A Agent A / docs
DOCUMENTATION

Security

How Agent A protects your data, credentials, and workspace.

Agent A is built and hosted by Letaido on behalf of Ahrefs and inherits Ahrefs's broader security posture (covered in Ahrefs Security Measures). This page summarizes the workspace-specific guarantees on top.

Your data stays inside the perimeter

Workspace data (chat history, files, generated content) lives inside Ahrefs and Letaido infrastructure. It leaves only when you ask the agent to do something that requires it (an LLM call, an approved connector call), and the destination is one you've explicitly enabled.

We do not sell your data, share it with third parties for advertising, or use it to train external models.

Credentials are scoped and never exposed

Credentials you connect (Ahrefs, Slack, HubSpot, and so on) are stored encrypted and accessed by reference. The raw values are never shown in chat, logs, or generated code.

Each credential is scoped to a specific provider, a specific surface (the agent, your team's internal Console, your public site), and a specific workspace. Granting one does not grant the others. Workspace owners or admins approve every credential explicitly; the agent cannot install or rotate one on its own. You can revoke at any time, and revocation is immediate.

Internal and public are kept apart

Each workspace has two surfaces: the Console your team uses internally, and the public site the open internet can reach. They are deliberately separated. Internal data does not appear on a public URL unless you explicitly publish it, and the public site cannot read back into the Console.

Public sites have three explicit modes (off / authorized / open) and only a workspace owner or admin can change them. The agent itself cannot flip a site to public.

The agent runs under least privilege

The agent cannot install a connector, rotate a secret, change billing or domain settings, or reach a new external service without an owner-or-admin approval click. Every privileged action surfaces in your workspace UI before it happens. There are no silent installs.

For the full list of what the agent will not do without you, see Limits & boundaries.

Operations

Workspaces run in isolated execution sandboxes with resource quotas. Letaido continuously monitors infrastructure, separates production and testing environments, and keeps access logs for audit. Software, infrastructure, and connector additions go through review before they reach your workspace.

Reporting a security issue

If you think you have found a vulnerability in Agent A or one of its connectors, please contact Ahrefs security through the channels listed in Ahrefs Security Measures. Do not post vulnerability details in a public site or a shared chat.

FAQ

Are my Ahrefs queries or workspace data used to train AI models? No. Workspace data and connector calls are not used to train external models. LLM calls go to the provider's API under that provider's no-train commitments where applicable.

Where is my workspace hosted? In the region you selected when creating the workspace. Workspace data is processed and stored in that region. Contact support for specifics needed in a compliance review.

Can I delete my workspace and the data inside it? Yes. A workspace admin can request deletion from workspace settings. Deletion removes workspace data from active systems, with backups expired according to the standard retention schedule.

Does Letaido or Ahrefs read my chats? No. Workspace data is private to your team. Letaido staff access workspace contents only when you raise a support request that requires it, with your explicit consent on that request.

Last updated 2026-06-11