Built for the kind of trust enterprise demands.
Compliance, security, privacy, and operational transparency in one place. The same posture you would run yourself - audited by independent firms, documented, and accountable.
Audited, documented, accountable.
Where we stand today and where we are heading. Status is honest - in-progress is in-progress, on-request is on-request. Attestation letters available under NDA.
SOC 2 Type II
Independently audited annually by a top-tier CPA firm. Bridge letter available; full report shared under NDA.
GDPR & DSGVO
Article 28 ready, EU data residency by default, full data subject rights, processor-of-record documented per activity.
DPA
Sign our standard DPA electronically in minutes - no legal review back-and-forth required for the baseline terms.
ISO 27001
Statement of Applicability drafted, controls mapped. Formal certification target Q4 2026 once SOC 2 Type II lands.
HIPAA-ready
BAA and HIPAA-aligned controls available for healthcare customers on enterprise plans. Talk to us before you onboard PHI.
Sub-processors
Full list with legal entity, region, and purpose. Subscribe for 30-day change notifications before any new vendor processes your data.
Four controls every security team asks about first.
The four questions every security questionnaire opens with - answered confidently, with specifics, before you have to ask.
Encryption
TLS 1.3 in flight, AES-256 at rest, keys rotated quarterly under a dedicated KMS. BYOK / customer-managed keys available on enterprise.
- TLS 1.3 everywhere
- AES-256 at rest
- Customer-managed KMS option
Access control
Single sign-on via SAML or OIDC, SCIM provisioning, role-based access control, audit log streaming to your SIEM of choice.
- SSO (SAML & OIDC)
- SCIM provisioning
- Granular RBAC
- SIEM-ready audit logs
Isolation
Every agent runs in its own ephemeral micro-VM. Per-customer KMS namespaces guarantee no shared keys, no shared state, no spillover.
- Per-agent sandbox VM
- Per-customer KMS namespace
- Egress allowlist only
Observability
Every privileged action is audited, exportable, and replayable. Stream events directly into Datadog, Splunk, or your SIEM in near-real-time.
- Immutable audit log
- Session replay
- SIEM streaming
Your data stays in the region you select. No exceptions.
Pick the region that matches your customers and your regulators. Processing, storage, and backups stay inside that region's boundary - contractually documented in the DPA.
Found a security issue?
We treat researcher reports as a gift. Send us a finding in good faith and we will respond, fix, and credit you.
4AF1 2C9B 7E03 51D4 8A6F 29BD 7C4A 0F12 9E58 B6D3
Full list, change notifications.
We work with a small, vetted set of vendors. You get 30 days' notice before any new vendor processes your data.
The artefacts procurement asks for first.
Whitepapers, attestations, and pentest reports - available either directly or under NDA, depending on sensitivity.
Security whitepaper
A deep technical overview of our architecture, controls, and threat model. Cite it in your vendor review.
Download PDF: soon
SOC 2 report
Bridge letter is ready now. Full Type II report shared under NDA once our observation window closes.
Pentest report
Latest third-party penetration testing report and findings summary, available to enterprise prospects.
Have a security review or procurement question?
We answer most enterprise security questionnaires inside 48 hours. Talk to our security team or jump straight into the docs.