    Terms & ConditionsPrivacy Policy