Security and Compliance
Built for industrial buyers in regulated environments.
Deployment posture
The deployed product runs entirely on customer hardware with no outbound network calls: air-gapped and on-premise. No customer operational data leaves the customer site. Development is air-gapped from production data; builds use structured and synthetic prompts, never raw production data from customer systems.
Data handling
An append-only event log architecture provides immutability and a complete audit trail: state is derived from the log, never edited directly. All access is governed by role-based permissions with full audit logging. Backup and recovery follow customer-defined retention policies, and data residency stays at the customer site.
Standards
- ISO 27001 design principles for information security management.
- GDPR compliance for European data handling.
- NIS2 alignment for critical infrastructure cybersecurity in the European Union.
- Industry-specific regulations supported per customer (industrial fiscalisation, environmental compliance, occupational safety, banking, healthcare).
Current posture
We are pre-SOC 2. Our architecture and operating practices follow SOC 2 design principles, and we will pursue formal certification once revenue scale justifies the audit cost. For customers requiring SOC 2 today, we provide our security controls documentation under NDA.
Let's see if your operation fits.
We work with industrial operators where reality is fragmented and digital control is weak. If that describes your operation, tell us what you run.
Or email us directly at admir.malaj@weorchestrate.tech.