Report A Vulnerability
Send security reports to security@adagio.run. Include enough detail for us to reproduce the issue, such as affected URLs, account context, timestamps, browser details, and a minimal proof of concept when possible.
Responsible Disclosure
- Do not access, modify, delete, or exfiltrate another user's data.
- Do not disrupt service availability or run destructive tests.
- Do not disclose a vulnerability publicly before we have had a reasonable chance to investigate and remediate it.
- Stop testing and contact us if you encounter personal data, research data, credentials, secrets, or private pipeline content.
Current Security Posture
Adagio uses hosted authentication, server-side authorization checks, private backend service boundaries, scoped service tokens where needed, and HTTPS in production. Before paid hosted runs go live, we should publish a more detailed security overview covering encryption, backups, retention, subprocessors, incident response, and account recovery.
Sensitive Data
Unless a separate written agreement explicitly allows it, do not upload protected health information, regulated clinical data, or identifiable human genomic data. Contact us before using Adagio for workflows that may be subject to HIPAA, GDPR special-category data rules, institutional review requirements, or similar obligations.
Security Contact File
Automated tools can also find our security contact at /.well-known/security.txt.