Security & Compliance
How TameFlare protects your agent traffic, credentials, and audit data.
Security model
HTTPS interception
TLS termination at the cloud gateway (proxy.tameflare.com). Same enforcement model as corporate proxies (Zscaler, mitmproxy). No local binary or CA certificate needed.
Credential isolation
Agents never see real API keys. The proxy injects credentials into allowed requests at request time from an AES-256-GCM encrypted vault.
Fail-closed
No connector = no access. Error in evaluation = deny. No fail-open mode. The cloud gateway runs at proxy.tameflare.com. No third-party trackers or product telemetry.
Additional security measures
Data sovereignty & compliance
TameFlare is architecturally aligned with EU data sovereignty requirements. Credentials are encrypted at rest (AES-256-GCM). The cloud gateway runs at proxy.tameflare.com, hosted in the EU.
Cloud gateway (EU)
proxy.tameflare.com
Source-available
Fully auditable (ELv2)
No third-party trackers
Privacy-friendly analytics only
Danish company
EU jurisdiction
Encrypted vault
AES-256-GCM at rest
Full audit trail
Every action logged
Architecturally aligned with GDPR, NIS2, and DORA requirements. Not a certification claim - compliance is your responsibility, and our architecture makes it easier.
Audit status
TameFlare has not yet undergone a third-party security audit. The codebase is source-available for independent review. We have 51 unit tests, 260+ integration tests, and security-specific test coverage (auth bypass, RBAC, rate limiting, nonce replay, input validation).
A formal third-party audit is planned. See the security documentation for full details.