Pontil was designed with security not just in mind, but at the core of how we operate: from generating the agent tools that describe your platform to the end-to-end execution of those tools when agents invoke them.

Generating agent tools requires Pontil to understand your platform's API surface, not your user data. Customer records, end-user data, and platform are completely inaccessible to our tool generation process.
Our scanning process analyses source code and produces structured specs, all managed within Pontil's infrastructure as part of delivering the service. Pontil only needs to see the shape of your platform, not the records inside it.
When an agent invokes a tool created by Pontil, the call passes through Pontil's runtime on its way to your platform. The runtime handles user-level authentication, rate limiting, and observability for each invocation, then returns the result to the agent.
This means data does move through Pontil at runtime: request payloads, responses, and the records your platform exposes in response to a tool call. The runtime is the part of Pontil that sits in the data path, and we treat it accordingly.

Tool calls execute as the authenticated user, not as a shared service account. Making your platform agent-accessible shouldn't require rebuilding your security model. Permissions, data visibility, and audit trails honour the identity that invoked the tool.
Pontil's architecture is designed around the security needs of established B2B SaaS companies. We work closely with each customer to align the deployment with their environment and requirements.
Pontil is working towards SOC 2 Type II and ISO 27001 certifications. Pontil's Privacy Policy is available on our website.
Found a vulnerability? Email security@pontil.com with reproduction steps. We follow coordinated disclosure and credit researchers who report responsibly.
For anything else — security controls, architecture, compliance roadmap — the same address works, or simply reach out below.