Five principles. And why we don't compromise on them.
Our cybersecurity rests on five engineering and governance choices that decide whether protection actually holds. Here's each one — and the reasoning behind it.
-
Security by design & by default
built in Rust
A stack that is memory-safe by design — the same technology that protects Cloudflare, Discord and the Linux and Windows kernels.
Why it matters: roughly 70% of the critical vulnerabilities historically reported by Microsoft and Google are memory-safety bugs — use-after-free, buffer overflows, double frees. By writing in Rust we remove that entire class at the root, instead of chasing it patch after patch. Fewer vulnerabilities by construction means a smaller attack surface for you, and less emergency maintenance for everyone.
-
Sovereign
Linux, EU stack
A European stack, end to end: where your data lives, which jurisdiction governs it, which dependencies run it — all under control.
Why it matters: NIS 2, DORA and the AI Act all demand control over where data and dependencies sit. A security provider running on a non-EU cloud quietly re-introduces the exact risk it's meant to reduce — opaque transfers, foreign legal access, lock-in. Sovereignty means a clear jurisdiction, no vendor lock-in, and no undocumented data leaving the EU.
-
Auditable
Open Source first
Auditable dependencies, an SBOM generated at build time. Nothing you have to take on faith.
Why it matters: trust isn't declared, it's verified. If you can't read the code that protects your company, you're delegating trust to a brand and a marketing claim. Open source and a software bill of materials give you the right to check — supply-chain provenance, known-vulnerability exposure, what actually runs — rather than just hoping the vendor got it right.
-
Accountable
Human-in-the-Loop
AI accelerates the work. A person decides. The calls that carry consequences are always made by a human.
Why it matters: a model doesn't answer to a judge, a regulator or a board. The decisions that matter in security — incident severity, escalation, crisis communication, what to disclose and when — need someone who is accountable for them. We use AI to amplify expert judgement and move faster, never to replace the person who has to own the outcome.
-
Coherent
self-applied
We hold ourselves to the very standards we implement for clients — and we can prove it.
Why it matters: we don't sell a security posture we don't practise. Agorà Security is ISO/IEC 27001, ISO/IEC 27017 and ISO 9001 certified, NIS 2 and AI Act self-assessed, GDPR by design — evidence published in our Trust Center, not behind a sales gate. If a control doesn't hold up for us, we don't recommend it to you.
These five aren't a slogan: they're the criteria we use to choose technology and design services. The proof is in the Trust Center.
Principles you can question.
Disagree with one of them? Want to see how they translate into a concrete engagement? That's exactly the conversation we like to have.