Trust

Security Is Our Product.

GovernorAI is built with a trust-by-design approach. Zero-trust architecture, deterministic enforcement, and provable audit trails are foundational, not features.

Request a Demo Zero-Trust Architecture

Zero-Trust by Default

No agent has implicit access to any system. Every action is verified against policy. No exceptions.

Fail-Closed Architecture

If policy evaluation fails, if the gateway is unreachable, or if no policy matches—the action is denied. Always.

No LLM in Governance

GovernorAI's policy engine is purely deterministic. YAML + OPA/Rego. No probabilistic decisions. No model drift in the governance layer.

What We Log

Structured governance events: agent ID, session ID, tool name, policy decision, timestamp, latency. Designed for compliance auditing.

What We Don't Log

No raw prompts. No model outputs. No customer PII in governance logs. GovernorAI logs governance decisions, not conversation content.

Data Residency

Self-hosted deployments keep all data in your environment. SaaS deployments support region selection for data residency requirements.

Encryption

AES-256 encryption at rest. TLS 1.3 in transit. mTLS between all internal components. No unencrypted data paths.

SOC 2 Type II

Immutable audit trails, access controls, change management, and monitoring controls aligned with SOC 2 Trust Services Criteria.

GDPR-Aligned Controls

Data minimization, purpose limitation, audit logging, and data residency controls aligned with GDPR requirements.

HIPAA-Aligned Controls

Access governance, audit trails, and administrative safeguards aligned with HIPAA security requirements for AI handling PHI.

EU AI Act

Transparency, human oversight, risk management, and technical documentation controls for high-risk AI systems.

Compliance Details →

SaaS (Hosted)

Managed GovernorAI infrastructure. We handle operations, scaling, and updates. You configure policies and govern your agents.

Self-Hosted (Your VPC)

Deploy GovernorAI entirely in your infrastructure. No data leaves your environment. Full operational control.

Air-Gapped

Full GovernorAI functionality with zero external network dependencies. For environments where internet access is not an option.

Authentication & Authorization

OAuth2/OIDC for authentication. RBAC for authorization. Integration with your existing identity provider. No shared secrets.

Network Security

mTLS between all components. Certificate rotation. VPC peering for self-hosted deployments. No plaintext communication.

Incident Response & Responsible Disclosure

SentinelLayer takes security incidents seriously. Our incident response process includes:

24-hour acknowledgment for reported security issues
72-hour initial assessment and triage
Coordinated disclosure for confirmed vulnerabilities
Post-incident reports for affected customers

To report a security issue, contact security@sentinellayer.dev.

Intellectual Property

SentinelLayer has filed patent applications covering key aspects of our governance architecture, including:

Multi-cloud policy translation and transpilation
Deterministic policy enforcement without LLM in the evaluation loop
Tamper-evident audit evidence with hash-chained integrity
Fail-closed stateless enforcement gateway architecture
Provider semantic normalization including allow/deny transformations

This IP supports platform defensibility while we build an open, integration-first governance layer. SentinelLayer™ and GovernorAI™ are trademarks of SentinelLayer, Inc.

Questions About Trust & Security?

We're happy to discuss our security practices, deployment options, and compliance alignment in detail.