We secure your AI. Here is how we secure ours.
STACK Vault sits inside your perimeter — not in our cloud. So most of your trust questions are about how the artifact you self-host is built, signed, and supported. Everything below is what we publish and intend to keep current.
How STACK Vault is built and shipped
Self-Hosted by Default
Vault, Compli, Compass, and the Shield/Conductor/Beacon stack all run inside your perimeter. No telemetry leaves your VPC unless you configure an explicit egress.
Signed Releases
Every container image and binary is signed with Sigstore. SBOMs are published per release. Verification instructions are included in the install kit.
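As an added illustration of the kind of check the install kit's verification instructions cover (this script is not from the STACK Vault install kit and not the project's own code): keyless cosign verification of a release image and of its SBOM attestation. The image reference, OIDC issuer, signer identity pattern and digest are placeholders; the real values come from the install kit.

```shell
#!/bin/sh
# Added example, not STACK Vault's own tooling. Verifies a Sigstore-signed
# container image and its SPDX SBOM attestation with cosign 2.x.
# All three values below are placeholders/assumptions; take the real ones
# from the install kit's verification instructions.
IMAGE="${IMAGE:-registry.example.com/stack/vault:1.2.3@sha256:PLACEHOLDER_DIGEST}"
ISSUER="${ISSUER:-https://token.actions.githubusercontent.com}"
IDENTITY_RE="${IDENTITY_RE:-^https://github\.com/example-org/vault/\.github/workflows/release\.yml@refs/tags/v}"

# Exit codes: 0 signature valid, 1 rejected (unpinned tag or bad signature),
# 2 missing argument, 3 cosign not installed.
verify_release_image() {
    image="$1"
    [ -n "$image" ] || { echo "usage: verify_release_image IMAGE@sha256:DIGEST" >&2; return 2; }
    # Pin to a digest, never a bare tag: a tag can be re-pointed after signing,
    # so a signature on "what the tag meant yesterday" proves nothing today.
    case "$image" in
        *@sha256:*) ;;
        *) echo "refusing to verify an unpinned tag: $image" >&2; return 1 ;;
    esac
    command -v cosign >/dev/null 2>&1 || { echo "cosign not installed" >&2; return 3; }
    # Keyless verification: the signing certificate must come from ISSUER and
    # its subject must match the release workflow identity, not just "anyone".
    cosign verify \
        --certificate-oidc-issuer "$ISSUER" \
        --certificate-identity-regexp "$IDENTITY_RE" \
        "$image" >/dev/null
}

# Verifies the SBOM attestation bound to the same digest and prints the
# decoded SPDX document, so the SBOM you act on is the one that was signed.
verify_release_sbom() {
    image="$1"
    [ -n "$image" ] || { echo "usage: verify_release_sbom IMAGE@sha256:DIGEST" >&2; return 2; }
    command -v cosign >/dev/null 2>&1 || { echo "cosign not installed" >&2; return 3; }
    cosign verify-attestation \
        --type spdxjson \
        --certificate-oidc-issuer "$ISSUER" \
        --certificate-identity-regexp "$IDENTITY_RE" \
        "$image" | jq -r '.payload' | base64 -d | jq '.predicate'
}

# Run both checks only when invoked as "sh verify.sh run"; sourcing the file
# just defines the functions.
case "${1:-}" in
    run) verify_release_image "$IMAGE" && verify_release_sbom "$IMAGE" ;;
esac
```

Treat any non-zero result as a hard stop in the deployment pipeline: an image that fails keyless verification, or whose SBOM attestation does not verify against the same digest, should not be admitted to the cluster.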
Vulnerability Handling
Report any issue to [email protected]. We acknowledge within one business day and publish advisories on every fix that affects deployed instances.
Frameworks and where we are
SOC 2 Type II
In progress. The trust pack contains current control evidence and will name the auditor of record once the engagement starts.
ISO 27001 / 42001
27001 is on the roadmap for our internal corporate environment. 42001 is mapped at the product level via STACK Compli.
HIPAA / Sector
Because Vault is self-hosted, a BAA-ready architecture depends on how you deploy it. Reference architectures are published for healthcare, financial services, and federal/defense.
What we can — and cannot — see
Customer Data
Stays in your perimeter. We do not host customer telemetry, agent prompts, embeddings, or identity stores in our infrastructure.
Aggregate Telemetry
Optional. If you opt in, only anonymized counters (release version, feature flags enabled, error class) are sent — never identity, payload, or policy content.
Support Access
Customer-initiated only. Support engineers see what you share in a support session. There is no standing back door to your deployment.