Sovereign by design.
Nothing leaves the boundary.

When your evidence is sensitive, the first question isn't “is it accurate” — it's “where does it go”. In CyberSentien, the answer is: nowhere. This page states exactly what that means, and exactly where the edges are.

Talk sovereignty with us →

The four commitments

🇦🇺 Australian-owned hosting

Paying clients run on Australian-sovereign infrastructure with Australian-owned hosting providers — the AI GPU included. Sovereign-tier clients get a dedicated, in-boundary deployment: bank-hosted or on-prem, where evidence never leaves their control.

🧠 Local AI — no third-party AI API

The AI that assists assessment runs locally, inside the boundary. There is no OpenAI, no Anthropic, no cloud AI API in the loop — not for your evidence, and not even for the record that AI was used. If the local model is unavailable, AI answers fail closed rather than fall back to a cloud.

🗑 No data retention

Demo and report runs keep nothing: the report is yours, we don't store it — only its SHA-256 integrity hash is anchored so it can be verified later. The one thing we do retain is what you send us through the contact form, stored on Australian infrastructure and used only to reply to you.

🔐 Tamper-evident lineage

Every report carries a validation run id and a SHA-256 integrity anchor chained into an append-only ledger. Change one character after issue and the chain breaks — so an auditor can prove a report is exactly what was issued.

The honest edge

Sovereignty claims deserve precision, so here is ours, stated plainly.

This website is static

The page you're reading was generated from the engine's catalogue data at build time and is served as plain files. The engine itself never runs in the public serving path — there is nothing here to breach.

The CDN boundary

If a global CDN fronts this marketing site, it fronts the static marketing edge ONLY: no customer evidence, no engine traffic and no assessment data ever transits it. Lead-form submissions can be routed to an Australian-terminated endpoint that bypasses the CDN entirely. We'd rather state the boundary than pretend it isn't there.

No trackers, no external assets

No analytics scripts, no external fonts, no CDN JavaScript. Every byte this site serves is self-hosted — you can verify that in your browser's network panel right now.

Certifications — stated as roadmap, never claimed

ROADMAP · IRAP assessment of our own hosting

We build to ISM-aligned practice and assess ourselves with our own engine, but our hosting has not undergone an IRAP assessment. It's on the roadmap; until it's done, you won't see the claim here.

ROADMAP · ISO/IEC 27001 certification

Our ISMS practices track ISO/IEC 27001, and certification of CyberSentien itself is a roadmap item — not a current claim. We hold the same line we hold for your controls: no evidence, no green.

ROADMAP · SOC 2 attestation

A SOC 2 Type II attestation for the hosted service is planned. Until an independent auditor signs it, it stays on this roadmap list.

Why say this at all? Because a compliance vendor that overstates its own compliance can't be trusted to grade yours. No false green — including about ourselves.

Put the sovereignty story in front of procurement

Run the gated demo, verify the sealed report, inspect the network panel. Then let's talk about your boundary.

Open the gated demo →Contact us →