Security & Trust

Independently Audited.

Agent Midas is validated by an independent ADA CASA Assessor and verified by Google for the OAuth scopes that touch your inbox and calendar. The trust signals on this page are real, dated, and externally checkable.

ESOF Shield Verified by TAC Security — ADA CASA Assessor

CASA Tier 2 — Independently Validated

Audited by TAC Security, an authorized App Defense Alliance CASA assessor. The audit covered all 73 CASA Tier 2 controls drawn from the OWASP Application Security Verification Standard (ASVS).

Audit completed May 2026 · Google OAuth restricted scopes verified May 5, 2026

What was validated

CASA Tier 2 — 73 controls

The Cloud Application Security Assessment (CASA) framework, governed by the App Defense Alliance and derived from OWASP ASVS, evaluates authentication, session management, access control, input validation, error handling, data protection, and configuration. Tier 2 is the Developer Tested / Lab Verified level: the developer tests against the control set and an authorized assessor verifies the results.

Google OAuth restricted scopes

Google completed brand verification and approved the four OAuth scopes that let Agent Midas read your calendar, create and update calendar events, read inbound mail, and send mail on your behalf. The two Gmail scopes are classified by Google as restricted (it is restricted scopes that trigger the CASA requirement); the two Calendar scopes are classified as sensitive. Verification removes the "unverified app" consent warning. It does not widen what the app can do: each scope is still shown to you and granted individually on the consent screen.

Scopes verified: https://www.googleapis.com/auth/calendar.readonly, https://www.googleapis.com/auth/calendar.events, https://www.googleapis.com/auth/gmail.readonly, https://www.googleapis.com/auth/gmail.send

Our security posture

Beyond the audit, the architectural choices we make every day:

Bring-Your-Own-Key encryption

Sensitive subscriber payloads (OAuth refresh tokens, third-party API keys, integration credentials) are encrypted at rest with AES-256-GCM, an authenticated mode that detects tampering as well as hiding content, under a key bound to the subscriber's own account. Ciphertext copied out of the database is useless without that subscriber's key, and no other subscriber's key can decrypt it.

Row-level security on every table

Postgres row-level security (RLS) is enabled on every table that holds subscriber data, so isolation is enforced by the database itself rather than by query filters in application code. A stolen API key still only reaches the rows of the subscriber it belongs to; it cannot read or modify another subscriber's rows.
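The following is an added illustration of the pattern described above, not Agent Midas's actual schema or policy text. The table, column, role and session-variable names (subscriber_credentials, subscriber_id, app_rw, app.subscriber_id) are assumptions chosen for the example; the seed rows are constructed.

```sql
-- Added example, not Agent Midas's schema: Postgres row-level security that
-- binds every row to the subscriber identified by the current session.
-- Table, column, role and setting names (subscriber_credentials,
-- subscriber_id, app_rw, app.subscriber_id) are illustrative assumptions.

CREATE TABLE subscriber_credentials (
    id            bigserial PRIMARY KEY,
    subscriber_id uuid      NOT NULL,
    provider      text      NOT NULL,
    ciphertext    bytea     NOT NULL
);

-- Constructed seed data for two subscribers, inserted by the table owner
-- before RLS is switched on (once FORCEd, the owner is policy-bound too).
INSERT INTO subscriber_credentials (subscriber_id, provider, ciphertext) VALUES
    ('11111111-1111-1111-1111-111111111111', 'google', '\xdeadbeef'),
    ('22222222-2222-2222-2222-222222222222', 'google', '\xcafebabe');

-- ENABLE turns RLS on; FORCE makes the table owner subject to it as well.
-- Superusers always bypass RLS, so the application must never run as one.
ALTER TABLE subscriber_credentials ENABLE ROW LEVEL SECURITY;
ALTER TABLE subscriber_credentials FORCE ROW LEVEL SECURITY;

-- The application sets app.subscriber_id once per transaction after it has
-- authenticated the API key. current_setting(..., true) yields NULL when the
-- variable is unset, so an unscoped session matches no rows at all rather
-- than every row (fail closed). NULLIF guards against an empty string.
CREATE POLICY subscriber_isolation ON subscriber_credentials
    FOR ALL
    USING      (subscriber_id = NULLIF(current_setting('app.subscriber_id', true), '')::uuid)
    WITH CHECK (subscriber_id = NULLIF(current_setting('app.subscriber_id', true), '')::uuid);

-- The privilege set application queries run under (the login user would be
-- a member of it): not a superuser, not BYPASSRLS, and not the table owner,
-- so the policy cannot be sidestepped.
CREATE ROLE app_rw NOLOGIN NOSUPERUSER NOBYPASSRLS;
GRANT SELECT, INSERT, UPDATE, DELETE ON subscriber_credentials TO app_rw;
GRANT USAGE, SELECT ON SEQUENCE subscriber_credentials_id_seq TO app_rw;

-- Walkthrough: a session authenticated with subscriber A's (stolen) API key
-- tries to read, rewrite and forge rows belonging to subscriber B.
SET ROLE app_rw;
BEGIN;
SET LOCAL app.subscriber_id = '11111111-1111-1111-1111-111111111111';

-- Reads are filtered by USING: B's row is invisible to this session.
SELECT subscriber_id, provider FROM subscriber_credentials;

-- A write that names B's row explicitly matches nothing for the same reason.
UPDATE subscriber_credentials
   SET ciphertext = '\x00'
 WHERE subscriber_id = '22222222-2222-2222-2222-222222222222';

-- Inserting a row under B's id violates WITH CHECK and raises an error,
-- which also aborts this transaction.
INSERT INTO subscriber_credentials (subscriber_id, provider, ciphertext)
VALUES ('22222222-2222-2222-2222-222222222222', 'slack', '\x00');
ROLLBACK;
RESET ROLE;
```

Run against a PostgreSQL 11 or later instance, the SELECT returns only subscriber A's row, the UPDATE affects zero rows, and the INSERT fails with "new row violates row-level security policy". Two details carry the guarantee: FORCE ROW LEVEL SECURITY, without which the owning role ignores the policy entirely, and a fail-closed policy expression, so a code path that forgets to set app.subscriber_id sees nothing instead of everything. Any role with SUPERUSER or BYPASSRLS still bypasses RLS, so the check that matters in review is which role the application's connection pool actually authenticates as.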

Append-only audit trail

Every privileged write (tier changes, payouts, role grants, deletions, integrations connected) emits a row in an append-only audit log; rows cannot be updated or deleted through the application. The sequence of privileged actions can therefore be reconstructed after an incident.
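An added example of how a database can enforce the append-only property itself, and emit the audit row from the privileged write so that application code cannot skip it. This is illustrative code, not Agent Midas's schema; every name in it (audit_log, subscriptions, audit_writer, app.actor_id) is an assumption, and the data is constructed.

```sql
-- Added example, not Agent Midas's schema: an audit log that the database
-- keeps append-only, fed by a trigger on a privileged write (a tier change).
-- All names (audit_log, subscriptions, audit_writer, app.actor_id) are
-- illustrative assumptions.

CREATE TABLE audit_log (
    id          bigserial   PRIMARY KEY,
    occurred_at timestamptz NOT NULL DEFAULT now(),
    actor_id    uuid,
    action      text        NOT NULL,   -- tier_change, payout, role_grant, ...
    target      text        NOT NULL,
    details     jsonb       NOT NULL DEFAULT '{}'::jsonb
);

CREATE TABLE subscriptions (
    subscriber_id uuid PRIMARY KEY,
    tier          text NOT NULL
);

-- Layer 1, privileges: the application role may append and read, nothing else.
CREATE ROLE audit_writer NOLOGIN NOSUPERUSER NOBYPASSRLS;
GRANT SELECT, INSERT ON audit_log TO audit_writer;
GRANT USAGE, SELECT ON SEQUENCE audit_log_id_seq TO audit_writer;
GRANT SELECT, INSERT, UPDATE ON subscriptions TO audit_writer;

-- Layer 2, triggers: refuse UPDATE, DELETE and TRUNCATE even for roles that
-- hold those privileges (migrations run as the owner, for instance).
CREATE OR REPLACE FUNCTION audit_log_immutable() RETURNS trigger
LANGUAGE plpgsql AS $$
BEGIN
    RAISE EXCEPTION 'audit_log is append-only: % not permitted', TG_OP
        USING ERRCODE = 'insufficient_privilege';
    RETURN NULL;  -- unreachable; satisfies the trigger-function contract
END;
$$;

CREATE TRIGGER audit_log_no_update_delete
    BEFORE UPDATE OR DELETE ON audit_log
    FOR EACH ROW EXECUTE FUNCTION audit_log_immutable();

CREATE TRIGGER audit_log_no_truncate
    BEFORE TRUNCATE ON audit_log
    FOR EACH STATEMENT EXECUTE FUNCTION audit_log_immutable();

-- Emit the audit row from the privileged write itself. The acting user is
-- read from a session variable the application sets after authentication;
-- NULLIF keeps an unset or empty variable from failing the uuid cast.
CREATE OR REPLACE FUNCTION log_tier_change() RETURNS trigger
LANGUAGE plpgsql AS $$
BEGIN
    IF NEW.tier IS DISTINCT FROM OLD.tier THEN
        INSERT INTO audit_log (actor_id, action, target, details)
        VALUES (
            NULLIF(current_setting('app.actor_id', true), '')::uuid,
            'tier_change',
            NEW.subscriber_id::text,
            jsonb_build_object('from', OLD.tier, 'to', NEW.tier)
        );
    END IF;
    RETURN NEW;
END;
$$;

CREATE TRIGGER subscriptions_audit_tier
    AFTER UPDATE OF tier ON subscriptions
    FOR EACH ROW EXECUTE FUNCTION log_tier_change();

-- Walkthrough with constructed data: one tier change, then two attempts to
-- scrub the evidence, first as the application role, then as the owner.
INSERT INTO subscriptions VALUES ('11111111-1111-1111-1111-111111111111', 'free');

SET ROLE audit_writer;
BEGIN;
SET LOCAL app.actor_id = '99999999-9999-9999-9999-999999999999';
UPDATE subscriptions SET tier = 'enterprise'
 WHERE subscriber_id = '11111111-1111-1111-1111-111111111111';
COMMIT;

SELECT occurred_at, actor_id, action, target, details FROM audit_log;

DELETE FROM audit_log;   -- stopped by the missing DELETE privilege
RESET ROLE;
DELETE FROM audit_log;   -- the owner holds DELETE; stopped by the trigger
```

After the UPDATE the SELECT shows one tier_change row recording the actor, the subscriber and the from/to tiers; both DELETE statements fail, the first with a permission error and the second with the trigger's exception. The two layers protect against different mistakes: the grants constrain the application role, the triggers catch privileged sessions such as migrations. Neither stops a superuser or the table owner from dropping the trigger, so an audit trail that must survive a compromised database administrator additionally needs the rows shipped to a store the database role cannot alter, or hash-chained so that gaps are detectable.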

No third-party AI sees your data without consent

Default-private posture: subscriber dossiers, RAG knowledge, and content libraries are scoped per subscriber, so retrieval for one subscriber is never answered from another subscriber's data. Cross-subscriber inference is ruled out by that scoping.

What's next

  • SOC 2 Type II readiness: in flight; targeted completion Q3 2026.
  • CASA Tier 3 upgrade: under evaluation. Tier 3 is required for the Google Workspace Marketplace security badge.
  • HIPAA-aligned posture: for subscribers in regulated healthcare verticals (BAA available on request).
  • Annual re-attestation: every CASA-validated app re-audits annually; our next re-attestation lands May 2027.

Security questions or audit requests? Email [email protected]. Enterprise-tier subscribers can request a copy of the CASA audit summary directly from TAC Security.