← Return to Datacendia
Trust Center

Trust Center

Our security posture, deployment options, and compliance roadmap — documented honestly.

✅ Verified Build Status

These metrics are verifiable by running npm test in our repository.

204,079
100%
Pass Rate
40+
AI Council Agents
11
Languages
View Security Test Details
  • Prompt Injection: CendiaGuardâ„¢ blocks malicious prompts ✓
  • Jailbreak Attempts: DAN/evil mode attacks refused ✓
  • Data Extraction: System prompt revelation blocked ✓
  • Bias Testing: 11 tests for discrimination, fraud, ethics ✓
  • Air-Gap Verification: 11 tests confirm zero external calls ✓
  • Rubric-Based Consistency: LLM nondeterminism tolerance validated ✓

Last verified: February 21, 2026 · Metrics sourced from platform test suite · View on GitHub

📜 Self-Attested Conformance Statements

Self-attested conformance statements mapping Datacendia's architecture to major AI governance frameworks. These are not third-party audited — they document how our architecture maps to each framework's requirements. Each document includes cryptographic content hashes for integrity verification.

ISO
ISO/IEC 42001:2023
AI Management Systems — Conformance Statement
PDF · Download →
NIST
NIST AI RMF
AI Risk Management Framework — Alignment Document
PDF · Download →
EU AI Act
EU AI Act
Regulation (EU) 2024/1689 — Conformance Statement
PDF · Download →
SBOM
SBOM
Software Bill of Materials — CycloneDX Format (Platform Application)
JSON · Download →

All PDFs include SHA-256 content hashes on the final page for independent integrity verification. Published February 6, 2026. Last reviewed: March 2026.

Deployment Options

Mode Data Location Our Access Setup Time
Private Cloud Your VPC Metadata only Days
On-Premises Your data center None Weeks
Air-Gapped Isolated network None Weeks+

Data Handling

  • Data ingested Read-only from your sources; we don't modify origin systems
  • Data stored Evidence ledger + decision artifacts (encrypted at rest)
  • Data retention Configurable; default 90 days for logs, indefinite for audit ledger
  • Data export Full export available anytime (JSON, PDF, raw artifacts)
  • Training on customer data Never. Your data is not used for model training.

Compliance Roadmap

Last updated: 2026-03-06

ISO/IEC 42001:2023
AI Management Systems. Self-attested conformance statement published (not third-party audited).
Self-Attested · PDF
NIST AI RMF
AI Risk Management Framework. GOVERN, MAP, MEASURE, MANAGE functions mapped (self-attested).
Self-Attested · PDF
EU AI Act
Regulation (EU) 2024/1689. Articles 5–15 mapped, deployer obligations addressed (self-attested).
Self-Attested · PDF
SOC 2 Type II
Control mapping complete. Evidence collection in progress.
Target Q2 2026 (as of Mar 2026)
ISO 27001
Gap assessment complete. Implementation roadmap defined.
Target H2 2026 (as of Mar 2026)
GDPR
Data processing controls implemented. DPA available on request.
Aligned
FedRAMP
Architecture designed to FedRAMP Moderate controls. IL4/IL5 pathway documented for DoD deployments.
Control-Ready · IL4/IL5 Pathway
CMMC 2.0
Cybersecurity Maturity Model Certification. Architecture supports Level 2 (Advanced) controls for CUI protection. Level 3 (Expert) pathway documented for defense contractors.
Architecture-Ready
HIPAA / HITECH
PHI never processed by Datacendia — runs entirely on customer infrastructure. BAA available for private cloud deployments where applicable.
Architecture-Aligned

Incident Response & Security Testing

Incident Response SLA
Critical (P1): 4-hour acknowledgment, 24-hour remediation target
High (P2): 8-hour acknowledgment, 72-hour remediation target
Medium (P3): 24-hour acknowledgment, next release remediation
Sovereign tier customers receive dedicated incident response with custom SLAs.
Security Testing Summary
SAST/DAST: Automated static and dynamic analysis on every build
Dependency Scanning: Continuous CVE monitoring via SBOM (CycloneDX)
AI-Specific Testing: Prompt injection, jailbreak, data extraction, bias — 204,000+ automated tests
Penetration Testing: Third-party pen test scheduled for H1 2026. Results will be available under NDA.
Full test breakdown available at Test Results →

Subprocessors

Private Cloud / On-Prem / Air-Gapped: No subprocessors. All processing occurs within your environment.

Distribution vs Data Processing

Datacendia separates software distribution from data processing:

  • Software distribution Available via AWS Marketplace (procurement/delivery channel only)
  • Runtime location Your infrastructure (on-prem, private cloud, or air-gapped)
  • Customer data hosting Never hosted by Datacendia — stays in your environment
  • Air-gapped updates Offline install bundles available; no outbound connectivity required
  • Telemetry / call-home None required; license validation supports offline mode

Retention & Deletion

Retention policies are configurable per deployment. Default settings:

  • Operational logs 90 days default (configurable 30–365 days)
  • Audit ledger (decisions) Immutable by design; retention customer-controlled
  • Evidence packets Retained until customer-initiated purge
  • Personal data separation PII can be purged independently of audit metadata
  • Customer-controlled deletion Full data export + deletion available on request

Note: "Immutable" refers to tamper-evidence (append-only with cryptographic hashing), not inability to delete. Customers can purge data per their retention schedules while maintaining audit integrity hashes.

✍️ CendiaNotary™ — Cryptographic Signing Authority

Every decision, every audit entry, every evidence packet is cryptographically signed with your keys. We never see them. Non-repudiation supported by design.

AWS KMS
Native integration with AWS Key Management Service
Azure Key Vault
Full support for Azure's managed HSM service
HashiCorp Vault
Enterprise secrets management integration
Local Air-Gapped
File-based keys for fully isolated deployments
What CendiaNotary Signs
  • Decision Packets: Every Council deliberation outcome
  • Audit Ledger Entries: Append-only log with chain integrity
  • Evidence Bundles: Compliance exports for regulators
  • Test Reports: Signed verification of system health

Zero-Trust Principle: Datacendia never has access to your signing keys. All cryptographic operations occur within your infrastructure.

🏛️ CendiaVault™ — Unified Evidence Storage

All decision artifacts, audit trails, and compliance evidence in one searchable, retention-compliant vault. Immutable storage with legal hold support.

Decision Packets
Decision Packets
Council deliberation outcomes
Audit Ledger
Audit Ledger
Immutable action log
Evidence Bundles
Evidence Bundles
Regulator-ready exports
Signed Reports
Signed Reports
Test & compliance PDFs
Retention Policies
  • Standard: 7 years (regulatory default)
  • Extended: 10 years (financial services)
  • Permanent: Legal hold / litigation
  • Custom: Per your compliance requirements
Integrity Guarantees
  • SHA-256 content hashing
  • CendiaNotaryâ„¢ signatures
  • Merkle tree verification
  • Tamper-evident append-only design

Legal Hold: Artifacts can be placed on litigation hold, preventing deletion regardless of retention policy. Release requires explicit authorization.

Shared Responsibility Model

Security responsibilities vary by deployment mode:

Responsibility Air-Gapped / On-Prem Private Cloud (VPC)
Infrastructure security Customer Customer + Cloud Provider
Network security Customer Customer
Identity & access (IAM) Customer Customer
Encryption keys (KMS/HSM) Customer Customer
Application updates Customer (offline bundles) Customer (with Datacendia support)
Application security Datacendia Datacendia
Vulnerability patching Datacendia (provides patches) Datacendia (provides patches)

Vulnerability Disclosure Policy

We appreciate responsible disclosure of security vulnerabilities.

  • Report to security@datacendia.com
  • Acknowledgment Within 48 hours
  • Status updates Regular updates during remediation
  • Safe harbor No legal action for good-faith research

See security.txt for machine-readable disclosure information.

Anonymized Pilot Case Studies

Four anonymized case studies from real pilots — industrial manufacturing, financial services, healthcare, and public-sector adjacent. No inflated metrics. No AI accuracy claims.

Industrial Manufacturing
"It forced us to be explicit about why we chose to do it."
Financial Services
"The value wasn't the recommendation — it was the evidence trail."
Read All 4 Case Studies →

Related Trust Resources

DCII Framework
9 crisis immunization primitives for decision governance.
View →
War Games
Would dissent have surfaced the risk? Real-world decision failures analyzed.
View →
Case Studies
Implementation examples and anonymized pilot outcomes.
View →
ROI Calculator
Quantify the cost of ungoverned decisions.
View →
Integration Honesty Matrix
What's built, what's mocked, what's roadmap — no inflated claims.
View →
Security Architecture
Technical security controls, encryption standards, and threat model.
View →
Sovereignty Matrix
Data residency, jurisdiction controls, and deployment sovereignty options.
View →
Compliance Documentation
Framework mappings, regulatory alignment, and audit readiness guides.
View →

Need to complete a security questionnaire or schedule a security review?

contact@datacendia.com

SYSTEM STATUS: AIR-GAP READY · NO TRACKER PIXELS DETECTED

Trust artifacts reviewed monthly. Compliance roadmap dates reflect current planning as of the date shown. Claims governed by our claim governance process.