SECURITY / TRUST// 2026

Private by default.
Auditable by design.

Agentic infrastructure on a plant floor is only useful if it can be trusted end-to-end. We ship with SLM-on-your-infra, read-only source connections, immutable audit trails, and a deployment model that works even when the internet doesn't.

01Model posture

Why small language
models, on your infra

Frontier APIs are fine for demos and wrong for operations: your tag schema, your SOPs, your batch records are not someone else's training data. We run small, specialized models on your hardware.

/ 01

Your data never leaves

Small language models fine-tuned and served on your hardware. No egress, no SaaS round-trip. Works in fully air-gapped environments.

/ 02

Your SOPs are not training data

We never fine-tune on client data outside the client's environment. Your tag schema, your batch records, your operator notes stay yours.

/ 03

Read-only by default

Source connections to SCADA, MES, ERP are read-only. Write actions (work orders, schedule changes) flow through systems-of-record with full human-in-the-loop.

02Controls

Built-in security
at every layer

/ 01

Access & identity

RBAC integrated with your IdP (Okta, Azure AD, Google). Scoped tokens per agent. SCIM provisioning supported.

/ 02

Audit & lineage

Every agent query, every data read, every generated artifact is logged with full lineage. Immutable, exportable, compliance-ready.

/ 03

Human-in-the-loop

High-impact actions require explicit approval. Approvers see the full chain of reasoning, source evidence, and what the agent is about to do.

/ 04

Deployment modes

On-prem, private VPC, or managed SaaS. Hybrid modes supported for data-residency constraints (e.g. EU plant + US HQ).

/ 05

Model provenance

Every model's base checkpoint, fine-tuning dataset, and eval pass-rate is version-controlled in your infra. Swap models without re-auditing the platform.

/ 06

Compliance alignment

Controls aligned with SOC 2 Type II, ISO 27001, and GDPR. Industry-specific postures for pharma (GxP), food (FSMA), and OT (IEC-62443).

03Data residency

Where your data lives

RegionStatusNotes
US EastGAAWS us-east-1, us-east-2
EU CentralGAAWS eu-central-1, Azure West Europe
APACGAAWS ap-southeast-2, ap-northeast-1
On-premGAK8s or bare-metal, air-gap supported
Middle EastQ3AWS me-south-1 (planned)
04Compliance

Aligned with the frameworks
your auditors know

01

SOC 2 Type II

Security, availability, and confidentiality — aligned controls and evidence packs.

02

ISO 27001

Information-security management system practices; policies, risk register, and review cadence.

03

GDPR

Data-subject rights, cross-border transfer posture, and processor/controller agreements.

04

GxP (pharma)

Electronic records, audit trails, and computer-systems-validation alignment (21 CFR Part 11 posture).

05

FSMA (food)

Traceability and recall-readiness workflows on top of MES batch records.

06

IEC 62443 (OT)

Segmentation-aware deployment for control-network zones and conduits.

Request security docs

Need a security deep-dive?

Share your controls checklist, regulatory context, and deployment posture. We'll walk through architecture, data flow, and evidence — and line them up against your auditor's expectations.

Book a demoTalk to founder