Trust Center — Datacendia | Security, Compliance & Data Handling

✅ Verified Build Status

These metrics are verifiable by running npm test in our repository.

205,081

Automated Tests →

100%

Pass Rate

45

AI Council Agents

26

Languages

View Security Test Details

Prompt Injection: CendiaGuard™ blocks malicious prompts ✓
Jailbreak Attempts: DAN/evil mode attacks refused ✓
Data Extraction: System prompt revelation blocked ✓
Bias Testing: 11 tests for discrimination, fraud, ethics ✓
Air-Gap Verification: 11 tests confirm zero external calls ✓
Rubric-Based Consistency: LLM nondeterminism tolerance validated ✓

Last verified: February 21, 2026 · View on GitHub

📜 Published Conformance Statements

Self-attested conformance statements mapping Datacendia's architecture to major AI governance frameworks. Each document includes cryptographic content hashes for integrity verification.

ISO/IEC 42001:2023

AI Management Systems — Conformance Statement

PDF · Download →

NIST AI RMF

AI Risk Management Framework — Alignment Document

PDF · Download →

EU AI Act

Regulation (EU) 2024/1689 — Conformance Statement

PDF · Download →

SBOM

Software Bill of Materials — CycloneDX Format

JSON · Download →

All PDFs include SHA-256 content hashes on the final page for independent integrity verification. Published February 6, 2026.

Deployment Options

Mode	Data Location	Our Access	Setup Time
Private Cloud	Your VPC	Metadata only	Days
On-Premises	Your data center	None	Weeks
Air-Gapped	Isolated network	None	Weeks+

Data Handling

Data ingested Read-only from your sources; we don't modify origin systems
Data stored Evidence ledger + decision artifacts (encrypted at rest)
Data retention Configurable; default 90 days for logs, indefinite for audit ledger
Data export Full export available anytime (JSON, PDF, raw artifacts)
Training on customer data Never. Your data is not used for model training.

Compliance Roadmap

Last updated: 2026-02-06

ISO/IEC 42001:2023

AI Management Systems. Self-attested conformance statement published.

Published · PDF

NIST AI RMF

AI Risk Management Framework. GOVERN, MAP, MEASURE, MANAGE functions mapped.

Published · PDF

EU AI Act

Regulation (EU) 2024/1689. Articles 5–15 mapped, deployer obligations addressed.

Published · PDF

SOC 2 Type II

Control mapping complete. Evidence collection in progress.

Target Q2 2026 (as of Jan 2026)

ISO 27001

Gap assessment complete. Implementation roadmap defined.

Target H2 2026 (as of Jan 2026)

GDPR

Data processing controls implemented. DPA available on request.

Aligned

FedRAMP

Architecture designed to FedRAMP Moderate controls. IL4/IL5 pathway documented for DoD deployments.

Control-Ready · IL4/IL5 Pathway

CMMC 2.0

Cybersecurity Maturity Model Certification. Architecture supports Level 2 (Advanced) controls for CUI protection. Level 3 (Expert) pathway documented for defense contractors.

Architecture-Ready

HIPAA / HITECH

PHI never processed by Datacendia — runs entirely on customer infrastructure. BAA available for private cloud deployments where applicable.

Architecture-Aligned

Incident Response & Security Testing

Incident Response SLA

Critical (P1): 4-hour acknowledgment, 24-hour remediation target
High (P2): 8-hour acknowledgment, 72-hour remediation target
Medium (P3): 24-hour acknowledgment, next release remediation
Sovereign tier customers receive dedicated incident response with custom SLAs.

Security Testing Summary

SAST/DAST: Automated static and dynamic analysis on every build
Dependency Scanning: Continuous CVE monitoring via SBOM (CycloneDX)
AI-Specific Testing: Prompt injection, jailbreak, data extraction, bias — 204,000+ automated tests
Penetration Testing: Third-party pen test scheduled for H1 2026. Results will be available under NDA.
Full test breakdown available at Test Results →

Subprocessors

Private Cloud / On-Prem / Air-Gapped: No subprocessors. All processing occurs within your environment.

Distribution vs Data Processing

Datacendia separates software distribution from data processing:

Software distribution Available via AWS Marketplace (procurement/delivery channel only)
Runtime location Your infrastructure (on-prem, private cloud, or air-gapped)
Customer data hosting Never hosted by Datacendia — stays in your environment
Air-gapped updates Offline install bundles available; no outbound connectivity required
Telemetry / call-home None required; license validation supports offline mode

Retention & Deletion

Retention policies are configurable per deployment. Default settings:

Operational logs 90 days default (configurable 30–365 days)
Audit ledger (decisions) Immutable by design; retention customer-controlled
Evidence packets Retained until customer-initiated purge
Personal data separation PII can be purged independently of audit metadata
Customer-controlled deletion Full data export + deletion available on request

Note: "Immutable" refers to tamper-evidence (append-only with cryptographic hashing), not inability to delete. Customers can purge data per their retention schedules while maintaining audit integrity hashes.

✍️ CendiaNotary™ — Cryptographic Signing Authority

Every decision, every audit entry, every evidence packet is cryptographically signed with your keys. We never see them. Non-repudiation guaranteed.

AWS KMS

Native integration with AWS Key Management Service

Azure Key Vault

Full support for Azure's managed HSM service

HashiCorp Vault

Enterprise secrets management integration

Local Air-Gapped

File-based keys for fully isolated deployments

What CendiaNotary Signs

Decision Packets: Every Council deliberation outcome
Audit Ledger Entries: Append-only log with chain integrity
Evidence Bundles: Compliance exports for regulators
Test Reports: Signed verification of system health

Zero-Trust Principle: Datacendia never has access to your signing keys. All cryptographic operations occur within your infrastructure.

🏛️ CendiaVault™ — Unified Evidence Storage

All decision artifacts, audit trails, and compliance evidence in one searchable, retention-compliant vault. Immutable storage with legal hold support.

Decision Packets

Council deliberation outcomes

Audit Ledger

Immutable action log

Evidence Bundles

Regulator-ready exports

Signed Reports

Test & compliance PDFs

Retention Policies

Standard: 7 years (regulatory default)
Extended: 10 years (financial services)
Permanent: Legal hold / litigation
Custom: Per your compliance requirements

Integrity Guarantees

SHA-256 content hashing
CendiaNotary™ signatures
Merkle tree verification
Tamper-evident append-only design

Legal Hold: Artifacts can be placed on litigation hold, preventing deletion regardless of retention policy. Release requires explicit authorization.

Shared Responsibility Model

Security responsibilities vary by deployment mode:

Responsibility	Air-Gapped / On-Prem	Private Cloud (VPC)
Infrastructure security	Customer	Customer + Cloud Provider
Network security	Customer	Customer
Identity & access (IAM)	Customer	Customer
Encryption keys (KMS/HSM)	Customer	Customer
Application updates	Customer (offline bundles)	Customer (with Datacendia support)
Application security	Datacendia	Datacendia
Vulnerability patching	Datacendia (provides patches)	Datacendia (provides patches)

Vulnerability Disclosure Policy

We appreciate responsible disclosure of security vulnerabilities.

Report to security@datacendia.com
Acknowledgment Within 48 hours
Status updates Regular updates during remediation
Safe harbor No legal action for good-faith research

See security.txt for machine-readable disclosure information.

Anonymized Pilot Case Studies

Four anonymized case studies from real pilots — industrial manufacturing, financial services, healthcare, and public-sector adjacent. No inflated metrics. No AI accuracy claims.

Industrial Manufacturing

"It forced us to be explicit about why we chose to do it."

Financial Services

"The value wasn't the recommendation — it was the evidence trail."

Read All 4 Case Studies →