Compliance is the architecture, not the afterthought. DEINO ships audit-grade defaults from day one — customer-owned LLM keys, signed audit manifests, sovereign deployment. Inspect the live posture before you ever book a call.
All traffic encrypted with TLS 1.3. HSTS enforced at the edge.
Live security posture · switch domain to inspect controls across Data, Identity, Deployment & Compliance.
Four deployment models, one platform. We don’t force our infrastructure on your regulator — choose the topology your compliance team can defend.
AWS multi-region — us-east-1, eu-west-1, sa-east-1. Fastest to value, audit-grade defaults from day one. The default for most customers.
GCP EU (europe-west1) or OCI LATAM (São Paulo). Your data residency, your cloud — we don’t force our infrastructure on your regulator.
Self-hosted on your own cluster. We ship the manifests; your infra runs them. The audit ledger never leaves your environment.
Fully offline install with local vLLM — no outbound calls, ever. In production hardening with defense-adjacent partners.
Six load-bearing controls — each one a decision the platform refuses to relax. Not a dashboard bolted onto a chatbot.
BYO Anthropic, OpenAI, Mistral, or local LLM keys. We never see them. Encrypted at rest with customer-managed KMS. Switch providers in 48h via the abstraction.
Every manifest cryptographically signed with your key. Tamper-evident. Verifiable years later. The audit trail belongs to you, not us.
TLS 1.3 in transit. AES-256 at rest. Field-level encryption for PII. Customer-managed keys on Enterprise. HSM-backed for Custom Axes.
Cryptographic signing per write. Optional on-prem ledger so audit history never leaves your environment.
SSO required (SAML / OIDC / Okta / Azure AD). SCIM provisioning. Role-based access control with an explicit matrix — no inheritance.
Backtest Forensics reconstructs any past decision, bit-for-bit. The auditor reproduces your rationale on their own infrastructure. No “trust us.”
No aspirational logos. The real status of every framework we map to — live today, in progress, or on the dated roadmap.
| Framework | Status | Detail |
|---|---|---|
| EU AI Act · Annex III | ✓ | High-risk controls implemented; manifest mapped to Annex III |
| BCRA AI principles | ✓ | LATAM Tier-2 bank deployments; sovereign LATAM cloud |
| GDPR · Article 28 | ✓ | Processor terms in standard DPA; 30-day sub-processor notice |
| SOC 2 Type I | ◐ | Targeted Q1 2027 · kickoff complete · CAIQ Lite on request |
| SOC 2 Type II | · | Targeted Q3 2027, following Type I attestation |
| ISO 27001 | · | 2027 roadmap, aligned to the SOC 2 control set |
Our complete sub-processor roster. Customers receive 30-day notice before any addition or change.
| Sub-processor | Purpose | Data categories | Location |
|---|---|---|---|
| Amazon Web Services | Primary cloud infrastructure | All | us-east-1 / eu-west-1 / sa-east-1 |
| Oracle Cloud Infrastructure | Sovereign LATAM deployment | All (LATAM customers) | São Paulo |
| Google Cloud Platform | EU sovereign deployment | All (EU customers) | europe-west1 |
| Cloudflare | Edge CDN, DDoS protection | Public traffic only | Global edge |
| Anthropic / OpenAI / Mistral | LLM providers (BYO keys) | Customer-controlled | Customer choice |
| Pipedrive / Salesforce | CRM | Sales contact data | EU / US |
| Customer.io | Lifecycle email | Email + product event data | US |
| Plausible Analytics | Privacy-friendly web analytics | Anonymized site traffic | EU (Germany) |
| Linear | Product issue tracking | Internal (no customer data) | US |
One email returns the complete documentation set. No NDA required for the first package; your security team reviews on their own timeline.
Found a vulnerability in DEINO? Responsible disclosure protects our customers — and we acknowledge contributors publicly.
security@deino.ai — encrypted via PGP key on request.
We acknowledge within 24 hours. Triage within 72 hours.
We commit not to pursue legal action against good-faith researchers following coordinated disclosure.
Cash rewards for high-severity issues. Public hall-of-fame for all valid reports.
The first audit where we handed over a reproducible decision changed the relationship — from defendant to evidence-provider. Six weeks became six hours.
Compliance Officer · LATAM Tier-2 Bank · name confidential
CAIQ Lite, architecture overview, DPA, sub-processor list, incident response, and continuity plan — the full packet, on request. Reviewed on their timeline, not ours.