Trust Center
Built to pass your security review.
Everything your security and procurement teams need to evaluate Calliope AI — in one place. The short version: Calliope AI runs inside your own cloud, so your data never enters ours. You're not inheriting our security posture — you're keeping your own.
The model
Your perimeter is your compliance boundary.
Most AI vendors ask you to send your data to their cloud, then ask you to trust their controls. That's the question your security team can never get comfortable with — and the reason most AI tools die in review.
Calliope AI inverts it. The whole platform deploys inside your own cloud account, network and region. Your code, prompts and data never leave the SOC 2 / HIPAA boundary you already operate. So the answer to "where does our data go?" is "nowhere it doesn't already go."
- No data egress — nothing is sent to Calliope AI to run. Compute and storage stay in your account.
- Single-tenant — your deployment is yours alone. No shared infrastructure, no other tenant to be separated from.
- Your keys, your models — bring your own model provider keys, or run fully local. We never see them.
- Your controls apply — your IAM, your VPC, your logging, your existing audits. You don't adopt ours; you extend yours.
Compliance status
Where each framework stands — honestly.
Because Calliope AI runs inside your boundary, your existing certifications cover the data. Separately, we map our own controls to the frameworks your auditors care about, and are pursuing formal attestations. No overstatement — here's exactly where each one is:
| Framework | Status | What it means for you |
|---|---|---|
| SOC 2 Type II | In progress | Attestation covering security, availability & confidentiality; audit underway. Controls operating today; report on completion. |
| HIPAA | In progress · BAA on request | Deploys inside your HIPAA boundary, so PHI never leaves it — a HIPAA-obligated team can run it without Calliope holding the cert. BAA available. |
| GDPR | Aligned | DPA available; in-region / EU deployment options for data-residency requirements. |
| EU AI Act & NIST AI RMF | Mapped | Governance controls (Zentinelle) map to the AI-specific obligations — logging, attribution, policy enforcement, evidence. |
| ISO 27001 | Roadmap | Planned; controls already align to the Annex A domains. |
| PCI DSS | Roadmap | Not currently certified; deployable inside your PCI-scoped environment under your controls. |
| FedRAMP | Evaluating | On-prem / air-gapped / GovCloud deployment available today for public-sector isolation requirements. |
Data protection
How your data is protected.
Encrypted, in your account
Encrypted in transit and at rest, in storage you own. Your data is yours to delete on your schedule.
Data protection →Defense in depth
Isolated workspaces, scoped access, network controls — one compromised layer never escalates to your data.
Architecture →Every action logged
Zentinelle attributes and logs every prompt, tool call and data access — your audit trail, exportable to your SIEM.
Audit & evidence →Policy enforced in real time
24 policy controls — models, tools, budgets, PII — enforced before an action runs, not flagged after.
Policies →Your infrastructure
BYOC, VPC peering, on-premise or air-gapped. Your IAM, your region, your network boundary.
Deployment →Secrets stay yours
Bring your own model keys; they live in your environment. Calliope AI never holds your credentials.
Secrets →Document packet
The documents your reviewers will ask for.
Public documents are linked below. For a security questionnaire, SOC 2 progress letter, BAA, architecture diagrams or pen-test summary, request the full packet and we'll turn it around fast.
Data Processing Agreement
How data is handled and processed.
Subprocessors
The third parties in the chain.
Privacy Policy
What we collect and why.
Security Architecture
Defense-in-depth and isolation.
Compliance Status
Framework-by-framework, honest.
Acceptable Use Policy
The rules of the road.
Terms of Service
The commercial terms.
EULA
End-user license terms.
Open-Source Notices
Open-core: the Astrolift & Zentinelle core is MIT.
Bring us into your security review.
Send us your questionnaire, or book a call with someone who can answer it. We've been the skeptical security team — we know what you need to greenlight this.

