The front door is the proof there's no back door.
On-prem sovereignty. SaaS currency. Zero standing access in between.
Control transferred to you is trust you don't have to extend to us.
Your data never enters our custody. Our logic enters yours.
The objection, flipped.
We can't open a backdoor account — minting a login needs a key you never gave us.
Want nothing to leave? Cut the wire — we built for that.
Trust becomes a switch you hold, not a promise we make.
You hold the keys; we make sure the keys can't break the lock.
The SA password is yours. It never touches our app.
Checkable measures, not reassurances.
Each of these you can put in front of a CISO and verify on the merits — most of them by reading your own configuration.
Credentials & access
- Customer-held credentials
The app runs on a customer-provisioned, least-privilege login. You hold and rotate the credential; the app reads it from your secrets store. It is never baked into the binary.
- The SA password is never the app's
The SA password is never used by the application — ever. It stays the DBA's, for the DBA's use only.
- No backdoor login is possible
The app cannot mint a usable backdoor: you withhold securityadmin / sysadmin, so creating a login requires a privilege you never granted. Verifiable by reading your own login list.
- Zero standing vendor privilege
Absent an event you initiate, there is no vendor path into the environment.
- Just-in-time break-glass
Vendor help, when needed, is customer-triggered, scoped, time-boxed, and fully logged — an authorized transaction, not a standing condition.
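One way to perform the verification this list promises, as an added T-SQL check that is not the vendor's code: it assumes the customer-provisioned application login is named app_svc (a placeholder; substitute your own) and reads the server catalog for the two things that would let that login create other logins: membership in sysadmin or securityadmin, and the explicit ALTER ANY LOGIN or CONTROL SERVER server permissions, which also suffice on their own.

```sql
-- Added verification script, not part of the product. Assumes the
-- application's least-privilege login is named [app_svc] (placeholder).
DECLARE @app_login sysname = N'app_svc';

-- 1. The application login must exist and must not be the built-in sa
--    login (the SA password is the DBA's, never the app's).
SELECT name, type_desc, is_disabled
FROM sys.server_principals
WHERE name = @app_login;

-- 2. Direct membership in the server roles that permit CREATE LOGIN.
--    Expected result: zero rows.
SELECT r.name AS server_role, m.name AS member
FROM sys.server_role_members AS rm
JOIN sys.server_principals AS r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals AS m ON m.principal_id = rm.member_principal_id
WHERE m.name = @app_login
  AND r.name IN (N'sysadmin', N'securityadmin');

-- 3. Explicit server-level grants that also allow minting a login,
--    even without role membership. Expected result: zero rows.
SELECT p.name AS grantee, sp.permission_name, sp.state_desc
FROM sys.server_permissions AS sp
JOIN sys.server_principals AS p ON p.principal_id = sp.grantee_principal_id
WHERE p.name = @app_login
  AND sp.permission_name IN (N'ALTER ANY LOGIN', N'CONTROL SERVER');

-- 4. The full roster of principals that can create logins today, for the
--    CISO review: every name here should be a DBA you recognize.
SELECT r.name AS server_role, m.name AS member, m.type_desc
FROM sys.server_role_members AS rm
JOIN sys.server_principals AS r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals AS m ON m.principal_id = rm.member_principal_id
WHERE r.name IN (N'sysadmin', N'securityadmin')
ORDER BY r.name, m.name;
```

Run it as a DBA against the instance the app connects to; queries 2 and 3 returning nothing is the check passing. The catalog joins show direct grants only: if the application authenticates through a Windows group login rather than its own principal, run the same queries against that group's login as well, since role membership and permissions granted to the group flow to every member.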
Network & egress
- You own egress
Default-deny-and-log on everything outbound. The exit is yours to control.
- Zero-egress / air-gapped tier
The exit is physically cut. Nothing leaves, period.
- Bounded AI egress
The AI-enabled tier uses an allow-list of named destinations only. Egress is bounded, named, and inspectable — you can read every byte before it crosses the boundary.
Schema & change control
- You own the schema
You own the SQL Server; your DBA owns all DDL. Schema evolution runs through a guided MCP/CLI that makes illegal states unrepresentable — guard-railed, not freehand.
- The safe path is the supported path
Raw ALTER outside the guided path is unsupported and voids the integrity guarantee — hand-edits silently break engine invariants.
- Meaning lives in the manifest
The logical model is metadata; the physical layout is a generated projection with opaque surrogate names, assembled at runtime.
Data custody & IP separation
- Data never enters vendor custody
The vendor's logic enters your perimeter — not the other way around.
- The engine that built it was never on your disk
The deepest IP — the ingest / corpus-construction pipeline — runs in the vendor's cloud on the vendor's source material. Only its output lands in your database, as data, not logic.
- Zero-retention AI terms
AI and embedding calls run on zero-retention provider terms; content sent for processing is not retained downstream.
- Corpus encrypted at rest
The corpus payload is encrypted at rest — defeating backup theft, cross-tenant snooping, and casual inspection.
Telemetry
- Off by default, opt-in
Product-improvement logging is off by default and requires explicit, per-customer opt-in — consent as a switch you flip, not a clause buried in a EULA.
- Sanitized and inspectable
When on, it is sanitized of row-level content and traverses your own egress, so you inspect exactly what leaves.
- Revocable, never depended on
Separately revocable, and the product never depends on it.
Provenance & verification
- Operationally equivalent to on-prem
Equivalent on every axis — residency, perimeter, credentials, egress, schema control, no third-party custody, no standing access. The single residual gap is code provenance: you can't read every line. The rest of this ladder closes it.
- Code escrow by default
A neutral party holds source, released on breach or insolvency.
- Third-party penetration testing
Independent pentest as table stakes.
- Reproducible builds + published hash
Verify the running artifact against a published binary hash.
- TEE remote attestation
The cryptographic ceiling — proves the running binary is the audited one, holding secrets even from host root.
- License terms with teeth
Terms that make reverse-engineering legally radioactive.
On-prem control. SaaS currency.
Everything running it on-prem gives you, minus the one thing it costs you: maintaining it yourself.
The data control of running it yourself, without building the engine yourself.
One concession — you don't read our code. Covered by escrow, third-party pentest, reproducible-build hashes, and a perimeter you own end to end.
The one concession, and why it doesn't cost you.
A snapshot of the warehouse is worthless against a factory that ships a better version next quarter.
Knowledge that compounds with every namespace — stale the day anyone tries to take it.