Agents are powerful — they touch code, credentials, and connected tools. Bleenk cloud isolates each project in sandboxes, encrypts secrets, and lets you gate risky operations with explicit approvals.
Sandbox isolation
- Agents run inside project containers — not on your laptop filesystem
- Shell and file tools are scoped to the workspace volume
- Network access follows workspace policy and connector configuration
Secrets & credentials
Encryption at rest
OAuth tokens, API keys, channel credentials, and deploy secrets use server-side encryption.
No secret echo
Agents cannot read existing secret values — only propose new keys.
Password hashing
Account passwords use modern one-way hashing; 2FA codes are short-lived.
Approvals & permissions
Configure approval policies per agent: destructive file edits, shell commands, external API calls, and MCP tools can pause for Accept / Reject in chat before running.
Your data on Bleenk cloud
Projects live on Bleenk-managed infrastructure. Prompts are sent to the model providers you configure (Bleenk routing or BYOK). We do not sell customer data. Export anytime via git remotes or workspace export tools.
Compliance
Enterprise customers can request security documentation and DPA terms via /contact.