Security and governance

Autonomous, and governed.

Law firms, accounting practices, and healthcare groups do not get to be casual about where their data goes or what software is allowed to act on its own. Neither do we. Every Hendricks line is built to be forwarded to your risk committee, not hidden from it.

Book a 20-minute walkthroughSee the governance stack
The core posture

Your data never leaves your tenant.

The single most important fact about a Hendricks deployment: it runs inside your own Google Cloud project, under your IAM, your billing, and your audit trail. There is no Hendricks data lake. There is no multi-tenant pool where your client records sit next to someone else's. We build the line in the environment you already govern, and on exit you keep all of it.

How we keep it safe

Eight controls, on every line.

The same production governance stack Google Cloud offers enterprise customers, configured and operated for service businesses. Identity, enforcement, filtering, logging, and a hard stop.

Your tenant, not ours
Every system we build is deployed into your own Google Cloud project, under your IAM, your billing, and your audit trail. Hendricks does not run a multi-tenant SaaS. We do not pool your data with other clients, and we do not retain it.
Shadow mode before live
Every line runs in shadow mode for 30 days before it touches production traffic. The agents observe, classify, and propose. Your team approves. We promote to live when the numbers say so, not on a calendar.
Identity per agent, per location
Agent Identity gives every agent its own scoped credentials. Multi-location firms get per-location identity, so access is least-privilege and every action traces to a specific agent in a specific place.
Escalation is enforced, not hoped for
Agent Gateway enforces the escalation rules you set. Anything outside the sanctioned zone routes to a human. The boundary is configuration, not a prompt the model can talk its way around.
Model Armor on every inbound
Inbound messages are filtered for prompt injection, abusive content, and PII before they reach the line. The agents stay inside the zone you sanctioned.
Every decision logged to BigQuery
Every signal, decision, conversation, and outcome is written to BigQuery in your project. If a customer gets a wrong answer, you see exactly what was said, when, by which agent, and why. Then you tune the boundary.
One switch stops everything
Every line is pauseable. A single kill switch halts all autonomous action immediately, and the audit trail shows exactly what ran up to that moment. You are never waiting on us to stop the line.
You keep everything on exit
Month-to-month after the first 90 days. On exit you keep the architecture, the agents, the data, and a written transition document. No exit fees. We never hold a client's data hostage.
Compliance, stated honestly

You inherit Google Cloud's certifications, not a new vendor risk.

Your environment runs on Google Cloud, which Google operates under independent SOC 2, SOC 3, ISO 27001, ISO 27017, ISO 27018, and HIPAA-eligible controls. Because the agents live in your tenant rather than a Hendricks-controlled system, the deployment fits under the agreements your firm already maintains with Google, instead of adding a new third party that holds your data. See Google Cloud compliance. On the walkthrough we map the exact data flows with your compliance lead so there are no surprises in procurement.

What risk committees ask

The questions before a yes.

Where does our data actually live?
In your own Google Cloud project. We deploy into your tenant, under your IAM and billing. Hendricks does not copy your data into a Hendricks-controlled environment, because there is no multi-tenant Hendricks environment. The data, the logs, and the models run inside the environment your firm already governs.
Is Hendricks SOC 2 or HIPAA certified?
Your deployment runs on Google Cloud, which Google operates under independent SOC 2, SOC 3, ISO 27001, ISO 27017, ISO 27018, and HIPAA-eligible controls. Hendricks does not hold its own SOC 2 report, and that is deliberate: there is no separate Hendricks system holding your client data to certify. Because the agents run inside your tenant, the deployment inherits the compliance posture and agreements your organization already maintains with Google, rather than introducing a new vendor that stores your data. We will walk your compliance lead through the exact data flows on the call.
What happens when an agent gets something wrong?
Three layers. Model Armor filters before. Agent Gateway enforces human escalation during. A full BigQuery audit trail records after. Most firms catch and fix edge cases in week one of shadow mode, before the line ever touches live traffic.
Can we audit what the agents did?
Yes. Every decision is logged to BigQuery in plain, queryable form: which agent, which signal, which decision, which outcome, and which escalations went to a human. Compliance has one place to look, and you can query it in plain English.
Can we stop the system immediately if we need to?
Yes. Every line is pauseable through a single kill switch that halts all autonomous action at once. Nothing waits on a Hendricks engineer. The audit trail captures the state at the moment you paused.
Who can the agents talk to, and what can they spend?
Only what you sanction. Agent Identity scopes credentials to least privilege, Agent Gateway enforces the escalation and action boundaries you define, and any action that would move money or step outside the sanctioned zone routes to a human for approval. Autonomous actions stay inside hard limits you set.
Bring your compliance lead

20 minutes. We map the data flows together.

Walk through exactly where your data lives, what the agents can and cannot do on their own, and how the audit trail and kill switch work. Bring the person who has to sign off. If it is not a fit we say so on the call.

Google Meet link sent on confirmation · open in new tab