Trust, by design.
Security
Workers is built so the safe path is the easy path. Dangerous actions are hard by default; every decision your AI team makes is observable.
Three principles we never compromise.
These are not slogans. They are wired into the founder console, the approval router, and the audit log — and they are what you get by default on every plan, including Trial.
Fail closed by default.
When a request is ambiguous, a permission is missing, or a policy is unclear, Workers stops and asks. It never guesses its way into a mistake. The default for every sensitive action is wait, not execute.
Audit every action.
Nothing is off the record. Every tool call, every approval, every escalation is written to a hash-chained log that is exportable, signed, and immutable. If it happened, you can prove it happened.
Encrypt at rest and in transit.
All customer data is encrypted in transit with TLS 1.3 and at rest with AES-256. Keys are isolated per tenant and rotated automatically. Secrets never touch plaintext logs.
Encryption, isolation, and an audit chain.
Encryption in transit
TLS 1.3 everywhere, HSTS with preload, certificate transparency monitoring, and strict modern cipher suites. No fallback to legacy protocols.
Encryption at rest
AES-256 for databases, object storage, and backups. Keys are isolated per tenant in a hardened key-management service and rotated on a fixed schedule.
Tenant isolation
Every tenant is scoped by row-level security and per-tenant encryption keys. Cross-tenant reads are prevented at the database layer, not just in application code.
Hash-chained audit log
Each entry includes a SHA-256 of the entry before it. You can verify the chain offline with the exported log and a public verifier. Rewrites are detectable.
Secrets hygiene
OAuth tokens, API credentials, and webhooks are stored encrypted. They never appear in logs, error traces, or exports.
Certifications.
A living list. We publish the status honestly and update it as audits progress.
Request the latest trust pack →How we handle your data.
Where your data lives
Customer data is stored in hardened, geographically isolated environments. Business and Enterprise customers choose the region. Data never leaves the region you picked for any reason.
How long we keep it
We keep only what we need for as long as you need it. Audit records follow the retention of your plan. Everything else is deleted within 30 days of no longer being needed.
How we delete it
Deletion is a first-class action in the founder console. Hitting delete triggers a cryptographic erase of your keys, a purge of your primary storage, and a cascading wipe across replicas within 7 days.
We do not train on your data
Customer prompts, documents, and actions are never used to improve our models. Your business is yours.
Responsible disclosure.
We run a coordinated disclosure program and pay researchers for valid findings. Report through our bug bounty program or send details directly to our security team.