When your evidence is sensitive, the first question isn't “is it accurate” — it's “where does it go”. In CyberSentien, the answer is: nowhere. This page states exactly what that means, and exactly where the edges are.
Talk sovereignty with us →Paying clients run on Australian-sovereign infrastructure with Australian-owned hosting providers — the AI GPU included. Sovereign-tier clients get a dedicated, in-boundary deployment: bank-hosted or on-prem, where evidence never leaves their control.
The AI that assists assessment runs locally, inside the boundary. There is no OpenAI, no Anthropic, no cloud AI API in the loop — not for your evidence, and not even for the record that AI was used. If the local model is unavailable, AI answers fail closed rather than fall back to a cloud.
Demo and report runs keep nothing: the report is yours, we don't store it — only its SHA-256 integrity hash is anchored so it can be verified later. The one thing we do retain is what you send us through the contact form, stored on Australian infrastructure and used only to reply to you.
Every report carries a validation run id and a SHA-256 integrity anchor chained into an append-only ledger. Change one character after issue and the chain breaks — so an auditor can prove a report is exactly what was issued.
The page you're reading was generated from the engine's catalogue data at build time and is served as plain files. The engine itself never runs in the public serving path — there is nothing here to breach.
If a global CDN fronts this marketing site, it fronts the static marketing edge ONLY: no customer evidence, no engine traffic and no assessment data ever transits it. Lead-form submissions can be routed to an Australian-terminated endpoint that bypasses the CDN entirely. We'd rather state the boundary than pretend it isn't there.
No analytics scripts, no external fonts, no CDN JavaScript. Every byte this site serves is self-hosted — you can verify that in your browser's network panel right now.
We build to ISM-aligned practice and assess ourselves with our own engine, but our hosting has not undergone an IRAP assessment. It's on the roadmap; until it's done, you won't see the claim here.
Our ISMS practices track ISO/IEC 27001, and certification of CyberSentien itself is a roadmap item — not a current claim. We hold the same line we hold for your controls: no evidence, no green.
A SOC 2 Type II attestation for the hosted service is planned. Until an independent auditor signs it, it stays on this roadmap list.
Why say this at all? Because a compliance vendor that overstates its own compliance can't be trusted to grade yours. No false green — including about ourselves.
Run the gated demo, verify the sealed report, inspect the network panel. Then let's talk about your boundary.