Government data has a long memory and a longer reach. Our security posture is built to a federal-civilian bar from day one — even where the contract is municipal.
One customer, one VPC, one set of keys. No shared anything.
Your data never trains anyone's foundation model. Contractually.
BYOK in your KMS. Rotate on your schedule. Revoke and we go dark.
Workload identity, ephemeral credentials, no shared service accounts.
Network, identity, application, and data layers — independently controlled.
Continuous control monitoring; evidence on demand.
| Framework | Status | Notes |
|---|---|---|
| SOC 2 Type II | Active | Annual audit by Big-4. Continuous monitoring. |
| FedRAMP Moderate | In process | JAB sponsor secured. 3PAO engaged. |
| StateRAMP Moderate | Active | Reciprocity with several states. |
| HIPAA | Aligned | BAA available. Full HIPAA Security Rule controls. |
| CJIS | Aligned | Personnel screened, controls mapped. |
| IRS Pub. 1075 | Aligned | For agencies handling FTI. |
| NIST 800-53 Rev. 5 | Aligned | Moderate baseline. Full SSP available under NDA. |
| NIST AI RMF 1.0 | Aligned | AI-specific controls; quarterly reviews. |
| ISO 27001 | In process | Stage 2 audit Q3. |
In your tenant. AWS GovCloud (US), Azure Government, or your on-prem cluster. Never in our office.
Nowhere. We don't replicate, exfiltrate, or "telemetry" your case data. Operational metrics are scrubbed and aggregated.
Your retention schedule, enforced by us. Defensible deletion with cryptographic proof.
Your people. Our staff has no read access to your data without a break-glass approved by you.
Frontier-model providers under zero-retention contracts; open-weight models run offline.
Inputs are sandboxed; tool calls are signed; outputs are linted.
Citation-required mode. No-citation answer = automatic escalation.
Models see only the spans they need; the rest is masked.
External adversarial testing every release.
Quarterly outcome reports across protected classes.
SAML 2.0, OIDC. Okta, Entra, Ping, PIV/CAC.
Phishing-resistant required (FIDO2, PIV).
Granular roles, separation of duties enforced.
Privileged access expires; everything is logged.
24×7 SOC, behavioral analytics, anomaly alerts within minutes.
Tenant isolation, automatic credential rotation, quarantined snapshots.
Security contact notified within 1 hour; written notice within 24 hours where required.
Joint forensics. We share what we know as we know it.
Tested DR runbooks; RTO 4h / RPO 15m by default, lower on request.
Public post-mortem culture; control changes upstream to all customers.
Multiple Award Schedule, IT Cat 132-51.
For state & local cooperatives.
Reseller available for federal.
For city & county purchasing.
U.S. persons; Public Trust by default; Secret/TS where workload requires.
Annual; criminal, financial, and social-media checks on hire.
Quarterly security & AI-safety training. Phishing tested monthly.
Yes. Under NDA. Includes a full controls-inheritance map for your boundary.
We use enterprise contracts with zero data retention and no training. We can run open-weight models inside your boundary if you prefer.
Coordinated disclosure, public security.txt, internal SLAs of 24h critical / 7d high.
Yes — narrowly. List published. Material additions notified 30 days in advance.
SLSA-3 build provenance, signed artifacts, SBOM per release, dependency pinning.
Includes SOC 2 Type II report, SSP summary, sub-processor list, and architecture diagram.