StreetMP OS governance commitments are enforced at the infrastructure level — not by policy configuration. This page documents how we protect your organization's AI operations.
How we protect your data at every layer of the stack.
StreetMP OS never stores the content of AI prompts. The governance engine intercepts, scans, and sanitizes data in memory. Only cryptographic audit receipts (SHA-256 hash + verdict + entity metadata) are persisted to the audit ledger — never the raw text. This is an architectural guarantee, not a configurable policy.
All data at rest is encrypted using AES-256-GCM with per-tenant encryption keys managed via a dedicated key service. Data in transit uses TLS 1.3 exclusively. The NeMo CLAW scanning engine operates on ephemeral memory — no disk writes during the scan pipeline. Encryption keys are rotated on a 90-day schedule.
StreetMP OS supports regional data residency for India (ap-south-1 Mumbai), Singapore (ap-southeast-1), and Malaysia (ap-southeast-3). No personally identifiable data crosses regional boundaries. APAC enterprise customers can enforce strict data localization — all governance processing occurs within the customer's selected region.
The Sovereign Shield browser extension operates as a transparent proxy — it intercepts AI submissions before they reach the provider, applies governance rules, and forwards the sanitized version. The extension does not log browsing history, page content, or any data outside the AI submission flow. Extension source is available for security review under NDA.
Every API call, dashboard request, and governance action is tenant-isolated at the database level using Row Level Security. There is no shared query path between tenants. Role-Based Access Control enforces OWNER / ADMIN / ANALYST / AUDITOR / MEMBER permissions with cryptographically signed session tokens. MFA is enforced for all admin roles.
Every governance event — scan verdict, policy change, kill switch toggle, compliance export — is written to an append-only audit ledger with HMAC-SHA256 chaining. The chain ensures retroactive tampering is detectable. Audit logs can be exported in JSON or CSV format, signed with a timestamp authority certificate, for use in external audits.
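An added example, not StreetMP OS code: a minimal HMAC-SHA256 chained ledger of the kind described above, where each receipt holds only a SHA-256 digest, a verdict and tenant metadata. The field names, the all-zero genesis value and the in-process key are assumptions for illustration.

```python
import hashlib
import hmac
import json

GENESIS = "0" * 64  # assumed anchor value for the first entry's "prev" field

def make_receipt(prompt, verdict, tenant):
    """Build a receipt that keeps a SHA-256 digest of the prompt, not its text."""
    return {"sha256": hashlib.sha256(prompt.encode()).hexdigest(),
            "verdict": verdict, "tenant": tenant}

def _mac(key, prev_mac, receipt):
    # Canonical JSON so the same receipt always serializes to the same bytes.
    body = json.dumps(receipt, sort_keys=True, separators=(",", ":"))
    msg = (prev_mac + "|" + body).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()

def append(ledger, key, receipt):
    """Append a receipt, binding it to the MAC of the previous entry."""
    prev = ledger[-1]["mac"] if ledger else GENESIS
    ledger.append({"receipt": receipt, "prev": prev,
                   "mac": _mac(key, prev, receipt)})

def verify(ledger, key, expected_head=None):
    """Return -1 if the chain is intact, else the index of the first bad entry.

    expected_head is the last MAC as recorded outside the ledger; when it is
    given and does not match, len(ledger) is returned (tail was cut or replaced).
    """
    prev = GENESIS
    for i, entry in enumerate(ledger):
        good = _mac(key, prev, entry["receipt"])
        if entry["prev"] != prev or not hmac.compare_digest(entry["mac"], good):
            return i
        prev = entry["mac"]
    if expected_head is not None and not hmac.compare_digest(prev, expected_head):
        return len(ledger)
    return -1
```

Chaining alone exposes edits, reordering and deletions inside the ledger; removal of the most recent entries is only detectable when the head MAC is also recorded somewhere the ledger writer cannot alter.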
Regulatory alignment across global and APAC markets.
Security, Availability, Confidentiality controls documented and evidence-exportable.
Information Security Management System alignment with controls mapping available.
Lawful basis documentation, data subject rights, DPA templates available on request.
India Digital Personal Data Protection Act — zero cross-border transfer by default.
Monetary Authority of Singapore Technology Risk Management alignment complete.
Full PDPA (Malaysia) and PDPA (Singapore) alignment with data localization options.
Healthcare data safeguard controls — BAA available for healthcare enterprise customers.
No certifications are claimed until formally issued. Status reflects current control completion and audit readiness.
Choose the deployment architecture that matches your security requirements.
Fully managed. Zero infrastructure. SOC2-compliant shared environment with strict tenant isolation.
Dedicated compute in your cloud account (AWS / GCP / Azure). All governance data stays in your VPC.
Full self-hosted deployment on your infrastructure. Air-gapped environments supported. Suitable for regulated industries.
Scanning engine on-premise, audit ledger and dashboard cloud-hosted. Common in BFSI and healthcare deployments.
Answers to common questions from enterprise security teams.
Request a technical security briefing, architecture walkthrough, or compliance evidence package.