Trust
Security at Circular
Circular treats human sessions, team API keys, provider credentials, and agent execution as separate security boundaries.
Access controls
- Workspace and team role checks run at protected API boundaries.
- Team API keys are scoped, revocable, and stored as non-reversible hashes.
- Provider and connector secrets are encrypted before database storage.
- Local and remote execution paths retain distinct approval and isolation policies.
Agent safety
Start agents with read-only tools and a disposable, least-privilege team key. Add write access only for a defined workflow, record tool calls, and revoke the key when an evaluation finishes. Never place provider or Circular secrets in prompts or issue bodies.
Report a vulnerability
Do not open a public issue for a suspected vulnerability. Send a concise reproduction and impact assessment to sales@circular.dev. We will acknowledge the report and coordinate remediation before public disclosure.