Trust center

Security and operational integrity

SoverAI is built for organizations where an AI outage or data misrouting is a supervisory event. This page is a high-level program overview for diligence and working sessions — not a legal agreement. We provide the underlying artifacts under NDA in enterprise evaluation.

Questions: security@soverai.ai

What we protect

Your prompts, retrievals, and regional configuration are treated as high-sensitivity. Our trust boundary includes the control plane, regional runtimes, and the audit surfaces you export to your GRC and SIEM tools.

Encryption everywhere that matters

Data in transit is protected with industry-standard TLS. At rest, keys are under customer or dedicated KMS policy per region, with per-tenant and per-environment scoping. We design for the uncomfortable question: if someone copied a disk, what is still protected?

Identity, least privilege, and break-glass

Administrative access is role-based, logged, and time-bounded. Production changes follow controlled paths; emergency break-glass exists but is noisier on purpose, with attestation in your systems of record, not a silent shell session.

Resilience and change management

We test backups, run tabletop exercises for regional incidents, and version configuration baselines. Change windows are scheduled with customer visibility at enterprise tiers, because your regulators care about your dependencies.

Regulatory and enterprise alignment

Security is not a binary checkbox. It is a program that maps to how your organization already proves controls to second line, external audit, and regulators.

Our roadmap includes independent penetration testing, continuous vulnerability management, and sharing executive summaries and detailed findings under MNDA and procurement flows.
We maintain an inventory of sub-processors, data flows, and the logical boundaries of customer content versus platform telemetry required to operate the service.
Customer security reviews are supported with architecture diagrams, control narratives, and answers in the form factors security teams already use (CAIQ-style where helpful).

Data handling in plain terms

We minimize collection of what we do not need to run the product. For example, we do not sell customer data to model vendors for training by default, and we scope telemetry to what is required for reliability, billing, and your configured audit exports.

Customer configuration & metadata

Project IDs, allowlists, routing choices, and integration endpoints are needed to run your agents. This metadata is access-controlled, encrypted, and part of the same audit path as your inference and agent actions in production settings.

Model and vendor dependencies

Where a supported model is supplied by a third party, the architectural goal is a region-locked data path. You should receive clear documentation of what crosses which boundary, so legal can agree with what engineering built.

Incident response

We maintain runbooks, customer notification standards for material events, and coordination paths with your CISO and privacy office. The goal is a rehearsed, boring response — not improvisation after headlines.

If something goes wrong

Enterprise agreements define severity thresholds, notification times, and evidence packs for regulators. In evaluation, we will walk you through a dry-run to match your own incident playbooks and jurisdictional needs.

What we ask of you

Mature access policies on your side, a named security sponsor for integration, and timely triage of joint follow-ups. Sovereignty is a shared design problem between SoverAI and your identity, network, and data stores.

What you can request in diligence

We expect these asks — and prepare for them.

System description and data flow diagram with regional boundaries
Penetration test executive summary and remediation log for critical findings
List of sub-processors and the purpose and location of processing for each
SOC 2 (or regional equivalent) bridge letter and change window policies
Residency and encryption matrix aligned to your data classification

Contact security See compliance coverage Technical overview

Bring your first-line team

We host joint sessions with CISO, legal, and infrastructure leads. If it helps, we can align the agenda to a specific review window or pending filing.

Request a trust session