Self-hosted Enterprise: Deploy the entire Baponi platform in your VPC. Your cloud, your identity provider, your database. Zero data on Baponi infrastructure.
Security by architecture, not by policy
Baponi is a sandboxed code execution platform for AI agents. Six independent isolation layers between untrusted code and your infrastructure. Cloud storage credentials never enter the sandbox. Your data never leaves your bucket.
Six independent isolation layers enforced at the kernel level
A vulnerability in any single layer does not compromise the sandbox. Each layer operates independently and is enforced by a separate kernel subsystem.
Namespace Isolation
Every sandbox gets its own Linux namespaces: mount, PID, network, IPC, and UTS. Processes inside the sandbox cannot see the host, other sandboxes, or any shared state.
Syscall Filtering
A seccomp-bpf allowlist restricts system calls to a curated set of permitted operations with argument-level granularity. Everything not explicitly allowed is blocked by the kernel.
Capability Dropping
Sandboxes run with zero Linux capabilities. No CAP_NET_RAW, no CAP_SYS_ADMIN, no CAP_SYS_PTRACE. There is nothing to escalate to because nothing was granted.
Network Isolation
Each sandbox runs in a dedicated network namespace. No cross-sandbox communication. No access to internal services, credential APIs, or the host network.
Storage Credential Separation
Cloud storage credentials for BYOB mounts are held by a sidecar process outside the sandbox. The sandbox sees a local filesystem - it has no awareness of the underlying cloud provider or the credentials used to connect.
Immutable Audit Logging
Every execution, every API call, every admin action is logged. Database-level triggers prevent modification or deletion. Viewing audit logs is itself audited.
The entire isolation stack is written in Rust - eliminating buffer overflows, use-after-free, and data races at compile time. These are the vulnerability classes most commonly exploited in sandbox escape attacks.
BYOB storage mounts expose zero credentials to sandbox code
Cloud storage credentials never enter the sandbox. A sidecar process outside the sandbox boundary handles authentication and presents data as a local filesystem.
Cannot see cloud storage credentials
BYOB mount credentials are held by a sidecar process outside the sandbox. The sandbox sees a local directory - it has no knowledge of the cloud provider, bucket name, or access keys behind it.
Cannot access the host filesystem
Mount namespace provides a read-only root with no visibility into host directories or other sandboxes.
Cannot reach internal services
Network namespace isolation blocks all access to internal services, metadata endpoints, and other sandboxes.
Cannot escalate privileges
Runs as unprivileged UID 1000, zero capabilities, user namespaces disabled.
This zero-visibility model applies to BYOB storage mounts (S3, GCS, Azure Blob). The sandbox reads and writes files as if they were local. The cloud provider, bucket path, and access credentials are entirely invisible to sandbox code.
Your data never leaves your infrastructure
Two independent paths to data sovereignty: BYOB storage for managed cloud, or self-hosted Enterprise for complete infrastructure ownership.
BYOB Storage
Mount your S3, GCS, or Azure Blob storage directly into sandboxes as a local directory. Data streams on demand. No copies, no sync jobs, no egress.
- Data stays in your bucket, in your region
- Zero credential exposure to sandbox code
- Read-only enforcement at the mount level
- Available on every tier, including Free
Self-Hosted Enterprise
Deploy the entire Baponi platform in your Kubernetes cluster, in your VPC. Same codebase, same API, zero dependency on Baponi-operated services.
- Your cloud, your identity provider, your database
- No data egress to Baponi infrastructure
- Air-gapped deployment support
- Continues running independently if Baponi ceases to exist
"Don't trust us with your data. Deploy Baponi in your VPC and trust yourself."
Audit logging on every tier. SOC 2 Type 1 targeting Q2 2026.
Enterprise security controls available today. Formal certifications in progress.
Immutable audit logging on every tier
Full chain of custody for every execution and administrative action. Database triggers prevent modification or deletion. Exportable to your SIEM (Splunk, Datadog, ELK).
AES-256 encryption at rest, TLS 1.3 in transit
All data encrypted in storage and in transit. No exceptions, no configuration needed.
Data Processing Addendum available
Standard DPA for data processor obligations. Available for review and execution at any time.
GDPR data residency via BYOB
Mount your own S3, GCS, or Azure Blob storage. Data stays in your bucket, in your region, under your control.
In Progress
- SOC 2 Type 1: targeting Q2 2026
- Third-party penetration test: targeting Q2 2026
We operate a responsible disclosure program with rewards for qualifying security findings.
Enterprise deployments inherit your existing compliance posture. Self-hosted Baponi runs inside your certified infrastructure. Your SOC 2, your HIPAA, your FedRAMP - Baponi operates within the controls you've already established.
Every dependency scanned. Every container image checked. CycloneDX SBOMs on request.
Automated vulnerability scanning runs across Rust dependencies, npm packages, container images, and infrastructure-as-code. Security reports available on request.
Dependency vulnerability scanning
Grype, cargo-audit, cargo-deny, and npm audit scan every Rust and Node.js dependency against known vulnerability databases. Security reports with full findings are available on request.
Container image CVE scanning
Trivy scans every production container image for CRITICAL and HIGH severity CVEs before deployment. Base images use minimal Debian with no unnecessary packages.
Software Bill of Materials
CycloneDX SBOMs generated for every build covering both Rust and frontend dependency trees. Available on request for vendor security assessments and compliance reviews.
Secret, license, and IaC scanning
Gitleaks scans the full Git history for leaked credentials. cargo-deny enforces a strict license allowlist. Checkov scans Kubernetes manifests for security misconfigurations.
Security Whitepaper
Our security whitepaper covers the complete threat model, defense architecture, implementation details, and framework compliance mapping. Built for security teams conducting vendor assessments.
Common security questions about Baponi
How does Baponi isolate sandboxes from each other and from the host?
Every sandbox runs in its own set of Linux namespaces (mount, PID, network, IPC, UTS) with a seccomp-bpf syscall filter restricting operations to a curated allowlist with argument-level granularity, cgroups v2 resource constraints, and zero Linux capabilities. These boundaries are enforced at the kernel level. The entire isolation stack is written in Rust, eliminating memory safety vulnerabilities in the security-critical path.
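Several of these properties can be checked from inside a running sandbox during a vendor assessment. The following is an added example, not Baponi's code: it audits the text of `/proc/self/status` for UID 1000, empty capability sets and seccomp filter mode. Checking the bounding set as well, and the constructed sample text, are assumptions of this example.

```python
"""Audit /proc/<pid>/status text against the sandbox properties claimed above."""
import os

# Bit positions from linux/capability.h for the capabilities the page names.
NAMED_CAPS = {13: "CAP_NET_RAW", 19: "CAP_SYS_PTRACE", 21: "CAP_SYS_ADMIN"}
CAP_FIELDS = ("CapInh", "CapPrm", "CapEff", "CapBnd", "CapAmb")
EXPECTED_UID = 1000  # value stated on the page

def parse_status(text):
    """Turn 'Key:<tab>value' lines into a dict of stripped strings."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields

def cap_names(mask):
    """Name the set bits of a capability mask, falling back to the bit number."""
    return [NAMED_CAPS.get(bit, f"cap_bit_{bit}")
            for bit in range(mask.bit_length()) if mask >> bit & 1]

def audit(text):
    """Return a list of findings; an empty list means every check passed."""
    st = parse_status(text)
    findings = []
    uids = st.get("Uid", "").split()  # real, effective, saved, filesystem
    if len(uids) != 4 or any(u != str(EXPECTED_UID) for u in uids):
        findings.append(f"Uid is {uids or 'missing'}, expected {EXPECTED_UID} x4")
    for name in CAP_FIELDS:
        raw = st.get(name)
        if raw is None:
            findings.append(f"{name} missing")  # fail closed on absent fields
        elif int(raw, 16):
            findings.append(f"{name} grants {cap_names(int(raw, 16))}")
    if st.get("Seccomp") != "2":  # 0 = off, 1 = strict, 2 = filter (seccomp-bpf)
        findings.append(f"Seccomp mode is {st.get('Seccomp')}, expected 2")
    return findings

# Constructed sample: a process that still holds CAP_NET_RAW and has no filter.
SAMPLE_WEAK = ("Uid:\t1000\t1000\t1000\t1000\nCapInh:\t0000000000000000\n"
               "CapPrm:\t0000000000002000\nCapEff:\t0000000000002000\n"
               "CapBnd:\t0000000000002000\nCapAmb:\t0000000000000000\nSeccomp:\t0\n")

if __name__ == "__main__":
    print("sample:", audit(SAMPLE_WEAK))
    if os.path.exists("/proc/self/status"):  # Linux only
        with open("/proc/self/status") as fh:
            print("this process:", audit(fh.read()) or "all checks passed")
```

A clean result here confirms only what procfs reports for the calling process; it says nothing about which syscalls the filter actually permits.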
How does BYOB storage credential isolation work?
Cloud storage credentials for BYOB mounts (S3, GCS, Azure Blob) are held by a sidecar process that runs outside the sandbox boundary. The sidecar authenticates with the cloud provider and presents the data to the sandbox as a local filesystem via FUSE. The sandbox code has no visibility into the cloud provider, bucket path, or access credentials - it just reads and writes files.
What happens to my data during execution?
BYOB (Bring Your Own Bucket) storage mounts your S3, GCS, or Azure Blob storage directly into the sandbox as a local directory. Data streams on demand and never transits through Baponi infrastructure. For managed storage, data is encrypted at rest with AES-256 and in transit with TLS 1.3.
What if I don't want any data on Baponi's infrastructure?
Deploy the entire Baponi platform in your own Kubernetes cluster, in your VPC. Self-hosted Enterprise uses the exact same codebase. You bring your own identity provider, your own PostgreSQL, your own storage. No data leaves your infrastructure. No dependency on Baponi-operated services.
Is the audit logging SOC 2 compliant?
Yes. Baponi logs every execution, every administrative action, every API key operation with full chain of custody. Logs are immutable - database-level triggers prevent modification or deletion. Viewing audit logs is itself audited. Audit logging is included on every tier, including Free. Most competitors gate any audit logging behind enterprise pricing.
Why is the isolation stack written in Rust?
Sandbox infrastructure executes untrusted code by design. Rust eliminates buffer overflows, use-after-free, and data races at compile time - the vulnerability classes most commonly exploited in sandbox escape attacks. For this problem domain, memory safety is a security requirement, not a language preference.
Does Baponi have a responsible disclosure program?
Yes. We welcome security research against our platform and offer rewards for qualifying findings. Scope, rules of engagement, and safe harbor terms are published on our responsible disclosure page.
How does Baponi handle supply chain security and vulnerability scanning?
Our CI pipeline runs automated scans across four layers: Grype and cargo-audit for Rust dependency vulnerabilities, npm audit for frontend dependencies, Trivy for container image CVEs, and Checkov for Kubernetes misconfigurations. Gitleaks scans the full Git history for leaked credentials. cargo-deny enforces a strict open-source license allowlist. CycloneDX SBOMs are generated in CI. Security vulnerability reports are available on request.
How do I get the full technical security whitepaper?
Request a copy through our contact page by selecting 'Security Whitepaper' as the topic. The whitepaper covers the complete threat model, defense architecture, and implementation details. We respond within 24 hours on business days.