Built for engineering teams that ship under audit.
Disco Parrot keeps your source, your secrets, and your agents inside boundaries your security team can verify.
Architecture
Where your code goes, and where it doesn't.
Your repo tokens never reach the browser. They never reach the sandbox where the agent runs. They're resolved server-side from Azure Key Vault at clone time, scoped per repo, and discarded with the session.
Architecture diagram (flattened): You (browser session) → Control plane (Disco Parrot) → Ephemeral sandbox (Docker / ACA) → Git provider (GitHub / ADO / Bitbucket); AI model: your choice, your terms.
Token boundary
Tokens resolved from Azure Key Vault at the control plane. Never reach the browser. Never reach the sandbox's agent context.
Session lifetime
Sandbox created per run, mounted with the scoped token server-side, destroyed at session end. No persistent state.
Audit trail
Every agent turn, tool call, and file write persisted. Queryable, exportable, mapped back to the spec that triggered it.
Isolation
Every agent session runs in an ephemeral, isolated sandbox.
Path-contained Docker container in dev, Azure Container Apps in production. Destroyed when the session ends. No persistent state between sessions. Bearer-token auth on every sidecar endpoint (mandatory in production, optional in dev).
- One sandbox per session — sessions never share a workspace
- Filesystem path containment enforced by the sidecar
- Network egress allowlisted; agents reach what you authorize
- Session transcript exportable to your SIEM
1. Create: Sandbox spun up per run. Resource-isolated. No state from prior sessions.
2. Mount: Repo cloned with token resolved server-side from Key Vault. Token sits outside agent context.
3. Run: Agent executes its multi-step flow. Every turn logged. Tool calls bounded by sidecar bearer-token auth.
4. Destroy: Sandbox torn down at session end. Token discarded. Audit log persists.
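As an added illustration of the two sidecar controls described above (bearer-token auth on every sidecar endpoint, mandatory in production and optional in dev, plus filesystem path containment), here is a small Python sketch. It is not Disco Parrot's code; the `Sidecar` class, the `Authorization: Bearer` header shape, the `SidecarError` type and the constructed requests in `demo()` are assumptions made for the example.

```python
"""Hypothetical sidecar checks for an ephemeral agent sandbox (illustration only)."""
import hmac
import secrets
import tempfile
from pathlib import Path
from typing import Optional


class SidecarError(Exception):
    """Raised when a request fails authentication or leaves the workspace."""


class Sidecar:
    def __init__(self, workspace: Path, require_auth: bool = True):
        # Canonicalise once so containment compares resolved paths, not strings.
        self.workspace = workspace.resolve()
        # Assumed switch: mandatory in production, optional in dev.
        self.require_auth = require_auth
        # Per-session secret: created with the sandbox, discarded with it.
        self.session_token = secrets.token_urlsafe(32)

    def authorize(self, authorization_header: Optional[str]) -> None:
        """Reject any call whose bearer token is missing or wrong."""
        if not self.require_auth:
            return
        if not authorization_header or not authorization_header.startswith("Bearer "):
            raise SidecarError("missing bearer token")
        presented = authorization_header[len("Bearer "):]
        # Constant-time compare so a wrong token cannot be guessed byte by byte.
        if not hmac.compare_digest(presented, self.session_token):
            raise SidecarError("invalid bearer token")

    def contain(self, requested: str) -> Path:
        """Map an agent-supplied path onto the workspace, or refuse it."""
        # Joining an absolute path discards the workspace prefix, and '..' or
        # symlinks can climb out; resolve() then is_relative_to() catches all three.
        candidate = (self.workspace / requested).resolve()
        if not candidate.is_relative_to(self.workspace):
            raise SidecarError(f"path escapes workspace: {requested}")
        return candidate

    def write_file(self, authorization_header: Optional[str], requested: str, data: bytes) -> Path:
        """One 'tool call': auth first, then containment, then the write."""
        self.authorize(authorization_header)
        target = self.contain(requested)
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(data)
        return target


def demo() -> dict:
    """Run constructed requests through the checks and report each outcome."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        ws = Path(tmp) / "workspace"
        ws.mkdir()
        sc = Sidecar(ws)
        good = f"Bearer {sc.session_token}"

        # Legitimate write inside the workspace.
        written = sc.write_file(good, "src/app.py", b"print('hi')\n")
        results["in_workspace"] = written.is_relative_to(sc.workspace)

        # Constructed escape attempts: traversal, absolute path, symlink out.
        escapes = {"traversal": "../../etc/passwd", "absolute": "/etc/passwd"}
        try:
            (ws / "link").symlink_to(Path(tmp))  # points one level above the workspace
            escapes["symlink"] = "link/escape.txt"
        except OSError:
            results["symlink"] = "skipped"
        for name, req in escapes.items():
            try:
                sc.write_file(good, req, b"x")
                results[name] = "allowed"
            except SidecarError:
                results[name] = "refused"

        # Auth failures: wrong token and no token at all.
        for name, header in {"bad_token": "Bearer not-the-token", "no_token": None}.items():
            try:
                sc.write_file(header, "src/app.py", b"x")
                results[name] = "allowed"
            except SidecarError:
                results[name] = "refused"

        # Dev-mode sidecar with auth switched off still enforces containment.
        dev = Sidecar(ws, require_auth=False)
        results["dev_no_auth"] = dev.write_file(None, "notes.txt", b"ok").is_relative_to(dev.workspace)
    return results


if __name__ == "__main__":
    for check, outcome in demo().items():
        print(f"{check:14} {outcome}")
```

The order inside `write_file` is deliberate: an unauthenticated caller never reaches the path logic, and every accepted path is compared after `resolve()` so that `..`, absolute paths and symlinks planted inside the workspace are all judged by where they actually land.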
Where it runs
Run the sandbox fleet inside your cloud.
Disco Parrot supports a BYO-sandbox model: deploy our sandbox fleet inside your Azure, AWS, or on-prem environment so agents can reach internal APIs and VPN-gated services without leaving your network.
Default
Disco Parrot multi-tenant cloud
Hosted in Azure with region selection. Standard tenant isolation, ephemeral per-session sandboxes, scoped per-repo credentials.
- Region selection at sign-up
- Per-session sandbox isolation
- Zero shared state between tenants
Enterprise option
BYO sandbox — in your cloud
Run the sandbox fleet inside your own Azure / AWS / on-prem network. Agents reach internal APIs and VPN-only services. Customer data never leaves your perimeter.
- Sandbox fleet in your VNet
- Reach internal APIs & private artifact feeds
- No egress to a vendor cloud
AI model
Your model. Your terms. Your data.
Customer chooses the AI model — GitHub Copilot, Claude, GPT, or any MCP-compatible provider. Customer repos feed the chosen model as context only, never used to train Disco Parrot or the underlying model. The ZDR and DPA surface area lives between you and your model provider; Disco Parrot doesn't get in the way.
Your work stays your work.
Other AI dev tools
Vendor owns the model relationship. You inherit whatever ZDR / DPA terms the vendor has with their provider. Renegotiating is hard. Changing models means changing tools.
Disco Parrot
You own the model relationship. Your existing ZDR / DPA with Anthropic / OpenAI / Azure OpenAI / your enterprise Copilot agreement applies directly. Disco Parrot is the orchestrator, not the model vendor.
Controls
Built for the controls your security team already runs.
Identity
Microsoft Entra ID + customer SSO for users. SCIM provisioning available on request.
Source-control auth
GitHub App, Azure DevOps PAT, or Bitbucket App Password. Held server-side in Key Vault; never sent to the browser.
Audit trail
Per-turn audit log. Every agent turn, tool call, and file write persisted with timestamp and actor.
SIEM export
JSON export of audit events. Webhook / object-store destinations for Splunk, Sentinel, Datadog, S3, or Blob.
Compliance
Compliance status — no fudging.
The whole table. What we have, what's in progress, what's on the roadmap. Subscribe below to be notified when a status changes.
| Standard | Status |
|---|---|
| SOC 2 Type I | In scoping |
| SOC 2 Type II | Targeted |
| ISO 27001 | On roadmap |
| ISO 42001 (AI Management) | On roadmap |
| GDPR | Compliant |
| HIPAA / BAA | Not yet supported |
Subscribe to security updates
One email when an audit kicks off. One email when a report lands. That's it. No marketing drip, no list-sharing.
Sub-processors
Sub-processors and infrastructure.
Every third party that may touch customer data, named. We notify you 30 days before adding or changing a sub-processor.
| Provider | Purpose |
|---|---|
| Microsoft Azure | Compute, Key Vault, Container Apps, hosting |
| Microsoft Entra ID | Customer SSO + identity for users |
| Azure Communication Services | Transactional email (lead capture, notifications) |
| Cloudflare | CDN, edge security, DNS, DDoS mitigation |
| PostHog | Anonymous web analytics (no PII) |
| Customer-elected AI model provider | LLM inference (Copilot, Claude, GPT, MCP). The contract is between you and your provider; Disco Parrot doesn't own this relationship. |
For sub-processor change notifications, subscribe to security updates above or email security@discoparrot.com.
Vulnerability disclosure
Report a vulnerability.
We take vulnerability reports seriously. Researchers acting in good faith get acknowledgement, safe-harbor, and credit (with your consent).
- Acknowledgement: within 5 business days
- Safe-harbor: we will not pursue legal action against good-faith research consistent with our policy
- Credit: public acknowledgement with your consent after the fix lands
Scope
In scope: production Disco Parrot platform (web, API, sandbox runtime). Out of scope: third-party services (Azure, GitHub, model providers), denial-of-service testing, social engineering.
Send the report to security@discoparrot.com
Security review
On your timeline.
The artifacts your CISO needs — in the format they expect, on the cadence your review demands.