Trust posture · receipts > promises
Built to pass the security review you haven't asked for yet.
Five default behaviours. One claim taxonomy. Everything externally visible carries receipts.
Defaults
Data residency
Compute runs in GCP under a per-engagement project, encrypted at rest with a customer-scoped KMS key (CMEK). Models do not train on your data.
Read-only diagnostic
Diagnostic ingests are read-only. Write-back happens only after the managed-run SOW is signed and per-workflow approver roles are configured.
Evidence ledger
Every action carries its source, policy decision, approval state, output, cost, outcome, and rollback path. Manifests are hash-chained and exported to a private GitHub repo you own.
Deletion-proof exit
At engagement end, all per-engagement resources are deleted under a signed deletion manifest. The evidence ledger is exported to your repo before deletion.
No marketing without consent
Cold SMS marketing, DNC bypass, AI-edited suppression records, and agent-created consent are blocked at the policy layer. Always.
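How a customer could check a hash-chained ledger like the one described under "Evidence ledger" after export. This is an added example, not the vendor's code or manifest format. The field names, the `seq`/`prev_hash`/`hash` keys, the all-zero genesis value and the canonical-JSON SHA-256 scheme are all assumptions.

```python
import hashlib
import json

# Assumed field names, from the list in the "Evidence ledger" text.
REQUIRED = ("source", "policy_decision", "approval_state", "output",
            "cost", "outcome", "rollback_path")
GENESIS = "0" * 64  # assumed prev_hash of the first manifest

def entry_hash(entry):
    """SHA-256 over canonical JSON of everything except the entry's own hash."""
    body = {k: v for k, v in entry.items() if k != "hash"}
    canon = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canon.encode("utf-8")).hexdigest()

def append(ledger, action):
    """Return a new ledger with `action` linked to the previous manifest."""
    entry = dict(action, seq=len(ledger),
                 prev_hash=ledger[-1]["hash"] if ledger else GENESIS)
    entry["hash"] = entry_hash(entry)
    return ledger + [entry]

def verify(ledger, expected_head=None):
    """Return (seq, problem) findings; an empty list means the chain is intact."""
    findings, prev = [], GENESIS
    for i, e in enumerate(ledger):
        missing = [f for f in REQUIRED if f not in e]
        if missing:
            findings.append((i, "missing fields: " + ",".join(missing)))
        if e.get("seq") != i:
            findings.append((i, "sequence gap or reorder"))
        if e.get("prev_hash") != prev:
            findings.append((i, "prev_hash does not match previous manifest"))
        if e.get("hash") != entry_hash(e):
            findings.append((i, "content does not match recorded hash"))
        prev = e.get("hash")
    # A truncated tail still verifies link by link; only a pinned head catches it.
    if expected_head is not None and prev != expected_head:
        findings.append((len(ledger), "head hash differs from pinned value"))
    return findings

def sample_ledger():
    """Constructed sample of three actions; not real engagement data."""
    ledger = []
    for n in range(3):
        ledger = append(ledger, {
            "source": f"ticket-{n}", "policy_decision": "allow",
            "approval_state": "approved", "output": f"result-{n}",
            "cost": n, "outcome": "ok", "rollback_path": f"revert-{n}"})
    return ledger
```

The chain alone proves internal consistency, not completeness: record the head hash somewhere the ledger's writer cannot change and pass it as `expected_head` when verifying.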
Every metric carries a claim tag
We classify every external claim into one of four tiers. The tier is visible next to the number.
Supported by company data, customer data, or production logs.
Supported by credible external research; not yet proven by us.
Plausible, useful for planning, explicitly unproven.
Internal aspiration. Never used in buyer or investor materials.