Trust Portal
The artifacts a security review needs.
Compliance status, sub-processors, vulnerability disclosure, DPA, and security documentation in one place. Honest about what is shipped and what is on the roadmap.
Last updated 2026-05-26
Connector enforcement
What is enforced today, and what is co-developed.
AIGIS does not flatten every connector into the same security claim. The trust model is asymmetric and disclosed before a production security review.
Salesforce
Salesforce is production-grade today
Apex with sharing, object and field checks, live record access, governed write confirmation, and append-only audit provenance.
ServiceNow
ServiceNow is design-partner co-development
ServiceNow uses a customer-configured impersonation header. Production strength depends on the customer's ServiceNow identity and authorization configuration.
SAP
SAP is design-partner co-development
SAP uses service-account access with a customer-approved user-context header. SAP is not represented as Salesforce-equivalent enforcement.
Compliance status
Where we are on attestation.
SOC 2 Type I
In audit window
Engaged Vanta 2026-05-23. Type I report target Q4 2026. Bridge letter from Vanta available on request.
SOC 2 Type II
Target Q3 2027
12-month observation period begins after Type I close. Continuous control monitoring via Vanta.
GDPR
DPA available
Standard Contractual Clauses (Module 2) incorporated. DPO contact: dpo@governed.dev. EU residency on the multi-region roadmap.
EU AI Act
Art. 12 + Art. 14
Provenance ledger designed to satisfy Art. 12 logging. Two-stage write confirmation satisfies Art. 14 human oversight.
Sub-processors
Every third party that touches customer data.
We commit to 30 days' written notice before adding a new sub-processor. Customers under a signed DPA receive notice via email.
| Sub-processor | Purpose | Data type | Region | Contract |
|---|---|---|---|---|
| Supabase | Auth, Postgres, Vault (KMS-backed secrets) | Org metadata, membership, system-connection metadata, audit log refs, secret references | US (AWS us-east-1) | DPA in place |
| Railway | Engine compute and Postgres | Engine memory and state at runtime, engine-side audit log + identity map | US-East | DPA in place |
| Cloudflare | Edge CDN, Workers, WAF, DDoS | Marketing and console page traffic, request metadata | Global edge | DPA in place |
| Anthropic | LLM inference (Claude family) | Masked, governance-filtered prompts and responses (no training on customer data) | US | DPA available; BAA on request |
| OpenAI | LLM inference (GPT family) | Masked, governance-filtered prompts and responses (zero retention available) | US | DPA available |
| Resend | Transactional email | End-user email addresses, email envelope and body | US / EU | DPA available |
| Stripe (incl. Atlas) | Payments, original incorporation | Customer billing data, tokenized payment methods | US | DPA in place |
| Sentry | Error monitoring | Stack traces and metadata, PII-scrubbed | US / EU | DPA available |
| PostHog | Anonymized product analytics | Anonymized usage events (no prompts, responses, or records) | US (EU self-hosted on Enterprise) | DPA available |
| Vanta | SOC 2 audit evidence collection | Internal compliance evidence only — no customer data | US | DPA in place |
Customers may subscribe to sub-processor change notifications by emailing security@governed.dev with subject "sub-processor notifications".
Vulnerability disclosure
Report a security finding to security@governed.dev.
Good-faith security research is welcomed and protected by safe harbor. We acknowledge within 1 business day and triage within 5.
Reporting
Email security@governed.dev. PGP key fingerprint published at /.well-known/security.txt. Include reproduction steps and impact.
Bug bounty
Acknowledgement and hall-of-fame credit today. Private bounty H2 2027. Public bounty 2028. We retroactively reward eligible reports when the program launches.
Full disclosure policy: docs/security/vulnerability-disclosure-policy.md.
Data Processing Agreement
A signed DPA is available on request.
Standard Contractual Clauses (Module 2: controller-to-processor) included for EU transfers. DPO contact at dpo@governed.dev.
We sign a customer DPA before any production workload that processes personal data of EU data subjects. Contact sales@governed.dev to start the review.
Documentation
Downloads for the security team.
Security white paper
PDF — coming soon
Sub-processor list
Canonical list with 30-day change notice
Data Processing Agreement
Signed DPA available on request
Customer security questionnaire (CAIQ-Lite, SIG-Lite) responses are pre-filled and available on signed-NDA request via security@governed.dev.
Trust portal last updated 2026-05-26. The companion engineering page is at /security.