Built for the buyers who ask the hardest questions.
Pharma security teams have approved Sciento on the first review three times. Here is everything they looked at.
SOC 2 Type I
Issued 2026-03. Type II in progress.
ISO 27001
Audit scheduled Q3 2026.
HIPAA
BAA available on Enterprise.
GDPR / EU SCC
DPA + SCCs available on request.
EU AI Act
Conformity package available.
ISO 42001
AI management. Audit Q4 2026.
Isolation at every layer.
Tenant isolation
Per-tenant Postgres schemas with row-level security. Per-tenant KMS keys. BYOK on Enterprise.
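How the row-level part of that isolation can be expressed in Postgres, as an added example rather than Sciento's own schema; the `documents` table, the `app_user` role and the `app.tenant_id` setting are assumptions:

```sql
-- Added example (not Sciento's schema): per-tenant row-level security in Postgres.
-- Assumes a table "documents" keyed by tenant_id and an application role "app_user"
-- that the service connects as; the tenant is pinned per transaction via a GUC.

CREATE TABLE documents (
    id         bigserial PRIMARY KEY,
    tenant_id  uuid NOT NULL,
    body       text NOT NULL
);

-- Enable RLS, and FORCE it so even the table owner is subject to the policy.
ALTER TABLE documents ENABLE ROW LEVEL SECURITY;
ALTER TABLE documents FORCE ROW LEVEL SECURITY;

-- A row is visible and writable only when its tenant_id equals the tenant pinned
-- in the session. NULLIF guards the case where the GUC is unset or reset to '',
-- so an unpinned session compares against NULL and sees zero rows instead of
-- erroring or, worse, seeing everything.
CREATE POLICY tenant_isolation ON documents
    FOR ALL
    TO app_user
    USING      (tenant_id = NULLIF(current_setting('app.tenant_id', true), '')::uuid)
    WITH CHECK (tenant_id = NULLIF(current_setting('app.tenant_id', true), '')::uuid);

GRANT SELECT, INSERT, UPDATE, DELETE ON documents TO app_user;

-- Application side: pin the tenant for one transaction only. SET LOCAL ends with
-- the transaction, so a pooled connection cannot carry the previous request's
-- tenant into the next one. The UUIDs below are constructed values.
BEGIN;
SET LOCAL app.tenant_id = '11111111-1111-1111-1111-111111111111';
SELECT id, body FROM documents;          -- only this tenant's rows are returned
COMMIT;

-- A write tagged with another tenant's id fails the WITH CHECK clause and the
-- transaction is aborted, so a buggy or prompt-injected agent cannot write
-- across tenants even if it constructs the row itself.
BEGIN;
SET LOCAL app.tenant_id = '11111111-1111-1111-1111-111111111111';
INSERT INTO documents (tenant_id, body)
    VALUES ('22222222-2222-2222-2222-222222222222', 'cross-tenant write');  -- rejected
ROLLBACK;
```

The check a reviewer should run is `SELECT relrowsecurity, relforcerowsecurity FROM pg_class WHERE relname = 'documents';` (both must be true) and a query as `app_user` with no `app.tenant_id` set, which must return no rows.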
Permission-aware retrieval
Every retrieved chunk is re-authorised at query time. No agent can read what its user cannot.
Prompt-injection defense
Input sanitisation, tool allowlists, output validators, untrusted-content tagging.
Immutable audit log
Every action append-only, exportable to your SIEM in real time.
Encryption
TLS 1.3 in transit. AES-256 at rest. Field-level encryption for PII / PHI.
Secret management
HashiCorp Vault. No secrets in env files. Quarterly rotation.
Deployment options
Multi-tenant SaaS · VPC · BYOC · on-prem · air-gapped.
Data residency
us-east-1, us-west-2, eu-west-1 today. UK, JP, AU on request.
Model training
Your data is never used to train shared models. Period. Fine-tunes stay yours.
The agent can't do what it isn't allowed to.
Two-person rule
For configurable categories of action (irreversible writes, financial commits, regulated submissions).
Budget caps
Per workflow, per user, per workspace. Hard stop, not a notification.
Verifier independence
The verifier model is a different family from the executor. Catches the failure modes the executor is structurally bad at.
Abstention
When confidence drops below threshold, Sciento says so — and queues for a human.
Responsible disclosure
We run a bug bounty via HackerOne. Critical findings paid up to $25,000. Encrypt sensitive reports with our PGP key (fingerprint F2C0 0F22 1A1A 9988 D7E3 0B0B).
Email: security@sciento.ai. We acknowledge within 24h.