§ Security & Trust OverviewDocument · REG-SEC-2026.07 · v1.0Prepared for enterprise security review

A security document you can trust.

This overview describes how Regisseur is designed, deployed, and operated, so a security team can assess it against their own controls. It is written to be accurate rather than aspirational — where a control is in place we say so, and where something is a shared responsibility or on our roadmap rather than shipped today, we say that too.

DeploymentOn-premise · single-tenant
AI modelBring your own key & account
EgressLocked down · air-gap capable
SecretsAES-256-GCM envelope
AuditAppend-only event ledger
Contactross@regisseur.ai
§ 01 — Executive summary

Eight principles the posture rests on.

Regisseur runs structured, auditable workflows with AI agents kept on a short, deterministic leash. It is built for regulated industries — insurance underwriting, energy, and similar domains where every action must be attributable and every decision reviewable.

01

It runs in your environment.

Deployed on-premise as a single-tenant stack. Your case data, documents, and audit trail live in a database you control — there is no shared multi-tenant cloud that mixes your data with another customer’s.

02

Your AI, your keys, your account.

Every language-model call is made against your provider account under your commercial terms. Regisseur operates no shared inference endpoint and keeps no copy of your prompts, documents, or completions outside your deployment.

03

Isolation is enforced in depth.

Row-level security is enabled on every table, tenancy is derived on the server (never trusted from the browser), and credentials are scoped so one workspace’s configuration cannot be used by another.

04

Secrets are encrypted with a key you hold.

Credentials are protected with AES-256-GCM envelope encryption under a master key that is never written to the database. The secret layer is pluggable to HashiCorp Vault, Azure Key Vault, or a customer-managed key.

05

Outbound access is locked down.

The deployment actively blocks egress to vendor clouds at the network layer and refuses to start against any hosted database. It is capable of running fully air-gapped.

06

Releases and licenses are verifiable.

Container images and license files are signed and verified offline, and each installation is cryptographically bound so a license cannot be copied to a second stack.

07

Everything is on the record.

Every action — a node activating, an agent completing, a person approving, an external party opening a link — is written to an append-only, tamper-evident event ledger with full lineage, and can be exported for audit.

08

The AI is governed, not free-roaming.

Agents run a deterministic pipeline, may only call an explicit allowlist of tools, produce schema-validated output, and can be halted instantly. Personal and protected health information can be one-way masked at the point of storage.

§ 02Deployment & tenancy

One tenant. Your environment. Nowhere else.

Regisseur is delivered as a self-contained stack — application, PostgreSQL database, authentication service, and API gateway — that you run inside your own infrastructure. Each customer stack serves exactly one tenant. There is no multi-tenant SaaS surface where customers share a database or an application instance.

A stack provisions itself into a single workspace on first run and then refuses to create a second one; workspace setup is reachable only through an internal, secret-gated path, so a stack cannot be turned into a multi-tenant host after the fact. For customers running several stacks, an optional operator console can sit above them for status and coordination — it reaches each stack only through that stack’s authenticated status API, never touching your database directly.

Tenancy
Single-tenant, one workspace per stack
Delivery
Self-contained on-premise stack
First-run binding
Refuses a second workspace
Operator console
Read-only · status API only

Your data never traverses a Regisseur-operated service. The blast radius of any issue is one tenant, in your environment, under your network and identity controls.

§ 03Data protection & encryption

Encrypted under a master key we never hold.

Row-level security is enabled on every application table. Access is scoped by workspace membership that the server resolves from the session — the browser never asserts which records it may see, and object references in URLs are resolved through the same membership-scoped query, which prevents an authenticated user from reaching another tenant’s records by guessing an identifier.

Credentials are protected with a two-layer envelope scheme. A 32-byte master key is supplied at startup from your environment or secret store and is never stored in the database; each credential is encrypted under a unique per-credential data key, itself stored only in encrypted form under the master key, with AES-256-GCM and a random per-record initialization vector. Resolved secrets are cached in memory only briefly, and are never written to logs, returned in an API response, or persisted in clear text.

Row-level security
Every table · server-derived tenancy
Cipher
AES-256-GCM · random IV per record
Master key
Never stored in the database
Key management
PostgreSQL · Vault · Azure Key Vault

The default backend keeps encrypted secrets in your PostgreSQL database; the same interface drives HashiCorp Vault and Azure Key Vault for customers who want secrets held in an external KMS. In air-gapped mode the platform restricts itself to the local encrypted backend automatically. The stack ships with a gateway that can terminate TLS and is designed to sit behind your TLS-terminating edge, so transport encryption is enforced under your existing certificate and cipher policy.

§ 04Identity, authentication & access

Four ways in. No others.

Regisseur integrates with your identity provider over standard SAML 2.0 and OIDC, so multi-factor authentication is enforced by your IdP policy and authentication strength stays under your control. Even with SSO, access is not automatic: a user must hold a pending invitation before an account is provisioned, and just-in-time provisioning then maps them to one of four roles — technician, member, admin, and owner — with authorization checked on the server at each protected route.

Every request into the platform authenticates through one of four well-defined mechanisms, and no others. External and machine callers are never issued a user session token; each path carries only the privilege it needs.

01
User sessions
The application UI, backed by your identity provider.
02
Service tokens
Machine-to-machine access. Shown once, stored only as a SHA-256 hash, scoped to a workspace and capability set, independently revocable.
03
Internal service credential
The platform’s own background workers — compared in constant time to resist timing attacks.
04
Signed webhooks
Inbound messaging, verified by cryptographic signature. Unsigned or invalid requests are rejected outright.
§ 05AI & model data handling

The model is one constrained step — never the controller.

This is where Regisseur differs most from a typical AI product, and it is usually a CISO’s first question.

Bring your own model, key, and account

You configure Regisseur with your own provider — Azure OpenAI, AWS Bedrock, Google Vertex, or Anthropic through a private gateway — using your credentials in the encrypted secret layer. The platform reads no model keys from environment variables; a build-time check fails the release if any provider key is read that way. Because every inference call runs against your account under your agreement, retention and training policy is governed by your contract with that provider, not by us.

An agent is not a free-form model prompt. It executes a fixed, typed pipeline where the language model is one constrained step, not the controller, and its output is schema-validated before it is used.

1Read
2Transform
3Call approved tool
4Evaluate
5Reason (model)
6Write
Deny-by-default tools

When an agent may call external tools, both the tool server and the individual tool must appear on its explicit allowlist. An empty allowlist permits nothing, and every rejected call is recorded as an audit event.

Protected data masking

A per-workspace masking option — off by default, enabled only by an administrator — replaces configured fields with a one-way hash at the point of persistence, so the underlying value is never written to storage. Agent definitions can carry compliance markers (HIPAA, Medicare, legal-privilege) that gate additional verification.

RoadmapAgent behaviour is exercised by an evaluation harness that produces tamper-evident drift certificates. We use this to detect regressions in agent quality — it is not a substitute for a formal AI-governance attestation, which is on our roadmap (see §11).

§ 06Network & egress control

Built to not phone home — and to prove it.

It refuses hosted databases

Pointed at any hosted database endpoint, the application fails to start rather than silently connecting out.

It blocks egress at the network layer

An initialization step installs outbound reject rules for vendor cloud domains before the application starts. Only endpoints you explicitly allow are reachable.

It is checked in the build

A CI gate scans the codebase on every change for any hosted-database reference and fails the build if one appears, so the guarantee cannot regress unnoticed.

The result is a deployment that can run fully air-gapped by default, with a demonstrable, tested outbound posture rather than a promise. Optional collaboration channels (for example Microsoft Teams) are off by default and opt-in per workspace. When you enable one, you keep your core private with a relay pattern: a small, hardened component you host in your own cloud tenant is the only public entry point — it verifies each provider-signed message and forwards it inward over private connectivity you control (VPN, private link, or a dedicated circuit). Your Regisseur core is never directly exposed, and the channel can be turned off instantly.

§ 07Supply-chain & artifact integrity

Signed. Offline-verified. Installation-bound.

Container images and license files are signed with Sigstore cosign and verified offline against a bundled public key — verification makes no network call and depends on no external transparency service, so it works in an air-gapped install. The signing toolchain is pinned to a specific version with a checksum and built into the image rather than fetched at runtime.

Each license is cryptographically bound to the specific installation through a fingerprint derived from stable installation secrets. Copying a license to a different stack fails verification, and cloning an entire stack reproduces the same workspace rather than minting a new licensable one. Every change also runs an automated secret scan (verified secrets only) and a dependency vulnerability audit for high and critical advisories.

Not yet shippedA formal software bill of materials (SBOM) is on our roadmap.

§ 08Auditability & observability

In regulated operations, the record is the deliverable.

Regisseur treats the audit trail as a first-class product surface. Every meaningful action writes an immutable row to an append-only event ledger — node activations, agent completions, human decisions, recoveries, errors, and communications. Rows are never updated or deleted.

Immutable output
Attributed to the exact agent version
End-to-end lineage
Human-origin trace id propagates downstream
Precise actors
Person · agent · model · system · integration · external
Versioned definitions
In-flight cases pinned to their start version
Audit export
Full event stream as JSON
Error tracking
Off by default · your project · no auto PII

External parties are first-class records, not free-text metadata, and because a case is pinned to the exact version it started under, a later change never rewrites the history of a case already in progress.

§ 09Secure development lifecycle

Enforced by automation, not by convention.

Every push and pull request runs a release gate that includes:

  • Static architectural guards that fail the build if core code crosses an isolation boundary, a public route imports a privileged database client, or a hosted-database reference is introduced.
  • A model-key scan that fails the build if any language-model provider key is read from the environment.
  • Type checking, linting, and a production build.
  • A test suite with enforced coverage thresholds across the security-relevant core.
  • Secret scanning (verified secrets only) and a dependency vulnerability audit for high and critical advisories.
  • An API-route security inventory that classifies every endpoint by its authentication mechanism and fails the build if a route is left unclassified or the inventory drifts.

Fast versions of the isolation and key-scan checks also run locally before every commit, so violations are caught before they ever reach the shared branch.

§ 10Emergency controls & resilience

One control stops everything — without losing state.

A single control halts all agent execution and background processing for a workspace without losing state: every queued task checks the halt flag before running. This is the primary “stop everything now” mechanism for an incident, and it preserves in-flight work so operations resume cleanly.

Because the workflow engine is event-driven and every step is recorded, a halted or interrupted case can be resumed from its last recorded state rather than restarted.

§ 11Compliance posture & certifications

We are direct about this, because CISOs check it first.

In place today
  • Single-tenant isolation
  • Encryption at rest with envelope keys
  • Enforced access control & RBAC
  • SSO with your MFA policy
  • Immutable, exportable audit trail
  • Deny-by-default tool access
  • Network egress lockdown
  • Signed & verified releases
  • One-way masking for protected data

Our internal control environment is organized around the SOC 2 Trust Services Criteria.

Not yet held
  • SOC 2 Type II audit
  • Formal HIPAA attestation
  • Independent third-party penetration test

We would rather state this plainly than imply a certification we do not have.

On the roadmap
  • SOC 2 Type II attestation
  • Independent penetration test, with a shareable summary
  • A published software bill of materials (SBOM)
  • Formal AI-governance (NIST AI RMF) alignment

Because Regisseur runs on-premise with your identity provider, your model provider account, and your keys, many controls a SaaS vendor would need to attest to are satisfied by your existing, already-audited infrastructure. For PHI workloads in particular, the platform is typically deployed so that Regisseur the vendor has no standing access to your data; the scope of any Business Associate Agreement should be assessed against your specific deployment.

§ 12Shared-responsibility model

Because it runs in your environment, security is a partnership.

AreaRegisseur providesYou own
Physical & network perimeterHardened, single-tenant deploymentData centre / cloud account, VPC, firewalls
Host, OS & container patchingSigned, versioned imagesRunning and patching host and runtime
Edge TLS & certificatesA gateway that can terminate TLSCertificate policy and termination at your edge
Identity & MFASAML/OIDC, RBAC, invitation gatingYour IdP, MFA policy, and user lifecycle
Model provider & AI spendBYO-provider integration, deterministic pipelineYour provider account, keys, and contract
Master encryption keyEnvelope encryption; key never stored in DBCustody and rotation of the master key
Application securityAuthz, RLS, audit, encryption, egress lockdownReviewing and accepting the deployment
Secure SDLC & releasesSigned releases, CI security gatesVerifying signatures on what you deploy
Data classification & retentionMasking, audit export, retention toolingClassification, retention, and legal-hold policy
Backup & disaster recoveryA single, self-contained database to back upBackup, restore, and DR of your infrastructure
Incident responseEmergency halt, immutable forensics trailYour IR process; we support investigation
§ 13Getting the detail you need

This answers a first pass. For a deeper engagement, under NDA:

01 An architecture walkthrough with your security team.
02 A live demonstration of the audit trail, egress lockdown, and access controls.
03 Our internal controls mapping against your framework or questionnaire (SIG, CAIQ, or your own).
04 A written response to your vendor-risk assessment.
§ Next step

Start the security conversation.

We would rather earn a longer first conversation than a short one. Reach out and we will set up an architecture walkthrough, a live controls demonstration, or a written response to your vendor-risk assessment.

Contact security & trust Security & compliance controls
Contact
ross@regisseur.ai
Document
REG-SEC-2026.07 · v1.0
Scope
Platform as built · July 2026
Detail
Under NDA where appropriate

This document describes the Regisseur platform as of July 2026 and is provided for security evaluation. Statements about controls reflect the platform as built; items identified as roadmap are not represented as currently available.