Sandboxing
Each cloud agent run executes inside a dedicated, ephemeral container with strict resource and access controls. No two agent runs share a container.
Container Isolation
- Dedicated container: each run gets its own container with an isolated filesystem, process namespace, and network stack.
- No persistence: the container and all its contents are destroyed when the run completes or times out.
- Resource limits: CPU, memory, and disk are capped per container to prevent abuse. Defaults: 2 vCPU, 4 GB RAM, 10 GB disk.
- No privilege escalation: containers run as a non-root user with no sudo access.
- Read-only system: the base filesystem is read-only. Only the workspace directory and /tmp are writable.
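The five isolation rules above can be checked mechanically before a container is launched. The following is an added example (not Creor's own runtime code): it validates a hypothetical, Docker-style container spec against the stated caps (2 vCPU, 4 GB RAM, 10 GB disk), the non-root and no-new-privileges rules, namespace isolation, auto-removal, and the rule that only the workspace directory and /tmp are writable. The `/workspace` path and the spec field names are assumptions; the page does not name them.

```python
"""Static check of a container spec against the sandbox rules above.

Added example, not Creor's own code. The spec shape is a hypothetical,
Docker-style description chosen for illustration; Creor's real runtime
configuration is not documented on this page.
"""
from dataclasses import dataclass, field
import posixpath

# Caps stated in the text: 2 vCPU, 4 GB RAM, 10 GB disk.
MAX_CPUS = 2.0
MAX_MEM_BYTES = 4 * 1024 ** 3
MAX_DISK_BYTES = 10 * 1024 ** 3

# The only writable locations: the workspace directory and /tmp.
# "/workspace" is an assumed path; the page does not name the directory.
WRITABLE_ROOTS = ("/workspace", "/tmp")


def _within(root, path):
    """True if `path` equals `root` or lies beneath it after normalisation."""
    path = posixpath.normpath(path)
    root = posixpath.normpath(root)
    return path == root or path.startswith(root + "/")


@dataclass
class ContainerSpec:
    user: str                      # user the entrypoint runs as
    read_only_rootfs: bool         # base filesystem mounted read-only
    auto_remove: bool              # container deleted when the run ends
    network_mode: str              # e.g. "sandbox", "host", "container:<id>"
    pid_mode: str                  # "private" or "host"
    cpus: float
    mem_bytes: int
    disk_bytes: int
    mounts: list = field(default_factory=list)      # (path, writable) pairs
    no_new_privileges: bool = True
    capabilities: set = field(default_factory=set)  # added Linux capabilities


def validate_spec(spec):
    """Return a list of rule violations; an empty list means the spec passes."""
    v = []
    # Dedicated container: its own network and process namespaces.
    if spec.network_mode == "host" or spec.network_mode.startswith("container:"):
        v.append("network stack is shared, not isolated")
    if spec.pid_mode == "host":
        v.append("process namespace is shared with the host")
    # No persistence.
    if not spec.auto_remove:
        v.append("container would persist after the run")
    # Resource limits.
    if spec.cpus > MAX_CPUS:
        v.append(f"cpu limit {spec.cpus} exceeds cap {MAX_CPUS}")
    if spec.mem_bytes > MAX_MEM_BYTES:
        v.append("memory limit exceeds 4 GB cap")
    if spec.disk_bytes > MAX_DISK_BYTES:
        v.append("disk limit exceeds 10 GB cap")
    # No privilege escalation.
    if spec.user in ("", "root", "0") or spec.user.startswith("0:"):
        v.append("runs as root")
    if not spec.no_new_privileges:
        v.append("no_new_privileges is not set")
    if spec.capabilities:
        v.append(f"extra capabilities granted: {sorted(spec.capabilities)}")
    # Read-only system: writable mounts only under the workspace and /tmp.
    if not spec.read_only_rootfs:
        v.append("root filesystem is writable")
    for path, writable in spec.mounts:
        if writable and not any(_within(r, path) for r in WRITABLE_ROOTS):
            v.append(f"writable mount outside workspace and /tmp: {path}")
    return v


def sample_spec(**overrides):
    """A constructed spec that satisfies every rule; keyword args override fields."""
    base = dict(user="agent", read_only_rootfs=True, auto_remove=True,
                network_mode="sandbox", pid_mode="private",
                cpus=2.0, mem_bytes=4 * 1024 ** 3, disk_bytes=10 * 1024 ** 3,
                mounts=[("/workspace", True), ("/tmp", True), ("/usr/lib", False)])
    base.update(overrides)
    return ContainerSpec(**base)


if __name__ == "__main__":
    print(validate_spec(sample_spec()))
    print(validate_spec(sample_spec(user="root", network_mode="host",
                                    mounts=[("/tmp/../etc", True)])))
```

The mount check normalises paths first, so a mount such as `/tmp/../etc` is recognised as `/etc` and rejected rather than passing a naive prefix test.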
Shell Restrictions
The bash tool inside cloud agents runs in a restricted shell environment.
| Allowed | Blocked |
|---|---|
| File operations (cat, ls, cp, mv, rm within workspace) | Network tools (curl, wget, ssh, nc) |
| Git operations (read-only: log, diff, blame, show) | Git push, git remote operations |
| Build tools (npm, bun, cargo, go, make) | Package installation from registries (blocked by network) |
| Test runners (vitest, jest, pytest, go test) | Docker, container management |
| Text processing (grep, sed, awk, jq) | System administration (systemctl, mount) |
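As an added example (not Creor's restricted shell), the policy in the table can be expressed as a default-deny command evaluator: each simple command in a pipeline or command list is checked separately, network and system tools are refused, `git` is limited to the four read-only subcommands, destructive file operations and output redirections must stay inside the writable area, and anything not on the allow list is blocked. The `/workspace` path is an assumption, and the tokenizer is `shlex`; a production enforcer would use a real shell parser.

```python
"""Allow/deny evaluation of a shell command line, following the table above.

Added example, not Creor's restricted shell. The tool sets mirror the table,
the workspace path "/workspace" is an assumption, and a production enforcer
would use a real shell parser rather than shlex.
"""
import posixpath
import shlex

WORKSPACE = "/workspace"               # assumed mount point of the cloned repository
WRITABLE_ROOTS = (WORKSPACE, "/tmp")   # the only writable locations (Container Isolation)

ALLOWED = {
    "cat", "ls", "cp", "mv", "rm",        # file operations
    "git",                                # read-only subcommands only
    "npm", "bun", "cargo", "go", "make",  # build tools
    "vitest", "jest", "pytest",           # test runners ("go test" arrives via go)
    "grep", "sed", "awk", "jq",           # text processing
}
NETWORK_TOOLS = {"curl", "wget", "ssh", "nc"}
SYSTEM_TOOLS = {"docker", "systemctl", "mount", "sudo", "su"}
GIT_READ_ONLY = {"log", "diff", "blame", "show"}
PATH_CONFINED = {"rm", "mv", "cp"}      # arguments must stay inside the writable area
SEPARATORS = {"|", "||", "&&", ";", "&", "(", ")"}


def tokenize(cmd):
    """Split like a shell would, keeping |, &&, ; and redirections as tokens."""
    lex = shlex.shlex(cmd, posix=True, punctuation_chars=True)
    lex.whitespace_split = True
    return list(lex)


def split_segments(tokens):
    """Group tokens into simple commands at pipe/list separators."""
    segments, current = [], []
    for tok in tokens:
        if tok in SEPARATORS:
            if current:
                segments.append(current)
            current = []
        else:
            current.append(tok)
    if current:
        segments.append(current)
    return segments


def in_writable_area(path):
    """Resolve `path` relative to the workspace and confine it to writable roots."""
    full = posixpath.normpath(posixpath.join(WORKSPACE, path))
    return any(full == r or full.startswith(r + "/") for r in WRITABLE_ROOTS)


def check_segment(seg):
    """Decide one simple command; returns (allowed, reason)."""
    args, i = [], 0
    while i < len(seg):
        tok = seg[i]
        if tok in (">", ">>"):              # output redirection: target must be writable
            target = seg[i + 1] if i + 1 < len(seg) else ""
            if target != "/dev/null" and not in_writable_area(target):
                return False, "redirect target outside workspace and /tmp"
            i += 2
            continue
        if tok == "<":                      # input redirection: reads are not restricted
            i += 2
            continue
        args.append(tok)
        i += 1
    if not args:
        return False, "empty command"
    prog = posixpath.basename(args[0])      # "/usr/bin/curl" is still curl
    if prog in NETWORK_TOOLS:
        return False, f"{prog}: network tools are blocked"
    if prog in SYSTEM_TOOLS:
        return False, f"{prog}: container/system administration is blocked"
    if prog not in ALLOWED:                 # default deny: anything unlisted is blocked
        return False, f"{prog}: not on the allow list"
    if prog == "git":
        sub = next((a for a in args[1:] if not a.startswith("-")), None)
        if sub not in GIT_READ_ONLY:
            return False, f"git {sub}: only log/diff/blame/show are allowed"
    if prog in PATH_CONFINED:
        for a in args[1:]:
            if not a.startswith("-") and not in_writable_area(a):
                return False, f"{prog}: path escapes the workspace: {a}"
    return True, "ok"


def evaluate(cmd):
    """A command line is allowed only if every simple command in it is allowed."""
    try:
        segments = split_segments(tokenize(cmd))
    except ValueError as exc:               # unbalanced quotes etc.
        return False, f"unparsable command: {exc}"
    if not segments:
        return False, "empty command"
    for seg in segments:
        ok, reason = check_segment(seg)
        if not ok:
            return False, reason
    return True, "ok"


if __name__ == "__main__":
    for line in ["git log --oneline | grep fix", "git push origin main",
                 "rm -rf ../other-repo", "cat README.md > /etc/motd"]:
        print(f"{line!r:35} -> {evaluate(line)}")
```

Note that `npm install` passes this shell check; as the table says, registry installs fail because the network block is enforced separately, not because the command is refused.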
Network Isolation
Cloud agent containers have no outbound internet access by default. This prevents data exfiltration and reduces the attack surface.
Network Policy
| Direction | Policy | Details |
|---|---|---|
| Outbound to internet | Blocked | No HTTP, HTTPS, DNS, or raw socket access to external hosts. |
| Outbound to Creor API | Allowed | Agent communicates with the Creor API for LLM inference and status reporting. |
| Outbound to Git provider | Allowed (read-only) | Clone and fetch operations for the configured repository. |
| Inbound | Blocked | No inbound connections accepted. Container is not addressable. |
| Inter-container | Blocked | No container-to-container communication. |
Custom Network Rules (Enterprise)
Enterprise plan customers can configure custom network allow lists to permit access to specific internal endpoints (e.g., private package registries or internal APIs).
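The network policy table and the enterprise allow list together define a single egress decision, shown here as an added example (not Creor's enforcement code). Inbound and inter-container traffic are always refused; outbound HTTPS to the Creor API and to the Git provider is permitted; an enterprise allow list can add specific `host:port` entries, optionally with a `*.` prefix; everything else, including DNS, SSH to the Git provider and raw IP literals, falls through to default deny. The Creor API host name and the allow-list entry format are assumptions; the page shows neither.

```python
"""Egress decision for a cloud-agent connection, following the policy table.

Added example, not Creor's enforcement code. The Creor API host name is a
placeholder and the custom allow-list format ("host:port", with an optional
"*." prefix) is an assumption; the page shows neither.
"""
from dataclasses import dataclass, field

CREOR_API_HOSTS = {"api.creor.example"}                             # placeholder host name
GIT_PROVIDER_HOSTS = {"github.com", "gitlab.com", "bitbucket.org"}  # providers named on the page
HTTPS = 443


@dataclass
class Connection:
    direction: str      # "inbound", "outbound" or "inter-container"
    dest_host: str      # host name (or IP literal) the agent tries to reach
    dest_port: int
    protocol: str = "tcp"


@dataclass
class Policy:
    # Enterprise allow-list entries, e.g. {"npm.corp.internal:443", "*.corp.internal:443"}
    custom_allow: set = field(default_factory=set)


def _matches_allow_entry(entry, host, port):
    """'host:port' matches exactly; '*.suffix:port' matches any subdomain of suffix."""
    allowed_host, _, allowed_port = entry.rpartition(":")
    if not allowed_port.isdigit() or int(allowed_port) != port:
        return False
    if allowed_host.startswith("*."):
        return host.endswith(allowed_host[1:])     # ".corp.internal"
    return host == allowed_host


def decide(conn, policy=None):
    """Return ("allow" | "block", reason) for one connection attempt."""
    policy = policy or Policy()
    if conn.direction == "inbound":
        return "block", "no inbound connections are accepted"
    if conn.direction == "inter-container":
        return "block", "no container-to-container communication"
    if conn.direction != "outbound":
        return "block", f"unknown direction {conn.direction!r}"

    host = conn.dest_host.lower().rstrip(".")
    if conn.protocol == "tcp" and conn.dest_port == HTTPS:
        if host in CREOR_API_HOSTS:
            return "allow", "Creor API (inference and status reporting)"
        if host in GIT_PROVIDER_HOSTS:
            # Read-only is enforced by the clone credentials, not by the network layer.
            return "allow", "Git provider (clone/fetch)"
    if any(_matches_allow_entry(e, host, conn.dest_port) for e in policy.custom_allow):
        return "allow", "enterprise custom allow list"
    # Default deny covers everything else: other HTTP/HTTPS hosts, DNS (53/udp),
    # SSH to the Git provider, raw IP literals and any other socket.
    return "block", "outbound internet access is blocked by default"


if __name__ == "__main__":
    enterprise = Policy(custom_allow={"*.corp.internal:443"})
    print(decide(Connection("outbound", "github.com", 443)))
    print(decide(Connection("outbound", "pypi.corp.internal", 443), enterprise))
    print(decide(Connection("outbound", "8.8.8.8", 53, "udp")))
```

Because the allow list is keyed by host name, the enforcing proxy or resolver has to be the component that maps names to addresses; a decision made on a name the agent resolved itself would be bypassable.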
Data Handling
Creor takes a minimal-data approach to cloud agent execution. Here is what happens to your code at each stage.
During Execution
- Repository is cloned into the ephemeral container. The clone exists only in memory and on the container's temporary disk.
- Code chunks are sent to the LLM provider for inference. These are processed in real time and not stored by Creor.
- Tool call inputs and outputs are logged for the duration of the run to support status reporting and artifact collection.
After Execution
- Container and all file contents are destroyed immediately.
- Agent run metadata (status, timing, token counts) is retained for 90 days for billing and analytics.
- Artifacts (diffs, reports) are stored encrypted and retained for 30 days or until you delete them.
- Full conversation logs are retained for 7 days for debugging, then deleted.
What Creor Does Not Store
- Full repository contents beyond the agent run.
- Your API keys, secrets, or credentials found in the repository.
- LLM conversation history beyond the 7-day debugging window.
- File contents from files the agent read but did not include in artifacts.
Authentication & Access
Cloud agents authenticate using your workspace's API key and the Git provider integration you configured.
| Component | Authentication | Permissions |
|---|---|---|
| Creor API | API key (Bearer token) | Scoped to workspace. Cannot access other workspaces. |
| GitHub | Creor GitHub App (OAuth) | Repository access as configured. Read + write for PR comments. |
| GitLab | Personal access token | Scoped by token permissions. |
| Bitbucket | App password | Scoped by app password permissions. |
| LLM provider | Workspace credentials | Managed by Creor. Agent does not see raw API keys. |
API keys have configurable scopes. A key with the "Cloud Agents" scope can only launch and manage agent runs; it cannot access billing, team management, or other dashboard features.
Compliance
Creor's cloud infrastructure is designed to meet common compliance requirements.
| Standard | Status | Details |
|---|---|---|
| SOC 2 Type II | In progress | Audit expected to complete Q3 2026. |
| GDPR | Compliant | EU data processing agreement available on request. |
| CCPA | Compliant | California consumer privacy rights supported. |
| HIPAA | Not yet | Planned for enterprise tier. Contact sales for timeline. |
| Data residency | US (default) | EU data residency available for enterprise customers. |
Security FAQ
Can a cloud agent access my other repositories?
No. Each agent run is scoped to a single repository. The clone credentials are limited to the specific repository and branch you specify.
Can a cloud agent push commits to my repository?
No. Cloud agents have read-only Git access. They produce artifacts (diffs, comments) that you apply manually. The Bugbot integration posts PR review comments using the GitHub API, but it cannot merge, push, or modify branch protection rules.
Is my code used to train AI models?
No. Code processed by cloud agents via the Creor Gateway is never used for model training. If you use a third-party LLM provider directly (BYOK), check that provider's data policy.
What happens if a cloud agent encounters a secret in my code?
The agent includes a secret scanner that detects API keys, passwords, and tokens in code. If a secret is found, it is redacted in the agent's output and flagged as a security issue. However, this scanning is best-effort; use a dedicated secrets manager and avoid committing secrets to your repository.
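The redact-and-flag behaviour described in this answer, as an added example that is not Creor's scanner: a few well-known token shapes are matched directly, a generic `name = value` check catches credentials assigned to variables whose names suggest a secret, and a Shannon-entropy filter keeps placeholder values such as `aaaaaaaaaaaaaaaa` from being reported. The sample text is constructed; the AWS values in it are the publicly documented example credentials, not real keys.

```python
"""Best-effort secret detection and redaction for agent output.

Added example, not Creor's scanner. The patterns cover a few well-known token
shapes plus a generic "name = value" check with an entropy filter; the sample
text is constructed and uses the publicly documented AWS example credentials.
"""
import math
import re
from collections import Counter

# Order matters: specific shapes run before the generic assignment check.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_token": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36}\b"),
    "private_key_block": re.compile(
        r"-----BEGIN [A-Z ]*PRIVATE KEY-----[\s\S]*?-----END [A-Z ]*PRIVATE KEY-----"),
    "generic_assignment": re.compile(
        r"(?i)\b([A-Za-z0-9_]*(?:api[_-]?key|secret|password|token|key)[A-Za-z0-9_]*)"
        r"\s*[=:]\s*['\"]?([A-Za-z0-9_\-/+=]{12,})['\"]?"),
}
ENTROPY_THRESHOLD = 3.0   # bits per character; placeholders like "aaaa..." fall below


def shannon_entropy(s):
    """Bits of entropy per character of `s` (0.0 for a single repeated character)."""
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def redact(text):
    """Return (redacted_text, findings); findings are (kind, hint) pairs.

    Hints never contain the secret itself: a 4-character prefix for known
    token shapes, the variable name for generic assignments."""
    findings = []

    def substitute(kind):
        def _sub(m):
            if kind == "generic_assignment":
                value = m.group(2)
                if shannon_entropy(value) < ENTROPY_THRESHOLD:
                    return m.group(0)          # low-entropy value, likely a placeholder
                findings.append((kind, m.group(1)))
                whole = m.group(0)
                start, end = m.start(2) - m.start(0), m.end(2) - m.start(0)
                return whole[:start] + f"<redacted:{kind}>" + whole[end:]
            findings.append((kind, m.group(0)[:4] + "..."))
            return f"<redacted:{kind}>"
        return _sub

    for kind, pattern in PATTERNS.items():
        text = pattern.sub(substitute(kind), text)
    return text, findings


# Constructed sample output; AWS values are the publicly documented examples.
SAMPLE = """\
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
GITHUB_TOKEN=ghp_0123456789abcdef0123456789abcdef0123
-----BEGIN PRIVATE KEY-----
MIIfakebase64notarealkey==
-----END PRIVATE KEY-----
password = aaaaaaaaaaaaaaaa
# print(token) is just a word, not a secret
"""

if __name__ == "__main__":
    clean, found = redact(SAMPLE)
    print(clean)
    for kind, hint in found:
        print(f"flagged: {kind} ({hint})")
```

Running specific patterns before the generic check means a value that has already been replaced by a `<redacted:…>` marker cannot be matched a second time, and the entropy filter is what makes the "best-effort" caveat concrete: a low-entropy real password would slip through it, which is why the answer points to a secrets manager rather than relying on the scanner.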