Security is the architecture, not a feature.
Encryption everywhere, customer-managed keys, and policy-gated autonomous action — with a cryptographically signed audit trail behind every decision.
Encrypted everywhere, owned by you.
- Encryption at rest: AES-256-GCM for all persisted data, with customer-managed keys via AWS KMS, Azure Key Vault, or HashiCorp Vault.
- Encryption in transit: TLS 1.3 mandatory; mutual TLS for all inter-service communication.
- PII tokenization: Format-preserving encryption for sensitive identifiers.
- Zero-knowledge on-prem: Raw customer data never leaves the customer environment in on-premise deployments.
Least privilege, enforced and logged.
- Role-based access with attribute-based policy overlays (RBAC + ABAC).
- SCIM provisioning and SAML/OIDC single sign-on.
- Just-in-time elevated access via PAM integration.
- Immutable, tamper-evident audit store for all admin actions.
Nothing fires without a matching rule.
Every autonomous action is governed by Open Policy Agent (OPA). No agent can act without a matching allow rule, and every action is logged with cryptographically signed, Merkle-anchored audit trails.
Certifications shown as targets — never before earned.
We display each certification's status honestly. The dates below are targets on our roadmap, not achieved certifications. Badges appear only once an audit completes.
| Certification | Scope | Target |
|---|---|---|
| SOC 2 Type II | Security, Availability, Confidentiality | Year 1 |
| ISO 27001 | Information security management | Year 1–2 |
| GDPR / CCPA | Data residency and privacy | Year 1 |
| PCI DSS Level 1 | Card-data handling pathways | Year 2 |
| FedRAMP Moderate | US public-sector deployments | Year 2–3 |
Target — not yet certified. Status updates as each audit completes.
Bring security questions. We have answers.
Walk through our architecture, key management, and deployment models with our team.