Factual posture for compliance officers and procurement. What is implemented, what is in progress, and what depends on your deployment tier.
Data inspected for redaction stays on the appliance. Sanitised prompts go to your chosen LLM provider — local models on the box, Trinito-managed cloud, or public APIs under your own keys. Audit logs stay on the appliance and are exportable on demand; they do not leave unless you choose to export them.
All secrets stored on the appliance are encrypted at rest using libsodium secret-box with a per-appliance master key (held in /etc/trinito/master.key, mode 0400, root-only). All inter-component traffic uses TLS 1.3. The Trinito Gateway — if you use our managed cloud route — uses mTLS plus per-appliance JWTs.
Every prompt, every redaction, and every send is recorded in an append-only, hash-chained audit log on the appliance. Each entry includes a cryptographic link to the previous row; altering history breaks the chain and is detectable on export. The database enforces append-only behaviour via a trigger, so even root cannot silently rewrite past entries without breaking the chain. Compliance teams can export the last 90 days as a signed CSV.
We are committed to annual penetration testing by a CREST-accredited firm once we have an active customer base. We have not yet completed our first third-party engagement; the first test is planned after the first production deployment. Summary reports will be available under NDA to enterprise prospects on request.
Report security issues to security@trinito.com. Full disclosure policy, response targets, and our PGP public key are published at /security/disclosure. We aim to acknowledge reports within one working day.
The list below is complete for Trinito-operated services. If you use bring-your-own keys, the appliance talks directly to your chosen provider under your contract — we are not in that data path.
| Processor | Purpose | When it applies |
|---|---|---|
| Hetzner Cloud (EU) | Trinito Gateway control plane and managed-cloud routing infrastructure | When using Trinito-managed cloud |
| Ollama Cloud | Managed LLM hosting (resold) | When routing via Trinito-managed cloud |
| OpenAI | ChatGPT models | Managed cloud route only; otherwise direct from appliance under your keys |
| Anthropic | Claude models | Managed cloud route only; otherwise direct from appliance under your keys |
| Gemini models | Managed cloud route only; otherwise direct from appliance under your keys |
We maintain an incident response process for security and availability events affecting customer appliances or Trinito-operated infrastructure. Critical incidents (customer-visible degradation or suspected data exposure): acknowledgement within one hour during UK business hours, or within four hours outside them for Sovereign support customers. High severity (single appliance or service affected, no confirmed exposure): four-hour acknowledgement. Medium and low: next UK working day. We provide weekly written updates until resolution for confirmed security incidents.
We will answer your questionnaire with sourced, dated responses — or walk through the Sovereign air-gap deployment on a call.