Security & Compliance
Trust Center
Privacy-first, self-hosted deployment with transparent evidence and clear responsibilities.
Security Posture
We employ a defense-in-depth strategy, securing the software supply chain from commit to container.
Supply Chain
- Cosign-signed images (keyless OIDC).
- SBOM + SLSA provenance.
- Weekly CVE scans (break-on-critical).
Runtime Protection
- Hardened containers (non-root, read-only).
- Seccomp & AppArmor profiles.
- Secrets via KMS/Secrets Manager.
Data Sovereignty
- Runs entirely in your VPC/VM.
- No data egress by default.
- Customer-controlled retention.
Regulatory Mapping [1]
- EU AI Act & FCA PS22/9.
- ECOA / Reg B & SR 11-7.
- OSFI B-10 & APRA CPS 230.
1. Mapping only: references indicate internal checkpoints; they do not constitute certification or legal advice.
Evidence Chain
Input Data → Simulation → Evidence Pack
Every run emits a signed manifest (SHA-256) linking input hash → model parameters → outputs (PDF, metrics, generators).
Evidence is retrievable by Task ID, providing a complete audit trail from data ingestion to final report.
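How an auditor could re-check the hash links of an evidence pack, as an added example that is not the product's own code. The manifest field names, the canonical-JSON encoding and the sample data are assumptions; verifying the signature over the manifest digest is left out because the page does not name the signing scheme.

```python
import hashlib
import json

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def canonical(obj) -> bytes:
    # Assumed canonical form: sorted keys, no whitespace, so equal content hashes equally.
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()

def build_manifest(task_id, input_bytes, params, outputs):
    """Link input hash -> model parameters -> outputs (hypothetical layout)."""
    body = {
        "task_id": task_id,
        "input_sha256": sha256_hex(input_bytes),
        "params_sha256": sha256_hex(canonical(params)),
        "outputs": {name: sha256_hex(blob) for name, blob in outputs.items()},
    }
    # This digest is the value a signature would cover.
    body["manifest_sha256"] = sha256_hex(canonical(body))
    return body

def verify_pack(manifest, input_bytes, params, outputs):
    """Return the list of broken links; an empty list means the chain holds."""
    problems = []
    body = {k: v for k, v in manifest.items() if k != "manifest_sha256"}
    if sha256_hex(canonical(body)) != manifest.get("manifest_sha256"):
        problems.append("manifest digest mismatch")
    if sha256_hex(input_bytes) != manifest.get("input_sha256"):
        problems.append("input altered")
    if sha256_hex(canonical(params)) != manifest.get("params_sha256"):
        problems.append("params altered")
    listed = manifest.get("outputs", {})
    for name in sorted(set(listed) | set(outputs)):
        if name not in outputs:
            problems.append(f"output missing: {name}")
        elif name not in listed:
            problems.append(f"output unlisted: {name}")
        elif sha256_hex(outputs[name]) != listed[name]:
            problems.append(f"output altered: {name}")
    return problems

# Constructed sample data, not taken from a real run.
INPUT = b"id,score\n1,0.42\n"
PARAMS = {"seed": 7, "n_paths": 1000}
OUTPUTS = {"report.pdf": b"%PDF-1.7 constructed", "metrics.json": b'{"auc": 0.9}'}
MANIFEST = build_manifest("task-0001", INPUT, PARAMS, OUTPUTS)
```

Checking the files against the manifest only proves internal consistency; the manifest digest still has to be checked against its signature before the pack counts as evidence.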
Where a component's licence requires reproduction of NOTICE text, the relevant excerpt is provided alongside the SBOM.