Security

Control the agents. Own the context.

Spuutr is designed so you retain control of your data, models, memory, and agent permissions. Here's how it works.

Data ownership

You own all data you put into Spuutr: your business documents, customer conversations, agent memory files, API keys, and configuration. Spuutr does not train on your data, sell your data, or claim ownership of your business context.

Memory files can be stored in your own GitHub or GitLab repository where supported. If you leave Spuutr, your memory exports with you.

Model routing & BYOK

All model provider traffic routes through OpenRouter, our gateway provider. Prompts and responses are sent to the model provider you select for processing. You can bring your own API keys (BYOK) to use specific provider accounts directly: Spuutr does not mark up model usage.

Current model providers:

OpenAI

Reasoning, generation, embeddings

Route: openrouter • BYOK: Yes

Anthropic

Reasoning, coding, safety-aligned agents

Route: openrouter • BYOK: Yes

DeepSeek

Reasoning, operations, cost-efficient inference

Route: openrouter • BYOK: Yes

Google

Reasoning, multimodal

Route: openrouter • BYOK: Yes

Meta

Reasoning, open-weight inference

Route: openrouter • BYOK: Yes

Qwen

Reasoning, multilingual

Route: openrouter • BYOK: Yes

Encryption

All traffic encrypted in transit (HTTPS/TLS)
Sensitive data (API keys, secrets) encrypted at rest using AES-256-GCM
Keys stored separately from encrypted data
No plaintext secrets exposed to agent runtime: agents reference secrets by variable name only

Memory architecture

Agent memory is stored in three tiers:

Shared memory LIVE

Vector-indexed conversation recall across your agent team. Semantic search retrieves relevant context from past interactions. Available now.

Private Vault BETA

Encrypted storage for API keys and secrets. Agents reference secrets by variable name only: plaintext is never exposed to agent logic. Granular access controls and per-item approval gates are in development.

Portable records BETA

Daily memory files and MEMORY.md stored on the filesystem. Exportable and human-readable. Git-backed storage per tenant is coming soon: current export is via file download.

Permission boundaries

Every agent action is governed by permission rules you set:

Action	Default
Read email	Allowed after connecting account
Draft email	Allowed
Send email	Approval required
Delete data	Blocked by default
Spend money	Blocked by default
Post publicly	Approval required
Access Vault	Explicit approval required
Change model routing	Admin approval required

Infrastructure

Hostinger

VPS hosting — server infrastructure

Location: Europe (data center unspecified)

Backblaze B2

Backup and archive storage (future)

Location: US

OpenRouter

Model routing gateway

Location: US

Beta security limitations

During beta, security is best-effort. We follow security best practices but have not undergone third-party audits. Key limitations to be aware of:

No SOC 2 or ISO 27001 certification (planned post-launch)
No dedicated security team: security is managed by the founding team
Backup frequency is daily, not continuous
Uptime SLA is not yet formalised

For security concerns, email admin@spuutr.com.

Control the agents. Own the context.

Data ownership

Model routing & BYOK

Encryption

Memory architecture

Shared memory LIVE

Private Vault BETA

Portable records BETA

Permission boundaries

Infrastructure

Beta security limitations

Ask...