Security Overview
Security architecture, engineered in from the start. Encryption at every layer, zero-trust access, full audit trail, PII anonymization, EU data sovereignty. Built to satisfy regulators before you're asked.
The pillars
| Pillar | What it covers | Docs |
|---|---|---|
| Identity & RBAC | Who can do what, down to individual documents | Auth & RBAC |
| Zero-Trust | Nothing trusted by default — every request verified | Zero-Trust |
| Encryption | In transit (TLS 1.3), at rest (AES-256), in use | Encryption |
| Anonymization | PII replaced with reversible tokens before leaving perimeter | Anonymization |
| Audit Log | Every action immutably logged, exportable | Audit Log |
| GDPR & Compliance | Regulatory frameworks aligned by architecture | GDPR & Compliance |
What we aim for
Data sovereignty
Your data stays where you put it. EU-hosted by default. Self-hostable for workloads that can’t leave your infrastructure. Air-gappable for classified environments. No transatlantic data transfers unless you explicitly opt in.
Least privilege
Every user, every agent, every tool has the narrowest possible access. Per-Base, per-document, per-action. No “just give admin for now” anti-pattern — our roles are granular enough that you don’t need to.
Deterministic guarantees
Where security matters most, rules run before ML. Dictionary-based anonymization produces 100% coverage of known terms. Allowlists are absolute. RBAC decisions are not probabilistic.
Auditable by default
Every action logged. Every config change attributed. Every approval signed. Export-ready for internal audit, external auditors, regulators, or court proceedings.
Compliance frameworks
We align with or certify to:
| Framework | Status |
|---|---|
| GDPR | Core. DPA template in every contract. |
| EU Data Act | Aligned — data portability first-class |
| DORA | Aligned — operational resilience requirements met |
| ISO 27001 | In progress |
| SOC 2 Type II | In progress (Q3 2026) |
| IEC 62443 | Industrial control systems — guidance aligned |
| NIS2 | Critical infrastructure aligned |
| HIPAA-equivalent | For US healthcare partners on request |
Breach & incident policy
- Contractual breach notification within 24 hours
- Public incident log with post-mortems
- Bug bounty programme for security researchers
- Penetration test reports available on request (under NDA)
Security review resources
Everything your CISO / DPO needs, available on request:
- Security architecture document
- Penetration test reports (latest + historical)
- DPA / SCC templates
- SOC 2 scope (once certified)
- Data flow diagrams
- Subprocessor list
- Incident response playbooks
Related
- StellarGate — privacy proxy product detail
- Air-gapped — maximum-isolation deployments