What procurement reads first

Read this page. There is no portal.

Static editorial, not a Vanta-style portal. Six controls live, five sub-processors named (all EU-resident), and one URL that covers most security reviews.

Encrypt at rest. Hash on write. Scrub on ingest.

The CISO's first question is what's actually enforced. The matrix below is six controls live in production today plus one roadmap-honesty row. Encryption, hashing, scrubbing, access isolation — Adjudon enforces them on the same trace your agent just emitted, not on a periodic compliance scan.

  • LIVE
    Encryption at rest

    AES-256 across all customer data — traces, audit log, settings. Keys managed by MongoDB Atlas, rotated on the standard AWS schedule.

    MongoDB Atlas eu-central-1 · AWS-managed keys
  • LIVE
    Encryption in transit

    TLS 1.2+ on every endpoint. HTTPS enforced — plain HTTP is rejected at the API edge before any handler runs.

    Fly.io edge · Cloudflare CDN · HTTPS-only
  • LIVE
    Decision Hash Chain

    Append-only SHA-256 chain over every trace. The chain export is replay-verifiable offline against the published algorithm — no Adjudon login required at the auditor's end.

    GET /api/v1/hash-chain/export · gated hashChainAudit
  • LIVE
    Operations Audit Log

    Separate SHA-256 chain over admin events — policy changes, user invitations, key rotations. Read-side gated; admin or owner role required to verify or export.

    /api/audit · /api/audit/verify · /api/audit/export/pdf
  • LIVE
    PII scrubber

    Generic patterns (email, phone — incl. EU/intl formats, IBAN — incl. spaced 4-char-group form, credit-card, SSN) auto-scrubbed before storage and again before any output. Customers add domain-specific patterns; the default scrubber cannot be disabled.

    piiScrubber.scrubPayload() · runs on ingest + on output
  • LIVE
    Per-org isolation

    Every database query carries organizationId as a hard filter — Cardinal Rule #1, enforced in code review and middleware. No cross-org read path exists, including for super-admin endpoints.

    Cardinal Rule #1 · enforced at middleware + query layer
  • ROADMAP
    SOC 2 Type II · ISO 27001 · Pen-test

    None published today. Roadmap commitment without timeline — listed here because procurement always asks, and we'd rather you hear it before the call than during it.

    no certification yet · cryptography carries today
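
What offline replay verification of the Decision Hash Chain row involves, as an added example that is not Adjudon's code or its published algorithm. The record layout (index, payload, prevHash, hash), the all-zero genesis value and the canonical-JSON step are assumptions, and the sample traces are constructed.

```javascript
// Added example: offline replay of a SHA-256 hash chain export.
// Record layout, genesis value and canonical JSON are assumptions, not Adjudon's format.
const { createHash } = require("node:crypto");

const GENESIS = "0".repeat(64); // assumed anchor for the first record

// Canonical JSON: keys sorted recursively so equal payloads hash identically.
function canonical(value) {
  if (Array.isArray(value)) return "[" + value.map(canonical).join(",") + "]";
  if (value && typeof value === "object") {
    const body = Object.keys(value).sort()
      .map((k) => JSON.stringify(k) + ":" + canonical(value[k]));
    return "{" + body.join(",") + "}";
  }
  return JSON.stringify(value);
}

// Each link commits to the previous hash, its position and its payload.
function linkHash(prevHash, index, payload) {
  return createHash("sha256").update(prevHash + "\n" + index + "\n" + canonical(payload)).digest("hex");
}

// Builds a chain; used here only to construct sample data.
function buildChain(payloads) {
  let prev = GENESIS;
  return payloads.map((payload, index) => {
    const rec = { index, payload, prevHash: prev, hash: linkHash(prev, index, payload) };
    prev = rec.hash;
    return rec;
  });
}

// Replays the export and reports the first inconsistency, or the verified head.
function verifyChain(records) {
  let prev = GENESIS;
  for (let i = 0; i < records.length; i++) {
    const r = records[i];
    if (r.index !== i) return { ok: false, at: i, reason: "index gap or reorder" };
    if (r.prevHash !== prev) return { ok: false, at: i, reason: "broken link" };
    if (linkHash(prev, i, r.payload) !== r.hash) return { ok: false, at: i, reason: "payload or hash altered" };
    prev = r.hash;
  }
  return { ok: true, length: records.length, head: prev };
}

// Constructed sample traces (not real data).
const sample = buildChain([{ traceId: "t-1", decision: "allow" },
  { traceId: "t-2", decision: "escalate" }, { traceId: "t-3", decision: "block" }]);
console.log(verifyChain(sample));
```

Replay alone cannot see truncation of the newest records; compare the returned `head` with a head value recorded out of band.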

Frankfurt. One region. No exceptions.

Every customer trace, audit log entry, and configuration document lives in MongoDB Atlas Frankfurt (eu-central-1). The Confidence Engine's third pillar — embedding generation over inputContext and triggeringCondition — runs on a self-hosted TEI (Text Embeddings Inference) sidecar in the same Frankfurt Fly.io region. As of 2026-05-11, OpenAI L.L.C. has been removed from the sub-processor list and the contractual relationship terminated.

Single region · all customer data at rest: Frankfurt eu-central-1
  • MongoDB Atlas — Frankfurt eu-central-1 (primary)
  • Fly.io — Frankfurt (API server + TEI embedding sidecar)
  • Cloudflare — EU edge (dashboard + docs)
  • Stripe — Ireland (billing)
  • Resend — EU (transactional email)

Three of five. Full list in docs.

The three sub-processors a CISO opens first — primary database, runtime, and the billing rail. Two more (Cloudflare EU edge and Resend EU for transactional email) live in the data-residency map at docs.adjudon.com. The DORA Article 30 register copies straight from there.

  • MongoDB Atlas
    Frankfurt eu-central-1

    All trace data, audit logs, configurations — the primary database, encrypted at rest with AES-256.

  • Fly.io
    Frankfurt

    API server runtime + TEI embedding sidecar — Express.js handlers, the trace-ingestion pipeline, and the per-org policy + audit-log enforcement, plus the in-region embedding compute that replaced OpenAI on 2026-05-11.

  • Stripe Payments Europe Ltd.
    Dublin, Ireland (EU)

    Billing rail only — subscription management, invoices, and metered usage. Billing data only; no customer trace data ever leaves Frankfurt for Stripe.

Read the full 6-row list at docs.adjudon.com →

Service Level Agreement

Four numbers in the contract.

We publish the SLA in the master subscription agreement. The numbers below are the contractual floor — Adjudon currently operates well above each threshold, and the Status Page shows the live record.

Scale & Governance

99.9% uptime

Calculated monthly, excluding scheduled maintenance windows announced ≥48h in advance. Service credits per the master subscription agreement when the threshold is breached — customer claims raised via support, settled in writing.

Enterprise & Custom

99.99% uptime

Roadmap target — not yet contractually committed. Activated when the customer's traffic is replicated across two Frankfurt availability zones (multi-AZ-redundant).

Trace ingestion

p95 < 25ms

Monthly p95 across the hot path: confidence scoring, policy evaluation, audit log write, webhook dispatch queue. Outside this envelope, the SDK's fail-open contract returns pass-through to the customer agent.

Support response

1h / 4h / 1bd

Sev-1 response 1h, Sev-2 response 4h, Sev-3 response 1 business day. Sev-1 = production outage; Sev-2 = degraded non-blocking; Sev-3 = question or feature request.

Most VSAs end here. The rest, by call.

Most security questionnaires can be answered with the matrix above and the data-residency map at docs.adjudon.com — encryption layers, sub-processors, certification status. What's left is the conversation: pen-test plans, custom SCC asks, the field your VSA doesn't have a checkbox for. The engineer who wrote the chain takes the call.
