Trust

Security at Circular

Circular treats human sessions, team API keys, provider credentials, and agent execution as separate security boundaries.

Access controls

  • Workspace and team role checks run at protected API boundaries.
  • Team API keys are scoped, revocable, and stored as non-reversible hashes.
  • Provider and connector secrets are encrypted before database storage.
  • Local and remote execution paths retain distinct approval and isolation policies.

Agent safety

Start agents with read-only tools and a disposable, least-privilege team key. Add write access only for a defined workflow, record tool calls, and revoke the key when an evaluation finishes. Never place provider or Circular secrets in prompts or issue bodies.

Report a vulnerability

Do not open a public issue for a suspected vulnerability. Send a concise reproduction and impact assessment to sales@circular.dev. We will acknowledge the report and coordinate remediation before public disclosure.