Security

Your memory. Your infrastructure. Your control.

Sentinel handles the data that describes how your plant runs — machine events, maintenance history, the structured knowledge of your operation. That demands sovereign intelligence infrastructure, governed and auditable, not a black box you have to take on trust. This is how we hold it, where it lives, and who is allowed to change it.

The machine proposes. The human authorises. The system remembers. The institution improves.

Data sovereignty

The memory is yours, and it stays where you operate.

Operational memory is too valuable — and too sensitive — to treat as someone else’s asset in someone else’s jurisdiction. The defaults below are not upgrades. They are how the platform works.

UK and EU data residency

Your operational data is stored in the UK and the EU — not shipped across borders to wherever capacity is cheapest. Sentinel data sits in London (AWS eu-west-2), under UK GDPR jurisdiction, so the records that describe your plant stay in the jurisdiction you operate in.

You own your operational memory

The asset register, the fault history, the structured knowledge Sentinel builds — it is yours. It is exportable, it leaves with you if you leave, and it is never sold, syndicated, or pooled with other operators. We hold it on your behalf; we do not own it.

No training on your data without consent

We do not feed your operational data into model training. Inference calls that draft a brief or a finding are scoped, pseudonymised where possible, and governed by data processing agreements — and your records are never used to improve a shared model without your explicit, written consent.

Tenant isolation by default

Every organisation is a sealed tenant. Row-level security is enforced at the database, not bolted on in application code, so one client can never read another client’s data — even by accident, even under a bug.

Governance & human-in-the-loop

The machine drafts. A person authorises. The record remembers both.

Governed intelligence means a human is structurally in command of every change to a system of record. Nothing is written autonomously, and nothing happens that you cannot later account for.

No autonomous writes

Sentinel does not write to SAP, your CMMS, or any system of record on its own. The machine proposes a draft; nothing reaches a system of record until a competent human has authorised it. There is no silent action.

Every write is reviewed and attributable

AI outputs land in an approval queue, in review by default. A named person reviews each one, and every memory write carries who approved it and when. Accountability is recorded, not assumed.

Human-in-the-loop, by design

Authorisation is a structural step in the workflow, not an optional setting an administrator can switch off. Agent runs are scheduled and logged, and their outputs wait for review — the human is in the loop because the system has no path around them.

A full, immutable audit trail

Data imports, agent runs, draft generation, approval decisions, and integration syncs are written to a tenant-isolated audit log. You can reconstruct what happened, who decided it, and what changed — long after the event.
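The three controls above (an approval queue in which a named person authorises each write, attribution recorded on the write itself, and an audit log that cannot be rewritten) can be enforced in the database rather than left to application convention. The following is an added illustration, not Sentinel's own schema or code; it assumes PostgreSQL, and every table, column, role and function name in it (`agent_drafts`, `approval_decisions`, `audit_log`, `sentinel_app`, and so on) is a placeholder chosen for this example.

```sql
-- Added illustration (not Sentinel's own schema): a draft reaches a system of
-- record only through a recorded human decision, and the audit log is one the
-- database itself refuses to rewrite. Assumes PostgreSQL 11+; all names are
-- placeholders.

CREATE TABLE agent_drafts (
    id          bigserial PRIMARY KEY,
    tenant_id   uuid NOT NULL,
    agent_run   text NOT NULL,            -- which scheduled run produced it
    target      text NOT NULL,            -- e.g. 'cmms.work_order'
    body        jsonb NOT NULL,
    status      text NOT NULL DEFAULT 'pending_review'
                CHECK (status IN ('pending_review', 'approved', 'rejected')),
    created_at  timestamptz NOT NULL DEFAULT now()
);

-- The decision is its own row: who, when, and what. A draft cannot be marked
-- approved without one (enforced by the trigger below), so attribution is
-- part of the write, not a field someone remembers to fill in.
CREATE TABLE approval_decisions (
    draft_id    bigint PRIMARY KEY REFERENCES agent_drafts(id),
    decision    text NOT NULL CHECK (decision IN ('approved', 'rejected')),
    decided_by  text NOT NULL,            -- the named reviewer's identity
    decided_at  timestamptz NOT NULL DEFAULT now(),
    rationale   text
);

CREATE TABLE audit_log (
    id          bigserial PRIMARY KEY,
    tenant_id   uuid NOT NULL,
    actor       text NOT NULL,            -- person, agent run, or sync job
    action      text NOT NULL,
    subject     text NOT NULL,
    detail      jsonb,
    logged_at   timestamptz NOT NULL DEFAULT now()
);

-- Immutability, enforced twice: the application role is granted no
-- UPDATE/DELETE, and a trigger rejects them even for roles that have it.
CREATE ROLE sentinel_app LOGIN;
GRANT SELECT, INSERT ON audit_log TO sentinel_app;
GRANT USAGE, SELECT ON SEQUENCE audit_log_id_seq TO sentinel_app;

CREATE FUNCTION audit_log_is_append_only() RETURNS trigger
LANGUAGE plpgsql AS $$
BEGIN
    RAISE EXCEPTION 'audit_log is append-only (% attempted)', TG_OP;
END $$;

CREATE TRIGGER audit_log_no_rewrite
    BEFORE UPDATE OR DELETE ON audit_log
    FOR EACH ROW EXECUTE FUNCTION audit_log_is_append_only();

-- A draft's status can change only by way of a matching decision row, and
-- every such change is written to the audit log with the decider's identity.
CREATE FUNCTION require_recorded_decision() RETURNS trigger
LANGUAGE plpgsql AS $$
DECLARE
    d approval_decisions%ROWTYPE;
BEGIN
    IF NEW.status <> OLD.status THEN
        SELECT * INTO d FROM approval_decisions WHERE draft_id = NEW.id;
        IF NOT FOUND OR d.decision <> NEW.status THEN
            RAISE EXCEPTION 'draft % cannot become % without a matching approval_decisions row',
                NEW.id, NEW.status;
        END IF;
        INSERT INTO audit_log (tenant_id, actor, action, subject, detail)
        VALUES (NEW.tenant_id, d.decided_by, 'draft.' || NEW.status,
                'agent_drafts/' || NEW.id,
                jsonb_build_object('target', NEW.target, 'decided_at', d.decided_at));
    END IF;
    RETURN NEW;
END $$;

CREATE TRIGGER draft_status_needs_decision
    BEFORE UPDATE OF status ON agent_drafts
    FOR EACH ROW EXECUTE FUNCTION require_recorded_decision();

-- The integration sync reads from this view and nothing else, so a draft
-- that is merely pending has no route to SAP or the CMMS.
CREATE VIEW approved_writes AS
SELECT d.id, d.tenant_id, d.target, d.body, a.decided_by, a.decided_at
FROM agent_drafts d
JOIN approval_decisions a ON a.draft_id = d.id
WHERE d.status = 'approved' AND a.decision = 'approved';
```

The design point is that there is no code path from "agent produced a draft" to "row appears in `approved_writes`" that does not pass through an `approval_decisions` row naming a person, and no statement the application role can issue that alters an `audit_log` entry once written. An attempt to `UPDATE agent_drafts SET status = 'approved'` without a decision row raises the exception from `require_recorded_decision`, and an `UPDATE` or `DELETE` on `audit_log` raises from `audit_log_is_append_only` regardless of who issues it.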

Practices

Practical controls, stated honestly.

What follows is what we actually do — not a wishlist and not a badge wall. Where we align to a standard, we say aligned. We do not claim certifications we cannot evidence.

Encryption in transit and at rest

TLS 1.2 or higher on every connection, with HTTPS enforced across all Virtus Nemeton domains. Data at rest is encrypted with AES-256 on managed storage. Integration secrets and API keys are stored encrypted and referenced by pointer, never in plaintext.

Least-privilege access

Access follows role inside each organisation, and service credentials are scoped to the minimum permissions a task requires. Sessions use signed cookies with configurable expiry. People and systems get what they need to do the job, and no more.

Row-level security on tenant data

Tenant isolation is enforced by row-level security at the database layer, so the boundary holds even if application code has a flaw. Database access uses parameterised queries through a typed client, and input is validated at every API boundary.
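As an added illustration of what "row-level security at the database layer" (described here and under "Tenant isolation by default" above) looks like in practice: this is not Sentinel's own schema or code. It assumes PostgreSQL, and the table, column, role and setting names (`machine_events`, `tenant_id`, `sentinel_app`, `app.tenant_id`) are placeholders chosen for the example.

```sql
-- Added illustration (not Sentinel's own schema): tenant isolation enforced by
-- PostgreSQL row-level security, so the boundary holds even if application
-- code forgets a WHERE clause. Assumes PostgreSQL; all names are placeholders.

CREATE TABLE machine_events (
    id          bigserial PRIMARY KEY,
    tenant_id   uuid        NOT NULL,
    asset_tag   text        NOT NULL,
    event_type  text        NOT NULL,
    occurred_at timestamptz NOT NULL DEFAULT now(),
    payload     jsonb
);

-- Turn RLS on, and FORCE it so even the table owner is subject to the policy.
ALTER TABLE machine_events ENABLE ROW LEVEL SECURITY;
ALTER TABLE machine_events FORCE ROW LEVEL SECURITY;

-- The application connects as an ordinary role; superusers bypass RLS, so the
-- app must never run as one.
CREATE ROLE sentinel_app LOGIN;
GRANT SELECT, INSERT, UPDATE, DELETE ON machine_events TO sentinel_app;
GRANT USAGE, SELECT ON SEQUENCE machine_events_id_seq TO sentinel_app;

-- One policy covers reads (USING) and writes (WITH CHECK). The second argument
-- to current_setting() makes a missing setting return NULL instead of raising;
-- NULL = anything is not true, so a request that never bound a tenant sees
-- nothing and can write nothing: the boundary fails closed.
CREATE POLICY tenant_isolation ON machine_events
    FOR ALL
    TO sentinel_app
    USING      (tenant_id = current_setting('app.tenant_id', true)::uuid)
    WITH CHECK (tenant_id = current_setting('app.tenant_id', true)::uuid);

-- Per request, the application binds the authenticated tenant for the current
-- transaction only. SET LOCAL is discarded at COMMIT or ROLLBACK, so a pooled
-- connection cannot carry one tenant's id into the next request.
BEGIN;
SET LOCAL app.tenant_id = '11111111-1111-1111-1111-111111111111';

-- Returns only this tenant's rows, whatever the query text says.
SELECT id, asset_tag, event_type
FROM machine_events
ORDER BY occurred_at DESC
LIMIT 50;

-- A row carrying another tenant's id is rejected by WITH CHECK with
-- "new row violates row-level security policy", and the transaction aborts.
INSERT INTO machine_events (tenant_id, asset_tag, event_type)
VALUES ('22222222-2222-2222-2222-222222222222', 'PUMP-07', 'vibration_alarm');
ROLLBACK;
```

The same `current_setting` value should be the only source of tenant identity the policy consults; if the application instead passed the tenant id as an ordinary query parameter, a bug in one handler could omit it, which is exactly the failure this pattern removes. Parameterised queries through the typed client still matter here: RLS bounds which rows a statement can touch, it does not make an injected statement safe.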

Hardened delivery and headers

Security headers are applied across the platform, code is reviewed before it reaches production, and dependencies are audited for known vulnerabilities. Secrets never enter version control — they live in a managed vault. We align our practices to UK GDPR and recognised security standards rather than claim certifications we have not earned.

In the event of a security incident affecting personal data, we notify affected customers and the Information Commissioner’s Office (ICO registration ZC161313) within 72 hours where required under UK GDPR. Our incident response procedure and security documentation are available to customers on request.

Review our security posture.

If you run a security, risk, or procurement review, talk to us directly. We will walk you through data residency, the human-in-the-loop controls, and our practices — and share the documentation your process needs.