Security

Zero-trust by default. Every layer secured, every action audited.

Zero-Trust Architecture

Every agent, service, and user is untrusted by default. Access is granted per-request based on identity, context, and policy. No implicit trust between components.

Infrastructure Isolation

Namespace Isolation

Each tenant and agent type runs in dedicated Kubernetes namespaces with strict network policies. No lateral movement between boundaries.

Secrets Management

Azure Key Vault integrated via the CSI driver. Secrets are never stored in the cluster: they are mounted at runtime, rotated automatically, and scoped per workload.

Identity & Access

Enterprise OIDC

Microsoft Entra ID with mandatory MFA. RBAC maps org groups to platform permissions. SSO across all Kantai services.

OCO — Supply Chain Security

OpenClaw Control Orchestrator verifies every artifact in the delivery pipeline. Image signing, SBOM generation, policy gates, and provenance tracking.

Kill Switch — Tetraban

Four escalation levels for emergency response:

Level 1 — Soft Pause

Agent pauses current task, awaits human review. No data loss, resumable.

Level 2 — Hard Pause

All agent activity stopped. Queued tasks held. Manual restart required.

Level 3 — Isolate

Network policies enforced to cut agent communication. Forensic snapshot taken.

Level 4 — Fleet Shutdown

Complete fleet termination. All workloads stopped, secrets revoked, full audit exported.
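The per-tenant namespace isolation described above and the Level 3 Isolate step, as an added example that is not part of Kantai's own manifests: a default-deny policy for the tenant namespace plus a baseline allow that only applies to unlabelled pods. The namespace name tenant-acme and the quarantine label are assumed, and the cluster's CNI must enforce NetworkPolicy for any of this to take effect.

```yaml
# Added example, not Kantai's own manifests. "tenant-acme" and the
# "quarantine" label are assumed names.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny
  namespace: tenant-acme
spec:
  podSelector: {}               # selects every pod; no rules listed = nothing allowed
  policyTypes: [Ingress, Egress]
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-baseline
  namespace: tenant-acme
spec:
  # Allows apply only to pods WITHOUT the quarantine label. NetworkPolicy is
  # additive (there is no "deny" rule), so Level 3 isolation is done by adding
  # quarantine=true to the agent pod: it drops out of this policy and is left
  # with default-deny alone, which cuts all traffic including DNS.
  podSelector:
    matchExpressions:
    - {key: quarantine, operator: DoesNotExist}
  policyTypes: [Ingress, Egress]
  ingress:
  - from:
    - podSelector: {}           # peers in the same namespace only
  egress:
  - to:
    - podSelector: {}           # same-namespace services
  - to:
    - namespaceSelector:
        matchLabels:
          kubernetes.io/metadata.name: kube-system
    ports:
    - {protocol: UDP, port: 53}
    - {protocol: TCP, port: 53}
```

Isolating an agent is then `kubectl label pod <agent-pod> quarantine=true -n tenant-acme`; the pod keeps running with no network, so the forensic snapshot can be taken afterwards without the agent having been restarted.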

Data Classification

Five levels govern how data is handled across the platform:

Level  Label         Example            Handling
1      Public        Marketing content  No restrictions
2      Internal      Team docs          Authenticated access
3      Confidential  Customer data      Encrypted, RBAC
4      Restricted    Credentials, PII   Key Vault, audit logged
5      Prohibited    Never stored       Rejected at ingestion

Compliance

SOC 2 Type II

Controls mapped and auditable. Continuous monitoring.

POPIA

South African data protection compliance. Data residency controls.

HIPAA-Ready

BAA-eligible architecture. PHI handling controls available on Enterprise tier.

PCI-DSS

Cardholder data isolation. Network segmentation and encryption at rest and in transit.
