Trust
Trust built in, not bolted on.
Governance, compliance, and audit are primitives in the platform — engineered into every layer. Here's what that looks like in practice.
Compliance posture
Where we stand on the frameworks you care about.
Statuses reflect current posture across standards most relevant to our buyers. Detailed documentation available on request under NDA.
Status vocabulary: Certified · In audit · On roadmap · Mapped · Deployment-ready. Specifics available in the security packet under NDA.
Federal credentials
Registered, ready, reachable.
- CAGE: 9PVA4
- UEI (SAM.gov): WBABLTXTSLJ6
- Location: Utah-based small business
- Deployment: Air-gap & GovCloud ready
Security practices
The controls every deployment inherits.
Auth inheritance
Agents respect your existing identity and access model. Users only see what they're authorized to see — enforced at every call.
PII boundaries
Declarative boundaries keep sensitive fields inside your perimeter. Every third-party call is explicit, logged, and policy-gated.
Encryption at rest + in transit
TLS 1.3 everywhere. AES-256 at rest. Keys managed in Vault Transit / Azure Key Vault / AWS KMS — your choice.
WORM audit (7 years)
Every agent action is cryptographically signed and written to tamper-evident WORM storage. Independently verifiable by regulators.
HITL + kill switch
Risk-scored actions route to human approvers before execution. Circuit-breaker kill switch for emergency bulk revocation.
Incident response
24-hour disclosure commitment for confirmed incidents. Runbooks, on-call rotation, and post-incident reviews shared under NDA.
Data handling
Your data, on your terms.
Data residency
Deploy in the region and perimeter you require. GovCloud, customer VPC, on-prem, or air-gapped — the runtime is the same.
Retention & deletion
Configurable retention per data class. Right-to-delete honored end-to-end, including derived embeddings and audit-safe tombstones.
Sub-processor transparency
Current sub-processor list shared on request. Changes communicated in advance with opt-out for deployments that require it.
Governance in depth
How Sovereign Agent actually enforces the controls above.
Sub-millisecond authorization, five-layer policy evaluation, and cryptographic audit — the runtime primitives that make every control on this page real.
See Sovereign Agent
Need the security packet?
SOC 2 reports, penetration-test results, security-questionnaire responses, and data-flow diagrams ship under NDA. Reach out and we'll share within one business day.