Security brief

Enterprise‑grade by design

TrustPlane runs inside your VPC/VNet. Sensitive inputs/outputs never traverse a vendor proxy. We standardize identity, policy, routing, and audit across providers—so you can approve once and reuse across use cases. Target outcomes: ≤ 7 days time‑to‑evidence and ≤ 90 days pilot → certificate-verified production.

SOC 2 Type II (fieldwork Oct 2025; report window Q2 2026)—evidence and the engagement letter are included in the Security Pack.

Instant redacted downloads (EU AI Act, NIST AI RMF, SOC 2 roadmap, Action Certificate sample) unlock after email capture; signed copies and SIG Lite/CAIQ responses arrive automatically after form submission.

How TrustPlane governs a request

In your VPC • No public ingress
Request path

Apps, agents, or humans send requests through the TrustPlane gateway running in your VPC/VNet.

Policy engine

Identity, residency, budget, and evaluation contracts enforced before any side-effects.

Learning Controls

Golden sets, drift monitors, and reviewer feedback captured for every promotion gate.

Action Certificate

COSE-signed attestation minted with policy hash, approvals, rollout scope, and telemetry references.

Downstream verification

Applications, data stores, and automation hooks verify certificates locally before executing writes.

SIEM & analytics

OpenTelemetry spans stream to Splunk/Datadog for audit, FinOps showback, and incident response.

Request → policy → Learning Controls → certificate minting → downstream verification → SIEM export. Diagram applies to AWS, Azure, and GCP private modes.

Controls at a glance

In‑VPC / customer‑owned
Deploys to your AWS/GCP/Azure. No public ingress for private modes.
SSO + SCIM
Okta, Microsoft Entra ID, Ping. Least‑privilege roles & ABAC/RBAC.
BYOK/KMS + residency
Customer‑managed keys; data residency options (US/EU).
Private networking
VPC/VNet peering; egress controls; no data path to vendor compute.
Deterministic audit
Per‑action lineage, evaluator decisions, policy version hashes.
Evidence packs
Export bundles for EU AI Act / NIST AI RMF / internal audits.
Architecture & data flow
Deployed to your AWS/GCP/Azure account; no public ingress required for private modes. The gateway/sidecar evaluates policy and SLOs on the request path and emits OpenTelemetry for full lineage. Model/tool routing is vendor‑neutral and policy‑driven, with rollback safe‑modes.
Data protection & BYOK
At rest via customer‑managed keys (BYOK/KMS); HSM-backed options supported across AWS KMS, Azure Key Vault, and Google Cloud KMS with automatic rotation. In transit via TLS 1.2+. Optional PII detection and masking. Configurable retention/redaction for prompts, completions, and traces; export to SIEM and eDiscovery vaults.
Identity & access
SAML SSO (Okta, Microsoft Entra ID, Ping) and SCIM provisioning. Role‑based and attribute‑based controls, least‑privilege defaults, just‑in‑time access, and immutable audit of approvals and changes.
Network security
Private networking (VPC/VNet peering) with security groups and egress controls. For private deployment modes there is no data path to TrustPlane‑hosted compute.
Deployment modes
| Mode | Ingress | Connectivity | Use cases |
| --- | --- | --- | --- |
| Private | No public ingress; outbound egress optional | VPC/VNet peering only | Regulated workloads, air-gapped environments |
| Private-peered | Private ingress via load balancer | Private link or service endpoints | Hybrid cloud, marketplace procurement |
| Hybrid | Controlled public ingress with IP allowlist | Outbound egress restricted to approved model/tool endpoints | Bring-your-own model endpoints, partner-hosted inference |
Observability & audit
OpenTelemetry and Datadog/Splunk exports; per‑action lineage with policy version hashes and evaluator decisions. Artifact signing uses COSE; optional transparency log in your account.
OpenTelemetry → SIEM mapping

Each Action Certificate emits an OpenTelemetry span with identifiers you can query downstream.

span.attributes = {
  'trustplane.certificate_id': 'cert_8f24a3d1',
  'trustplane.policy_version_hash': 'sha256:9c73…f5a0',
  'trustplane.approvals': ['security','finops','data-owner'],
  'trustplane.rollout.percent': 25,
  'trustplane.learning_contract': 'golden:v1'
};

// Splunk example query
index=trustplane sourcetype=otel span trustplane.certificate_id=cert_8f24a3d1
| stats count by trustplane.policy_version_hash, trustplane.rollout.percent
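
The attributes above can also be checked programmatically on the customer side before a span is accepted as evidence of a governed write. The following is an added example, not TrustPlane code: the attribute names come from the sample span, while the approved-hash allowlist, the revocation set, the required approver set, the rollout ceiling and all sample values are constructed assumptions.

```python
# Added example: audit exported span attributes. Attribute names come from the
# page; the allowlist, revocation set and thresholds are assumptions.
REQUIRED_APPROVALS = {"security", "finops", "data-owner"}  # assumed local policy
HASH_A = "sha256:" + "a" * 64  # constructed placeholder, not a real policy hash
HASH_B = "sha256:" + "b" * 64  # constructed placeholder

def audit_span(attrs, approved_hashes, revoked_ids, max_rollout=25):
    """Return findings for one span's attribute dict; empty list means clean."""
    findings = []
    cert_id = attrs.get("trustplane.certificate_id")
    if not isinstance(cert_id, str) or not cert_id:
        findings.append("missing certificate_id")
    elif cert_id in revoked_ids:
        findings.append("certificate revoked")
    policy_hash = attrs.get("trustplane.policy_version_hash")
    if not isinstance(policy_hash, str) or policy_hash not in approved_hashes:
        findings.append("unapproved policy_version_hash")
    approvals = attrs.get("trustplane.approvals")
    got = set(approvals) if isinstance(approvals, (list, tuple)) else set()
    missing = sorted(REQUIRED_APPROVALS - got)
    if missing:
        findings.append("missing approvals: " + ",".join(missing))
    pct = attrs.get("trustplane.rollout.percent")
    numeric = isinstance(pct, (int, float)) and not isinstance(pct, bool)
    if not numeric or not 0 <= pct <= max_rollout:
        findings.append("rollout percent out of bounds")
    if not attrs.get("trustplane.learning_contract"):
        findings.append("missing learning_contract")
    return findings

# Constructed sample spans (not real telemetry).
SAMPLE_SPANS = [
    {"trustplane.certificate_id": "cert_example_ok",
     "trustplane.policy_version_hash": HASH_A,
     "trustplane.approvals": ["security", "finops", "data-owner"],
     "trustplane.rollout.percent": 25,
     "trustplane.learning_contract": "golden:v1"},
    {"trustplane.certificate_id": "cert_example_revoked",
     "trustplane.policy_version_hash": HASH_B,
     "trustplane.approvals": ["security"],
     "trustplane.rollout.percent": 100,
     "trustplane.learning_contract": "golden:v1"},
    {"trustplane.rollout.percent": "25"},  # write with no certificate at all
]

def audit_all(spans=SAMPLE_SPANS):
    """Audit every span; return (index, findings) pairs for the failures only."""
    approved, revoked = {HASH_A}, {"cert_example_revoked"}
    return [(i, f) for i, s in enumerate(spans) if (f := audit_span(s, approved, revoked))]
```

A span that lacks `trustplane.certificate_id` entirely is the case worth alerting on first, since it indicates a write that did not pass through certificate minting.
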
Vulnerability management
Weekly dependency scanning, SBOMs and image signing. Runtime baseline alerts; customer images attested prior to deploy.
Incident response
24×7 on-call. Sev1 triage within 15 minutes, customer communication within 60 minutes, and mitigation updates every four hours until resolved. Post-incident reviews delivered within five business days with corrective actions tracked to closure.
Compliance & privacy
SOC 2 Type II program underway; external auditor engaged with fieldwork beginning October 2025 and an expected report window of Q2 2026. Auditor engagement letter is available under NDA. GDPR alignment (DPA, EU SCCs where applicable) and AI governance mappings ship in every evidence bundle. Request the SIG Lite, CAIQ, and pen-test executive summary via the security form—an auto-response sends redacted copies immediately. Enterprise procurement is available via private offer on AWS/GCP/Azure Marketplace upon request. Review current sub-processors and request signed copies via the security contact form.
Shared responsibility model

TrustPlane provides the control plane (identity, policy, connectors, audit). You govern data, network boundaries, IAM/KMS, and vendor DPAs. Reference Terraform and hardening guides are supplied; you retain keys and residency controls.

| TrustPlane | Customer |
| --- | --- |
| Gateway images, policy engine, certificate signing, observability export | Cloud account, IAM roles, network peering, security group enforcement |
| SSO/SCIM app configuration guidance, RBAC/ABAC templates | Approver roster, identity proofing, SCIM provisioning, role review cadence |
| Policy packs, Learning Controls defaults, evidence bundles | Policy approval, data classification, evaluation contract selection |
| Certificate schema, transparency log tooling, SDK verifiers | Certificate verification before writes, SIEM queries, revocation handling |
Action Certificates (attested writes)
Every sensitive write mints a signed, portable certificate including policy hashes, evaluation results, approver identities, rollout scope, and SLO/cost snapshots. Downstream systems may require a valid certificate before any side‑effects.
  • COSE‑signed, verifiable artifact per action
  • Portable across ServiceNow, Snowflake, Slack, Databricks
  • OTel → Splunk/Datadog; retention & eDiscovery friendly
  • Optional transparency log (append‑only) in your account
Evidence bundles (EU AI Act / NIST AI RMF)

We map identity, policy, audit, and certificates into exportable evidence packs for Security, Legal, and Audit.

  • Control mappings with policy version hashes
  • Per‑action lineage + certificate links
  • DPIA/LLM‑risk templates & runbooks

FAQ

Do you run inside our VPC/VNet?

Yes—deployment is in your cloud account so compute and data remain within your perimeter. Private modes require no public ingress.

Do you train on our data?

No—unless you opt in. Model providers and open‑weights are selectable by policy. Routing is vendor‑neutral.

How do you handle secrets and keys?

BYOK/KMS with customer‑managed keys. Reference Terraform & hardening guides help you enforce residency, egress, and IAM scopes.

What artifacts are available for procurement?

SOC 2 program materials, DPIA/LLM‑risk docs, DPA/SCC templates, and Action Certificate samples. Request the full pack below.

Procurement & risk shortcuts

  • Security review support (questionnaires, diagrams)
  • SOC 2 program / Type II roadmap
  • Data residency controls (US/EU), BYOK/KMS
  • SIEM streaming (OTel → Datadog/Splunk)