Paperclip Security Best Practices
AI agents handle sensitive data, execute actions on behalf of users, and interact with external services. Security isn’t optional — it’s foundational. Here’s how to secure your Paperclip agents.
Threat Model
Paperclip agents face three primary threat categories:
- Prompt injection — malicious inputs designed to override agent behavior
- Credential exposure — API keys and secrets leaked through logs or responses
- Data leakage — sensitive information exposed to unauthorized parties
Let’s address each.
Prompt Injection Defense
Prompt injection is the #1 security concern for AI agents. A user crafts input designed to make the agent ignore its instructions and perform unintended actions.
Input Sanitization
- Validate inputs — reject or escape special characters that could be interpreted as instructions
- Limit input length — cap user messages at a reasonable length (e.g., 10,000 characters)
- Separate instructions from data — use clear delimiters between system instructions and user input
Principle of Least Privilege
- Give agents access only to the tools they need
- Restrict tool permissions (read-only where possible)
- Use separate agents for sensitive operations
- Never give an agent more access than the user making the request
Output Filtering
- Scan agent outputs for sensitive information before returning to users
- Filter credentials, API keys, and internal URLs from responses
- Log outputs for security audit trails
API Key and Secret Management
Use Environment Variables
Never hardcode secrets in agent configuration or prompts:
# Bad
"Your database connection string is postgresql://user:pass@db.internal:5432"
# Good
"Connect to the database using the DATABASE_URL environment variable"On HostAgentes, environment variables are encrypted at rest and never exposed in logs or API responses.
Key Rotation
Rotate API keys regularly:
- LLM provider keys — every 90 days
- Database credentials — every 90 days
- Agent API keys — every 60 days
- Webhook secrets — every 90 days
Key Scoping
Create separate API keys for:
- Each application that calls your agent
- Development vs production environments
- Read-only vs read-write operations
Revoke keys immediately when no longer needed.
Data Handling
Data Classification
Classify the data your agent handles:
| Level | Examples | Handling |
|---|---|---|
| Public | Product info, docs | Standard |
| Internal | Team processes, metrics | Encrypted at rest |
| Sensitive | User emails, preferences | Encrypted + access logging |
| Critical | Payment info, SSNs | Encrypted + audit trail + DLP |
Data Retention
Define retention policies:
- Conversation logs — 90 days default
- Memory (vectors) — until explicitly deleted
- Tool call logs — 90 days default
- Audit logs — 1 year minimum
Data Residency
For compliance (GDPR, etc.), deploy agents in the correct region:
- EU data → EU regions
- US data → US regions
- HostAgentes supports 42 global regions
Network Security
TLS Everywhere
All communication with your agent uses HTTPS/TLS. On HostAgentes, this is automatic — SSL certificates are provisioned and renewed automatically.
IP Whitelisting
Restrict which IP addresses can call your agent’s API endpoint. Configure in the dashboard under Agent Settings → Security.
Rate Limiting
Protect against abuse with rate limits:
- Per-key request limits
- Per-IP request limits
- Daily token usage caps
- Automatic blocking of abusive patterns
Compliance Considerations
SOC 2
For SOC 2 compliance, you need:
- Audit logging of all agent decisions
- Encrypted data at rest and in transit
- Access controls and key management
- Incident response procedures
GDPR
For GDPR compliance:
- Deploy in EU regions
- Implement data deletion capabilities
- Provide data export on request
- Maintain processing records
HIPAA
For healthcare data:
- Business Associate Agreement (BAA) with hosting provider
- Enhanced encryption standards
- Access controls and audit logging
- Breach notification procedures
Security Checklist
- All secrets stored as environment variables (never in config)
- API keys rotated on schedule
- Input validation enabled
- Output filtering configured
- Rate limiting active
- Agent uses least-privilege tools
- Data retention policies set
- Agent deployed in correct region
- Audit logging enabled
- Monitoring alerts configured for security events
Security on HostAgentes
HostAgentes handles most security infrastructure for you:
- Automatic SSL/TLS for all endpoints
- Encrypted environment variables at rest
- Built-in rate limiting
- Audit logging of all requests
- 42 regions for data residency
- Automatic security patching
Related Posts
Paperclip Governance: Compliance, Policies, and Guardrails
How to implement governance for Paperclip agents — content policies, output filtering, audit trails, compliance frameworks, and responsible AI deployment.
Best Practices for Running Paperclip Agents in Production
Production-ready Paperclip agent deployments require careful attention to error handling, monitoring, security, and scaling. Here are 12 best practices we've learned from running thousands of agents.
AI Agent Governance: A Framework for Enterprise Adoption
A practical governance framework for deploying AI agents in enterprise environments — covering risk classification, policy enforcement, audit trails, and the compliance requirements that matter.