Security & Compliance

Sovereign-grade security. Honestly disclosed.

Defense-in-depth across six control domains — infrastructure, data, identity, application, monitoring, and AI governance — with a cryptographic audit trail, zero-trust networking, and continuous compliance monitoring aligned with Fed/OCC/FDIC SR 26-2, the EU AI Act, and DORA. Our compliance status is conservative by design: we never claim an attestation we have not received.

o.slieptsov@saa-alliance.com· /.well-known/security.txt

How we build, not what we sell

Defense-in-depth, not perimeter trust.

Every request authenticated independently; mTLS service-to-service; identity-based admin access; no implicit network trust.

Every AI verdict carries a cryptographic audit trail.

Input-snapshot hash · kernel & model versions · governor decisions · calibration state · output hash — aligned with SR 26-2 and EU AI Act Article 12. Any historical verdict replays bit-for-bit.

Compliance status is honest, not aspirational.

«In progress» means building — not vapourware. «Aligned» means defensibly evidenced. We do not claim attestations we have not received. The posture below is conservative by design.

Critical CVEs patched in 24 hours.

Continuous scanning across infrastructure, containers, dependencies, and application code, tracked in a central register. CVE-free status is published only with a verification date — never as a standing claim.

Coordinated disclosure is the default.

Security reports acknowledged within 24 hours; a clear remediation timeline — Critical 24 h · High 7 d · Medium 30 d.

Compliance posture

We do not claim an attestation we have not received.

SOC 2 Type IIIn progressControls implemented; evidence tooling deployed; independent audit scheduled. No report issued yet — period & CPA firm published on completion.

ISO 27001In progressISMS underway; gap assessment complete; target Q3 2026. No certificate issued.

GDPR / UK GDPRIn progressPrivacy policy, DPA template, RoPA, DPIA workflow in build-out; data-subject rights operational via founder-direct privacy contact.

CCPA / CPRAIn progressConsumer rights documented and operational via founder-direct privacy contact; we do not sell personal information.

DORA · EU 2022/2554In progressICT-risk mapping, incident classification, sub-processor register, TLPT scope; artefact pack in build-out.

EU AI Act · 2024/1689In progressPer-verdict cryptographic audit trail, human-oversight controls, risk-management file scaffolding; conformity file in build-out.

NIST CSF 2.0AlignedControls mapped to Govern / Identify / Protect / Detect / Respond / Recover. Voluntary framework — alignment, not certification.

Public trust & status pagesRoadmapDedicated trust-center and status subdomains are planned. Until then, this page and the NDA trust pack are the single source of truth.

HIPAARoadmapNot in scope; BAA + PHI controls planned for future healthcare design partners.

PCI DSSNot applicableNo cardholder data on SAA infrastructure; processing delegated to PCI L1 processors.

FedRAMPNot applicableNo federal tenants targeted; re-assessed if a federal design partner enters the pipeline.

Live status reflects operational maturity, not formal attestation. Qualified counterparties obtain the SOC 2 readiness report, ISO 27001 gap summary, DORA artefact pack, EU AI Act conformity file, SIG Lite / CAIQ response, and the SR 26-2 third-party model-validation pack under NDA.

Defense-in-depth · six control domains

01 · Infrastructure

Infrastructure

Multi-AZ cloud with Kubernetes pod isolation and no public data-plane exposure. Zero-trust networking — mTLS and identity-based admin access. Distroless containers with image scanning in CI; edge WAF and DDoS protection.

02 · Data

Data

AES-256-GCM at rest with customer-managed keys; TLS 1.3 only in transit; column-level PII encryption. Region-locked residency — US / EU today, APAC on customer demand, no cross-region by default; four-tier classification with PII detection on ingestion.

03 · Identity & access

Identity & access

SSO (SAML 2.0 / OIDC) with MFA enforced (TOTP / WebAuthn / FIDO2). RBAC and ABAC; secrets in a managed vault with rotation; an immutable identity audit log — 365 days, tamper-evident hash chain, SIEM export.

04 · Application

Application

OWASP SAMM-aligned SDLC with mandatory review for security-sensitive changes. SAST, DAST and dependency scanning in CI; API rate-limiting and field-level authorization; adversarial-input detection and prompt-injection sanitisation on all LLM lanes.

05 · Monitoring & IR

Monitoring & incident response

Centralized metrics, logs and traces with security dashboards and operational escalation. NIST SP 800-61-aligned incident-response plan with severity classification and 72-hour breach notification; BCP / DR testing on a quarterly cadence.

06 · AI governance

AI governance · Responsible AI

Verdicts are rule-based and deterministically computed; humans approve release. Low-confidence verdicts auto-escalate; systematic-error and drift monitoring with dissent attribution; instant agent kill-switch.

Audit & evidence

Every verdict is cryptographically bound and replayable.

HMAC verdict trail signed per decision; ed25519 hash-chained, append-only ledger.

5 decision-integrity invariants enforced at write time; 7-rule math-to-narrative audit; 1 hash / 1,000 fresh-process repeats — bit-for-bit determinism.

Infrastructure hardening — 11 / 11 controls PASSverified 2026-05-27 · least-privilege audit role
S3 Object Lock (evidence archive — 7-year retention), SSE-KMS, deny-insecure-transport, lifecycle to deep archive, encrypted EBS, restricted ingress.

The evidence archive underpins alignment with FRTB-IMA · MiCA · SR 26-2 record-keeping — per-framework status in the register above (single source of truth).

Request the institutional Trust Pack

Coordinated disclosure · RFC 9116

security.txt — /.well-known/security.txt
Contact — o.slieptsov@saa-alliance.com (founder-direct; dedicated security alias on the roadmap)
Acknowledgment — within 24 hours
Remediation — Critical 24 h · High 7 d · Medium 30 d
PGP — public key on request · researcher credit offered
Scope — saa-alliance.com · *.saa-alliance.com · platform APIs
Languages — en, ru