Agaas

Security.

Where your data lives, who can reach it, and what happens if something breaks.

I

Your data stays in your own systems.

Oskar and every Agaas agent work against your own access to your own software — your accounting system, your Shopify. The bookkeeping happens there, where it has always lived. We do not copy your data into a database of ours; there is no central pool of customer data to breach. What we hold on our side is small: the access token for your system, and the working files for the job at hand.

II

One client, one sealed room.

Every client runs in its own isolated space on our server, separated by the operating system itself — not merely by our software behaving well. One client's agent cannot read another client's data, tokens, or conversations; the boundary is enforced by the system kernel, and we test it directly rather than assume it. This is the core of how we keep clients apart.

III

Nothing posts until you approve it.

An agent shows you what it would do before anything lands in your books. You approve each posting; the agent is never the last link. When it is unsure, it stops and asks rather than guessing. This is written down in The Standard, and we hold ourselves to it.

IV

Encryption and access.

All traffic — to your systems, to the AI provider, to the chat channels — runs over TLS. Administrative access to our server is only possible over a private, key-based VPN; the server has no open doors to the public internet. Access tokens are stored only in each client's own isolated space and can be revoked by you at any time, from each system separately.

V

The AI provider.

The language model is provided by Anthropic, over their commercial API under their Commercial Terms. Your data is not used to train models, and conversation content is not retained by default beyond limited operational storage. Anthropic is certified to ISO 27001, ISO/IEC 42001, and SOC 2, and any transfer of data outside the EEA rests on the EU Commission's Standard Contractual Clauses.

VI

Backups, in the EU.

Every night we take an encrypted backup of all client data to storage with an EU-jurisdiction guarantee. The data is encrypted on our own server before it is uploaded — the storage provider cannot read it. We test restores every quarter, and an automatic alert fires if a nightly backup ever fails to complete, so a silent failure is caught the same day. And because your accounting lives in your own system, a problem on our side is never a loss of your books.

VII

If personal data is ever exposed.

If a security incident touches personal data, we notify affected customers without undue delay, so the data controller can meet the 72-hour deadline under GDPR. A data processing agreement governs the details, and we go through it with you, line by line, before you sign.

VIII

Where we are, and where we're going.

We run on dedicated infrastructure in Norway, under our own physical and administrative control — no shared hosting, no third party with access to the machine. As we grow, we are moving the platform to an ISO 27001-certified European data centre. We would rather tell you what we are building toward than imply we are already finished. For security questions, write to ai@agaas.no.

Last reviewed 14 June 2026. We keep this current as the platform changes.