Trust & Security
AI that handles real business processes must be trustworthy, auditable, and controllable. MeetLoyd is built from the ground up for organizations where these properties are non-negotiable.
Our Security Philosophy
"AI should earn trust the same way employees do — through transparency, accountability, and clear boundaries."
Every feature in MeetLoyd follows three principles:
- Humans stay in control — AI proposes, humans approve. The level of autonomy is configurable, from "ask permission for everything" to "act freely within these guardrails."
- Every action is auditable — Complete trail of who did what, when, and why. Exportable to your SIEM. Tamper-evident hash chains.
- Governance is built in, not bolted on — Compliance isn't a checkbox. It's woven into how agents think, act, and collaborate.
How MeetLoyd Protects You
Human-in-the-Loop
Sensitive actions require human approval before they execute. You define what "sensitive" means — financial transactions above a threshold, data access requests, external communications, or any custom criteria.
Agent wants to send proposal → Approval request → Human reviews → Approved / Rejected
When an agent needs approval, it pauses, notifies the right person, and waits. No workarounds. No overrides.
Governance Packs
Pre-built compliance modules that enforce industry-specific rules automatically:
| Pack | What It Enforces |
|---|---|
| GDPR | Data minimization, right to erasure, consent tracking, PII redaction |
| HIPAA | PHI protection, access logging, encryption requirements |
| SOX | Four-eyes approval, audit trails, separation of duties |
| EU AI Act | AI transparency, risk classification, human oversight |
| ISO 27001 | Information security controls, access management |
| ISO 42001 | AI management system, risk assessment, responsible AI |
| DORA | Digital resilience, ICT incident reporting |
| NIS2 | Network and information security, incident notification |
| AMF/CIF | French financial services regulation, investment compliance |
| SOC 2 | Trust service criteria, security and availability controls |
| CCPA | California consumer privacy, data deletion, opt-out rights |
| PCI DSS | Payment card data protection, access controls, encryption |
Packs operate in three modes: audit (log violations), warn (alert on violations), enforce (block violations). Start in audit mode to understand your baseline, then tighten as confidence grows.
Policy Engine
A constraint system that governs what agents can and cannot do. Policies cascade through a five-level hierarchy from platform defaults down to individual agents:
Platform Default
└── Tenant policy
    └── Workspace policy
        └── Team policy
            └── Agent policy (most specific wins)
The most specific policy wins — child policies override parent values.
Policies cover budgets, tool access, rate limits, data handling, and separation of duties.
Audit Trail
Every action by every agent is logged with:
- What happened (tool called, message sent, decision made)
- Who initiated it (agent, team, user)
- When it occurred (timestamp with microsecond precision)
- Why the agent chose that action (reasoning trace)
- Context (conversation, input data, output data)
Logs are tamper-evident (hash-chained) and exportable to external SIEM systems (Splunk, Datadog, Elastic) in CEF, JSON, or LEEF format.
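How a hash chain makes a log tamper-evident, as an added illustration that is not MeetLoyd's code: each record's hash covers the previous record's hash, so an edited or removed entry breaks verification from that point on. The field names, SHA-256, the JSON encoding and the genesis value are assumptions, and the entries are constructed samples.

```python
import hashlib
import json

GENESIS = "0" * 64  # assumed anchor value for the first record


def record_hash(prev_hash, entry):
    """SHA-256 over the previous hash plus a canonical JSON encoding of the entry."""
    body = json.dumps(entry, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + body).encode("utf-8")).hexdigest()


def append(log, entry):
    """Append an entry, linking it to the hash of the current last record."""
    prev = log[-1]["hash"] if log else GENESIS
    log.append({"entry": entry, "prev": prev, "hash": record_hash(prev, entry)})


def verify(log, expected_head=None):
    """Return the index of the first record that fails verification, or None.

    expected_head is the last hash as recorded outside the log (for example in
    the SIEM); without it, a truncated or fully re-hashed log goes unnoticed.
    """
    prev = GENESIS
    for i, rec in enumerate(log):
        if rec["prev"] != prev or rec["hash"] != record_hash(prev, rec["entry"]):
            return i
        prev = rec["hash"]
    if expected_head is not None and prev != expected_head:
        return len(log)
    return None


def build_sample_log():
    """Constructed sample entries using the what/who/when/why fields listed above."""
    log = []
    append(log, {"what": "tool_call:send_proposal", "who": "agent:sales-1",
                 "when": "2025-01-01T09:00:00.000001Z", "why": "follow-up requested"})
    append(log, {"what": "approval:granted", "who": "user:alice",
                 "when": "2025-01-01T09:05:12.431907Z", "why": "within discount policy"})
    append(log, {"what": "message_sent", "who": "agent:sales-1",
                 "when": "2025-01-01T09:05:13.000250Z", "why": "approval received"})
    return log
```

The chain only proves integrity relative to a head hash kept where the log writer cannot change it, which is what exporting to an external SIEM provides.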
Data Sovereignty
Your business data stays under your control:
| Tier | What It Means |
|---|---|
| Standard | Data stored in MeetLoyd's managed infrastructure |
| Customer-Managed Keys (CMEK) | Your encryption keys protect your data — MeetLoyd cannot read it without your key |
| Bring Your Own Storage (BYOS) | Data lives in your own database — MeetLoyd stores nothing |
All tiers include AES-256 encryption at rest and TLS 1.3 in transit.
Compliance Certifications
| Standard | Status |
|---|---|
| Agent Trust Framework (ATF) | 25/25 requirements met — Senior maturity |
| OWASP Agentic Top 10 | 10/10 controls implemented |
| SAFE-MCP | 79/85 (6 not applicable to architecture) |
| SOC 2 Type II | In progress |
| ISO 27001 | Roadmap |
Zero Trust for Agents
MeetLoyd applies Zero Trust principles to AI agents — the same framework used for human access in enterprise security:
- Verify explicitly — every agent action is authenticated and authorized
- Least privilege — agents only access what they need for their specific role
- Assume breach — monitor continuously, detect anomalies, contain impact
Agents have cryptographic identities (SPIFFE), verifiable credentials, and tool-based access control (TBAC) — the same security infrastructure used for microservices in enterprise cloud environments, applied to AI.