# Suprbox

> Suprbox is a policy-gated vault that sits between your documents and any AI agent that reads them, enforcing rules, scoped keys, and immutable audit logs.

Suprbox is a secure storage layer that sits between your documents and any AI agent that wants to read them. Instead of handing an agent your Google Drive credentials or an S3 key, you upload documents into Suprbox vaults, attach rules, and give each agent its own scoped API key. Every read is authenticated, evaluated against your policies, and recorded in a signed audit log before a single byte leaves the vault.

## The Problem It Solves

AI agents are non-deterministic, which means the same prompt can pass one run and fail the next. A jailbroken model, a poisoned tool, or a forgotten test key can quietly exfiltrate data the agent never needed in the first place. Prompt guardrails sit at the model layer and try to catch bad behavior after the agent already has the keys to your storage. Suprbox moves protection down to the data layer, so even a misbehaving agent only sees what the policy says it can see.

## How It Works

The product is a Next.js application with a TypeScript SDK (`suprbox-sdk`) and a REST API. Documents live in encrypted vaults with per-vault keys. Each agent gets a long-lived bearer credential scoped to specific vaults, and every request flows through three checkpoints: authentication, policy evaluation, and signed delivery. The SDK is a thin client that serializes calls into the right HTTP shape, attaches the bearer token and any session lease, and surfaces `X-Policy-*` headers as a typed policy object on every response. It runs anywhere `fetch` exists: Node 18+, modern browsers, edge runtimes.

## Nine Rule Primitives

Policies are composed from primitives that match conditions and enforce actions. Classification rules match document sensitivity tags. Data detectors catch PII, secrets, and regulated data inline. Content keywords fire on business-sensitive phrases. Rate limits cap reads per hour. Time windows restrict access to approved hours. Read scope controls whether the agent gets metadata, an excerpt, or full content. Edit and delete rules gate write operations through human approval. Copy and download rules block raw exports or watermark responses. Session TTLs cap how long an agent lease lasts. Stack them per vault to get exactly the policy you want.
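
A minimal model of how stacked rules could be evaluated for a single read, covering four of the nine primitives. This is an added example, not Suprbox's code or policy format: the rule shapes, field names, and the "first deny wins, tightest scope wins" semantics are assumptions.

```typescript
// Hypothetical rule model for one vault; NOT the Suprbox SDK or its policy format.
type Scope = "metadata" | "excerpt" | "full";
type Rule =
  | { kind: "classification"; denyTags: string[] }
  | { kind: "timeWindow"; startHourUtc: number; endHourUtc: number }
  | { kind: "rateLimit"; maxReadsPerHour: number }
  | { kind: "readScope"; max: Scope };
interface ReadRequest {
  docTags: string[];     // sensitivity tags on the requested document
  wants: Scope;          // what the agent asked for
  at: Date;              // request time
  recentReads: number[]; // epoch ms of this agent's earlier reads
}
type Decision =
  | { effect: "deny"; rule: string; reason: string }
  | { effect: "allow"; scope: Scope };

const ORDER: Scope[] = ["metadata", "excerpt", "full"];

// Assumed semantics: the first deny wins; otherwise the tightest read scope wins.
function evaluate(rules: Rule[], req: ReadRequest): Decision {
  let scope: Scope = req.wants;
  for (const rule of rules) {
    if (rule.kind === "classification") {
      const hits = req.docTags.filter((t) => rule.denyTags.indexOf(t) !== -1);
      if (hits.length > 0)
        return { effect: "deny", rule: rule.kind, reason: "tagged " + hits.join(",") };
    } else if (rule.kind === "timeWindow") {
      const hour = req.at.getUTCHours();
      if (hour < rule.startHourUtc || hour >= rule.endHourUtc)
        return { effect: "deny", rule: rule.kind, reason: "hour " + hour + " outside window" };
    } else if (rule.kind === "rateLimit") {
      const cutoff = req.at.getTime() - 60 * 60 * 1000;
      const used = req.recentReads.filter((t) => t > cutoff).length;
      if (used >= rule.maxReadsPerHour)
        return { effect: "deny", rule: rule.kind, reason: used + " reads in the last hour" };
    } else if (ORDER.indexOf(rule.max) < ORDER.indexOf(scope)) {
      scope = rule.max; // narrow only: a rule can never widen what was requested
    }
  }
  return { effect: "allow", scope };
}

// Constructed sample policy stacking four primitives on one vault.
const SAMPLE_RULES: Rule[] = [
  { kind: "classification", denyTags: ["salary"] },
  { kind: "timeWindow", startHourUtc: 8, endHourUtc: 18 },
  { kind: "rateLimit", maxReadsPerHour: 2 },
  { kind: "readScope", max: "excerpt" },
];
```

Returning the denying rule and reason with every decision is what lets each deny or throttle be written to the audit log alongside the request.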

## Who It Is For

Suprbox is built for teams running real agents against real data: sales teams pointing research bots at finance folders without exposing salary files, legal teams letting an AI reviewer read contracts but never modify them, engineering orgs managing fleets of agents across multiple vaults with a permissions matrix, and HR departments where PII guards and business-hours rules keep sensitive records contained.

## Security Posture

Data is encrypted at rest with AES-256 using per-vault keys that can be rotated on demand. The architecture is zero-knowledge: Suprbox staff cannot read customer documents. Every event is signed and chained for tamper-proof audit, exportable to S3 or a SIEM with retention configurable up to seven years. Region pinning is available for US, EU, and APAC. The product is SOC 2 Type II audited annually, with reports available under NDA. A self-hosted option is offered on the Enterprise tier.

## Integrations

Suprbox works with the agents teams already build with: Claude, OpenAI, Gemini, Llama, and Mistral on the model side, and Cursor, LangChain, CrewAI, AutoGen, n8n, Zapier, and MCP on the orchestration side.

## Features
- Policy-gated read access between documents and AI agents
- Encrypted vaults with per-vault keys (AES-256 at rest)
- Scoped API keys per agent with vault bindings
- Nine rule primitives: classification, data detector, content keywords, edit/delete, rate limit, time window, read scope, copy/download, session TTL
- Human-in-the-loop approval queue for sensitive operations
- Immutable, signed audit log for every read, deny, and throttle event
- PII, secret, and regulated data detection with inline masking or redaction
- TypeScript SDK with typed X-Policy-* headers on every response
- REST API surface in front of existing storage
- Region pinning for US, EU, and APAC data residency
- SOC 2 Type II audited annually
- Self-hosted option available on Enterprise tier
- Audit log export to S3, SIEM, or custom destination with up to 7-year retention
- Watermarking and download blocking for read responses
- Per-vault session leases with configurable TTL

## Integrations
Claude, OpenAI, Gemini, Llama, Mistral, Cursor, LangChain, CrewAI, AutoGen, n8n, Zapier, MCP

## Platforms
WEB, API, DEVELOPER_SDK

## Pricing
Freemium — Free tier available with paid upgrades

## Version
1.0

## Links
- Website: https://www.suprbox.com
- Documentation: https://www.suprbox.com/docs
- EveryDev.ai: https://www.everydev.ai/tools/suprbox
