ProjexCloud

Security & compliance

The platform is designed so the customer holds the keys, the chain is verifiable, and the audit trail outlives the engineers who wrote it. What follows is the shape of the platform — not a promise of certification.

Customer-managed encryption (BYOK / CMEK)

Every tenant has its own Tenant Key in the platform vault. On Pro and Enterprise tiers, the Tenant Key envelope is wrapped by a customer-managed key (CMK) in your AWS KMS, GCP KMS, or HSM (PKCS#11). The platform never holds raw key material; every decryption call hits your KMS first.

  • Four-tier vault: Platform KEK → Tenant KEK → DEKs → Per-resource keys.
  • Revoke the grant on your CMK and this tenant's data becomes undecryptable platform-wide within ~30s. Documented kill-switch.
  • SIEM forwarder for all key-usage events so your SOC sees them live.
  • Cryptographic shredding for right-to-be-forgotten and time-bound retention.

BYOK for AI provider keys — separate from CMEK — is on the Q3 2026 roadmap. Today, AI completions route through platform-held provider keys; tenant-held provider keys are in flight under epic 76ec75df.
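
As an added illustration of the envelope described above (example code, not ProjexCloud's own): a stand-in customer KMS holds the CMK and never releases it; the platform vault stores only the CMK-wrapped Tenant KEK and, per resource, a Tenant-KEK-wrapped DEK plus ciphertext; every read unwraps through the KMS first; revoking the grant makes every resource undecryptable, and dropping a single wrapped DEK shreds one resource. The Platform KEK tier is omitted for brevity, the cipher is an HMAC-SHA256 construction chosen only so the example runs on the standard library (a real vault would use AES-GCM or the KMS wrap API), and all class, method and record names are assumptions.

```python
import hashlib
import hmac
import os


# Stand-in authenticated cipher (encrypt-then-MAC over an HMAC keystream). It exists so
# the example runs offline; it is not the platform's cipher.
def _subkey(key: bytes, label: bytes) -> bytes:
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Return nonce || ciphertext || tag under a fresh random nonce."""
    nonce = os.urandom(16)
    stream = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    ct = bytes(p ^ k for p, k in zip(plaintext, stream))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("ciphertext failed authentication")
    stream = _keystream(_subkey(key, b"enc"), nonce, len(ct))
    return bytes(c ^ k for c, k in zip(ct, stream))


class CustomerKMS:
    """Stand-in for the customer's AWS/GCP KMS or HSM. The CMK never leaves this object;
    every unwrap is counted, which is the event stream a SIEM forwarder would carry."""

    def __init__(self) -> None:
        self._cmk = os.urandom(32)
        self.grant_active = True
        self.unwrap_calls = 0

    def wrap(self, key_material: bytes) -> bytes:
        return seal(self._cmk, key_material)

    def unwrap(self, wrapped: bytes) -> bytes:
        self.unwrap_calls += 1
        if not self.grant_active:
            raise PermissionError("CMK grant revoked")
        return unseal(self._cmk, wrapped)

    def revoke_grant(self) -> None:
        self.grant_active = False


class TenantVault:
    """Platform side of the envelope: holds only wrapped keys and ciphertext."""

    def __init__(self, kms: CustomerKMS) -> None:
        self.kms = kms
        self.wrapped_tenant_kek = kms.wrap(os.urandom(32))  # Tenant KEK, wrapped by the CMK
        self.resources = {}  # resource_id -> (wrapped DEK or None once shredded, ciphertext)

    def _tenant_kek(self) -> bytes:
        return self.kms.unwrap(self.wrapped_tenant_kek)  # the KMS is consulted on every call

    def put(self, resource_id: str, data: bytes) -> None:
        dek = os.urandom(32)  # one DEK per resource
        self.resources[resource_id] = (seal(self._tenant_kek(), dek), seal(dek, data))

    def get(self, resource_id: str) -> bytes:
        wrapped_dek, ct = self.resources[resource_id]
        if wrapped_dek is None:
            raise KeyError(f"{resource_id} was cryptographically shredded")
        return unseal(unseal(self._tenant_kek(), wrapped_dek), ct)

    def shred(self, resource_id: str) -> None:
        """Crypto-shredding: drop the wrapped DEK; the ciphertext may stay in backups."""
        _, ct = self.resources[resource_id]
        self.resources[resource_id] = (None, ct)


def demo() -> tuple:
    """Constructed scenario: normal read, one shredded record, then the grant kill-switch."""
    kms = CustomerKMS()
    vault = TenantVault(kms)
    vault.put("rec-1", b"constructed tenant record")
    vault.put("rec-2", b"second record")
    readable = vault.get("rec-1")
    vault.shred("rec-2")
    try:
        vault.get("rec-2")
        shredded = "readable"
    except KeyError:
        shredded = "shredded"
    kms.revoke_grant()  # the documented kill-switch
    try:
        vault.get("rec-1")
        after_revoke = "readable"
    except PermissionError:
        after_revoke = "undecryptable"
    return readable, shredded, after_revoke, kms.unwrap_calls
```

Note how `demo()` finishes with four KMS unwrap calls even though only three reads succeeded: the platform asks the KMS before it can touch any plaintext, so the revoked grant is enforced at the customer's side, not by platform policy.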

Audit chain

Every admin-side action, every credential lifecycle event, every AI completion, every consent change appends to a per-tenant SHA-256-chained ledger. Chains are verified on a configurable cadence; chain breaks emit audit.chain.break.v1 events. Three retention classes apply automatically — transient (7d), operational (90d), regulated (7y).

  • Per-tenant chain heads so a regional incident doesn't cascade across tenants.
  • Hash-chain proof export (PDF or JSON) for compliance review.
  • Trace IDs cross-link audit rows to Langfuse, OpenTelemetry, and provider invoices.
  • Tamper detection via the background verifier scheduler; alarms on break.
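
An added example of the per-tenant SHA-256 chain and its verifier (constructed here, not the platform's ledger code): each row hashes its predecessor's hash together with its own payload, the verifier recomputes every link, and it also compares the final hash against a chain head stored out of band, which is what catches a row silently dropped from the tail. Event names, retention classes and the `audit.chain.break.v1` event come from the page; the row layout, function names and sample events are assumptions.

```python
import hashlib
import json
from dataclasses import dataclass, field

GENESIS_HEAD = "0" * 64  # constructed starting head for an empty tenant chain
RETENTION_DAYS = {"transient": 7, "operational": 90, "regulated": 7 * 365}


def row_hash(prev_hash: str, seq: int, payload: dict) -> str:
    """SHA-256 over canonical JSON of (prev, seq, payload); any byte change breaks the link."""
    body = json.dumps({"prev": prev_hash, "seq": seq, "payload": payload},
                      sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(body.encode()).hexdigest()


@dataclass
class TenantLedger:
    tenant_id: str
    rows: list = field(default_factory=list)

    def head(self) -> str:
        return self.rows[-1]["hash"] if self.rows else GENESIS_HEAD

    def append(self, event_type: str, retention_class: str, **attrs) -> dict:
        if retention_class not in RETENTION_DAYS:
            raise ValueError(f"unknown retention class {retention_class!r}")
        seq = len(self.rows)
        payload = {"type": event_type, "retention": retention_class, **attrs}
        row = {"seq": seq, "prev": self.head(), "payload": payload}
        row["hash"] = row_hash(row["prev"], seq, payload)
        self.rows.append(row)
        return row

    def verify(self, published_head: str) -> list:
        """Recompute every link, then compare the final hash with the head kept out of band.
        Returns the audit.chain.break.v1 events a verifier would emit (empty if intact)."""
        breaks = []
        prev = GENESIS_HEAD
        for row in self.rows:
            if row["prev"] != prev or row["hash"] != row_hash(prev, row["seq"], row["payload"]):
                breaks.append({"event": "audit.chain.break.v1", "tenant": self.tenant_id,
                               "seq": row["seq"], "reason": "link mismatch"})
            prev = row["hash"]
        if prev != published_head:
            breaks.append({"event": "audit.chain.break.v1", "tenant": self.tenant_id,
                           "seq": None, "reason": "head mismatch (truncation?)"})
        return breaks


def demo() -> dict:
    """Constructed scenario: intact chain, an edited row, and a silently dropped tail row."""
    ledger = TenantLedger("tenant-a")
    ledger.append("admin.role.grant", "regulated", actor="alice", target="bob", trace_id="tr-1")
    ledger.append("ai.completion", "operational", model="constructed-model", trace_id="tr-2")
    ledger.append("consent.change", "regulated", subject="carol", trace_id="tr-3")
    published = ledger.head()  # the per-tenant chain head, stored separately from the rows
    intact = ledger.verify(published)

    ledger.rows[1]["payload"]["model"] = "other"  # edit in place; stored hash goes stale
    edited = ledger.verify(published)
    ledger.rows[1]["payload"]["model"] = "constructed-model"  # undo the edit

    ledger.rows.pop()  # drop the last row; every link still matches, only the head differs
    truncated = ledger.verify(published)
    return {"intact": intact,
            "edited": [b["seq"] for b in edited],
            "truncated": [b["reason"] for b in truncated]}
```

The truncation case is why the page's per-tenant chain heads matter: a hash chain alone proves rows were not altered or reordered, but only a head recorded outside the ledger proves nothing was removed from the end.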

Identity & access

Every JWT carries a six-layer scope (Master Person, App Identity, Tenant Membership, Persona, Encounter, Relationship). Every API call is filtered through those scopes — there's no path to another tenant's data, even by accident. The signing key rotates quarterly; old tokens drain through a 10-minute grace window so a rotation doesn't cause an outage.

  • Social IdP (Google, Microsoft, Apple), SAML SP, SCIM 2.0 provisioning.
  • MFA challenge, step-up auth on sensitive operations.
  • Impersonation grants require approver + reason; emit a regulated-class audit event.
  • Three-evaluator policy mesh (consent, ReBAC, RBAC) decides every authorize call.
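
An added example (not ProjexCloud's code) of the two mechanics in the paragraph above: an HS256 token verifier that accepts a retired signing key only inside the 10-minute grace window after rotation, and a scope filter that refuses any resource whose scope layers differ from the token's. The six layer names are taken from the page; the `kid` handling, the claim layout, the helper names and the sample values are assumptions.

```python
import base64
import hashlib
import hmac
import json
import os

GRACE_SECONDS = 600  # the 10-minute drain window after a rotation
SCOPE_LAYERS = ("person", "app", "tenant", "persona", "encounter", "relationship")


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class SigningKeyRing:
    """Current HS256 key plus retired keys that stay valid only inside the grace window."""

    def __init__(self) -> None:
        self.keys = {"kid-1": os.urandom(32)}
        self.current = "kid-1"
        self.retired_at = {}  # kid -> time at which that key stopped signing
        self._n = 1

    def rotate(self, now: float) -> None:
        self._n += 1
        new_kid = f"kid-{self._n}"
        self.keys[new_kid] = os.urandom(32)
        self.retired_at[self.current] = now
        self.current = new_kid

    def verification_key(self, kid: str, now: float) -> bytes:
        if kid == self.current:
            return self.keys[kid]
        if kid in self.retired_at and now - self.retired_at[kid] <= GRACE_SECONDS:
            return self.keys[kid]
        raise PermissionError(f"signing key {kid} is not accepted at this time")


def issue(ring: SigningKeyRing, claims: dict) -> str:
    header = {"alg": "HS256", "typ": "JWT", "kid": ring.current}
    parts = [_b64(json.dumps(x, separators=(",", ":")).encode()) for x in (header, claims)]
    signing_input = ".".join(parts)
    sig = hmac.new(ring.keys[ring.current], signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64(sig)


def verify(ring: SigningKeyRing, token: str, now: float) -> dict:
    head_b64, body_b64, sig_b64 = token.split(".")
    header = json.loads(_unb64(head_b64))
    if header.get("alg") != "HS256":  # the verifier, never the token, decides the algorithm
        raise PermissionError("unexpected alg")
    key = ring.verification_key(header["kid"], now)
    expected = hmac.new(key, f"{head_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64(sig_b64)):
        raise PermissionError("bad signature")
    claims = json.loads(_unb64(body_b64))
    if claims.get("exp", 0) <= now:
        raise PermissionError("token expired")
    missing = [layer for layer in SCOPE_LAYERS if layer not in claims.get("scope", {})]
    if missing:
        raise PermissionError(f"token missing scope layers {missing}")
    return claims


def scope_filter(claims: dict, resource: dict) -> bool:
    """A resource is visible only if every scope layer it carries matches the token's."""
    scope = claims["scope"]
    return all(resource[layer] == scope[layer] for layer in SCOPE_LAYERS if layer in resource)


def _accepted(ring: SigningKeyRing, token: str, now: float) -> bool:
    try:
        verify(ring, token, now)
        return True
    except PermissionError:
        return False


def demo() -> dict:
    """Constructed scenario: rotation at t=100, tokens checked either side of the window."""
    ring = SigningKeyRing()
    scope = {"person": "mp-1", "app": "web-portal", "tenant": "tenant-a",
             "persona": "clinician", "encounter": "enc-9", "relationship": "care-team"}
    old_token = issue(ring, {"sub": "mp-1", "exp": 10_000, "scope": scope})
    ring.rotate(now=100)
    new_token = issue(ring, {"sub": "mp-1", "exp": 10_000, "scope": scope})
    claims = verify(ring, new_token, now=200)
    # Forge: keep the old signature but swap the tenant layer in the body.
    head, _, sig = old_token.split(".")
    forged_body = {"sub": "mp-1", "exp": 10_000, "scope": {**scope, "tenant": "tenant-b"}}
    forged = ".".join([head, _b64(json.dumps(forged_body, separators=(",", ":")).encode()), sig])
    return {
        "old_within_grace": _accepted(ring, old_token, now=699),
        "old_after_grace": _accepted(ring, old_token, now=701),
        "new_after_grace": _accepted(ring, new_token, now=701),
        "forged": _accepted(ring, forged, now=200),
        "same_tenant": scope_filter(claims, {"tenant": "tenant-a", "encounter": "enc-9"}),
        "cross_tenant": scope_filter(claims, {"tenant": "tenant-b", "encounter": "enc-9"}),
    }
```

The grace window is keyed on the time the old key was retired, not on the token's issue time, so a token minted seconds before rotation still drains cleanly while nothing signed with the retired key is honoured once the window closes.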

Deployment posture

Shared multi-region for Starter and Pro; sovereign regions and air-gapped on-prem for Enterprise. No customer data crosses a region boundary without an explicit data-residency event.

  • Pool-based horizontal scaling — no sharding, no manual capacity planning.
  • Active-active multi-region with chaos drills as a first-class operation.
  • Sovereign region pinning (EU, UK, FedRAMP, StateRAMP, IL5, PIPL).
  • Air-gapped on-prem bundles with rollback support and local-LLM provider resolver.
  • 99.9% uptime on Pro, 99.99% on Enterprise with custom MTTR.

Compliance posture

What we have today, what's in progress, and what's honestly on the roadmap. We do not claim attestations we do not yet hold. Request a letter of attestation via your account team for the latest signed statement.

Framework           Status                    Detail
SOC 2 Type II       ○ In progress / roadmap   In progress — letter of attestation on request
ISO 27001           ○ In progress / roadmap   In progress
HIPAA BAA           ● Live                    Available on Pro and Enterprise
GDPR / UK GDPR      ● Live                    DPA available on request
DPDP (India)        ● Live                    Supported by sdk-data-rights
FedRAMP-Moderate    ○ In progress / roadmap   Roadmap — Q3 2026
StateRAMP           ○ In progress / roadmap   Roadmap — Q3 2026
PCI-DSS             ● Live                    Out of scope (we do not store cardholder data)

Forward-looking statements. Items marked "in progress" and "roadmap" are not current certifications. Contact compliance@projexcloud.com for the current letter of attestation before relying on them in procurement.

Have a procurement security review?

Send us your SIG questionnaire / CAIQ / vendor security review. We'll get a signed response back within 5 business days.

Contact compliance

Or jump to pricing to see what tier covers your compliance bar.