Skip to main content

Your API, agent-payable

Live with Exa. Get paid by AI agents.

How?

Trust

Security & Compliance at Nevermined

Nevermined moves real money on behalf of AI agents, so the infrastructure is built to the standard banks and auditors expect: ISO 27001 certified, SOC 2 Type II audited, and PCI SAQ-D compliant, with card data tokenized at capture and never stored.

Visit the Trust Center

Live compliance status, security documentation, and report requests under NDA.

Certifications and attestations

ISO 27001

Certified information security management system covering data residency, access controls, and incident response.

SOC 2 Type II

Independently audited for security, availability, and confidentiality over an extended observation period.

PCI SAQ-D

Card data is captured by VGS (PCI Level 1) and tokenized before it enters our systems. Nevermined never stores raw PANs.

GDPR

Personal data is minimized, encrypted, and deletion requests are honored within the required timeframes.

FIDO2

Phishing-resistant, hardware-bound passkey authentication for card enrollment and account access.

How we protect payment data

  • Card data never touches our servers. Cards are captured and tokenized by VGS, a PCI Level 1 certified vault. Nevermined never stores raw card numbers; agents receive scoped virtual card credentials, never PANs.
  • Encryption everywhere. AES-256 at rest and TLS 1.3 in transit, across the entire data pipeline.
  • Strong authentication. Card enrollment enforces Strong Customer Authentication (3DS or FIDO2 passkeys), phishing-resistant and hardware-bound.

Security built for autonomous agents

Agent payments introduce risks that traditional payment security does not cover: software making purchasing decisions without a human at the keyboard. Nevermined's controls are designed for exactly that.

  • Scoped mandates. Every agent operates within user-defined rules: per-transaction caps, daily limits, merchant restrictions, and time windows.
  • Instant revocation. One API call revokes an agent's purchasing power. No grace period, no cached tokens.
  • Complete audit trail. Every transaction is logged with agent ID, amount, merchant, and timestamp: exportable for SOC 2, ISO 27001, and regulatory audits.
  • Verifiable identity. On-chain agent identity (ERC-8004) prevents spoofing; signature checks prove provenance.

Frequently asked questions

Is Nevermined SOC 2 compliant?

Yes. Nevermined maintains SOC 2 Type II compliance, independently audited for security, availability, and confidentiality. Enterprise customers can request the report under NDA via our Trust Center.

Is Nevermined ISO 27001 certified?

Yes. Nevermined operates an ISO 27001 certified information security management system covering data residency, access controls, and incident response. The certificate is available via our Trust Center.

How does Nevermined handle card data?

Card data is captured by VGS, a PCI Level 1 certified vault, and tokenized before it enters Nevermined's systems. Nevermined never stores raw card numbers and operates at PCI SAQ-D level. Agents receive scoped credentials, never card numbers.

Is Nevermined GDPR compliant?

Yes. Personal data is minimized and encrypted with AES-256 at rest and TLS 1.3 in transit. Data deletion requests are honored within the required timeframes, and all transaction logs are exportable for regulatory audits.

How are agent payments kept secure?

Every agent operates under a scoped mandate: per-transaction caps, daily limits, merchant rules, and time windows. Delegation is revocable with one API call, with no grace period and no cached tokens. Every transaction is logged with agent ID, amount, merchant, and timestamp for full auditability.

How do I request Nevermined's audit reports?

The SOC 2 Type II report, ISO 27001 certificate, and PCI attestation of compliance are available under NDA through the Nevermined Trust Center, where you can also monitor live compliance status and subscribe to updates.

Need our reports for a vendor review?

The SOC 2 Type II report, ISO 27001 certificate, and PCI attestation of compliance are available under NDA through the Trust Center. For anything else, security questionnaires or architecture reviews, contact us.

trustcenter.nevermined.ai