This article answers some of the most frequently asked questions (FAQ) about Payhawk’s security strategy for its AI agents.
How secure is the Payhawk platform when using AI agents?
Payhawk’s AI agents operate under the same security framework and controls as the rest of the Payhawk platform. This includes segregated environments to limit potential impact and role-based access controls (RBAC) to ensure AI agents’ permissions are restricted to their intended function.
How are confidential team communications and sensitive data safeguarded?
Communication is transmitted over TLS-encrypted channels.
Sensitive request data is logically segregated per customer account and user, preventing cross-tenant data access.
Access to the service is authenticated using existing identity and access management controls.
What level of security is implemented for the Travel AI Agent?
The Travel AI Agent is implemented using a defense-in-depth approach. It operates as a standalone service that is logically and technically segmented from the cardholder data environment (CDE). The AI Agent does not process, store, or transmit payment card data.
All payments are securely handled by a trusted PCI DSS-compliant third-party payment provider, ensuring alignment with industry standards. Access controls, authentication, and data segmentation are applied to ensure that requests remain isolated per customer account and per user.
Is there any risk of data leakage when using the Travel AI Agent?
As with any system that processes user-submitted text, there is a residual risk if controls are misused or if users intentionally or unintentionally provide information beyond what is required.
That said, multiple safeguards are in place to minimize this risk:
Purpose-limited access - The AI Agent operates strictly within a defined and restricted scope, limited to handling travel-related requests only.
No access to sensitive financial data - The AI Agent has no access to cardholder data, payment credentials, or internal financial systems.
Data minimization - Only the minimum information necessary to fulfil a travel booking request is processed.
Isolated payment processing - All payments are handled by a PCI DSS-compliant third-party payment provider, ensuring that payment data is never exposed to or processed by the AI Agent.
These controls are designed to reduce the likelihood and impact of data leakage while supporting secure and efficient travel order processing.