The security overview your review needs
A self-hosted control under your own keys changes the answers on most security questionnaires. Here is the posture a procurement or compliance team needs, with the deeper architecture documents linked for your review.
Encryption and keys
The strongest answer in any review is that Verillian cannot read your content. Keys are yours, signing happens on the device, and the server holds only ciphertext.
- Customer-held keys
- Audit content is encrypted under a key your institution generates and holds, using X25519 key agreement with AES-256-GCM. Decryption requires your private key, which never reaches Verillian.
- Signing keys stay on the device
- The key that signs each captured interaction never leaves the endpoint that produced it. The admin server can verify a signature but cannot forge one, because it never holds the signing key.
- Custody, rotation, and recovery sit with you
- Because the keys are yours, key generation, custody, rotation, and recovery are operated by your institution. Operational guidance for your deployment is provided for your security team.
- The server holds only ciphertext
- Even under legal compulsion, the admin server can produce only opaque ciphertext. There is no path by which Verillian decrypts your content, because Verillian does not hold the key.
Where your data lives
Self-hosted means your deployment data stays in your environment. The only data Verillian holds is business-contact information for our own operations.
- Your deployment stays in your environment
- The sentinel and the AI audit trail run on infrastructure you operate. Your prompts, responses, tool calls, and audit trail are never sent to Verillian to hold.
- Air-gapped operation is supported
- The platform operates without outbound connectivity to Verillian, including fully air-gapped deployments. Enforcement and capture do not depend on reaching us.
- Corporate data is US-based
- The limited business-contact and website data Verillian itself holds is processed by US-based providers. The current service-provider detail is available on request.
Attestation, DPA, and BAA
Stated honestly: what Verillian is aligned to, what it does not claim, and which agreements are available for regulated buyers.
- Third-party attestation
- The self-hosted architecture keeps Verillian out of the path of your sensitive data, which narrows what a third-party attestation would cover. Verillian is aligned to the controls in CJIS Security Policy v6.0, HIPAA, and NIST 800-53. Attestation status, including SOC 2, is available on request. We do not claim a certification we do not hold.
- Data processing addendum (DPA)
- A DPA is available for institutions that require one. Because your deployment data does not flow to Verillian, the processing Verillian performs is limited to business-contact information.
- Business associate agreement (BAA)
- Verillian does not receive, store, or process protected health information from your deployment, so under the self-hosted model a BAA may be unnecessary. For covered entities that require one, a BAA is available on request.
aligned, not certified; attestation status available on request
Availability, support, and incidents
Your control runs on your infrastructure, so most availability risk is removed by design. Support, updates, and incident handling are stated below.
- Your control does not depend on us
- Policy enforcement and audit capture run on your infrastructure with no Verillian service in the request path, so your control keeps working when Verillian does not. The status page explains why our availability does not affect your deployment.
- Support and service levels
- Support tiers, response targets, and update and patch commitments are defined in your agreement. We will share the current terms with your procurement team.
- Updates and patches
- Security updates are published for the sentinel and the admin server. You apply them on your schedule, on your own infrastructure.
- Security incidents
- Verillian notifies affected institutions without undue delay of a security incident affecting data Verillian holds. Because your deployment data stays with you, an incident on Verillian's side does not expose your prompts, responses, or audit chain. Researchers can report issues through the vulnerability disclosure page.
The deeper documents
The architecture and the full security model are documented for your team. A security questionnaire and the current service-provider and compliance-mapping detail are available on request.
- Architecture and data flow
- The data path from the device through the decision into the signed chain. Read the PDF.
- Trust and security overview
- How Verillian is designed for trust, in one document. Read the PDF.
- The full security model
- Six principles enforced by construction, and what operators get. See the security model.
- Compliance mappings
- The frameworks Verillian is designed to support, with control-by-control detail on request. See the mappings.
Hand it to your security team
We will provide the security questionnaire, service-provider detail mapped to your DPA, and the compliance detail your review needs.