Security-First Architecture

Enterprise-grade security & trust

Every claim on this page is mechanism-based, not marketing. We explain exactly how each security control works so you can verify it with your security team.

S2T offers consulting-led engagements and ATP-accelerated engagements. When ATP is used, the controls below apply. In all cases, humans remain in control, and your environment remains sovereign.

A

Least privilege by design

ATP requires the minimum access necessary to perform assessment functions. No admin access, no elevated privileges, no exceptions.

No Admin Access Required

Enforced

ATP connectors are designed to operate with read-only, standard user permissions. We explicitly do not request or accept admin credentials.

  • Database connectors use SELECT-only permissions
  • API connectors use read-only OAuth scopes
  • File system access is read-only, scoped to specific directories
  • No service accounts with elevated privileges

How it works

During connector setup, ATP validates that provided credentials have minimum required permissions. If admin-level access is detected, setup is blocked with an explicit warning.

System-Specific Permission Minimization

Enforced

Each system type has a documented minimum permission set. We publish these requirements so your security team can pre-approve access levels.

  • SQL databases: SELECT on specified schemas only
  • REST APIs: GET requests only, no POST/PUT/DELETE
  • Cloud platforms: Read-only IAM roles
  • File systems: Read access to specified paths only

How it works

ATP provides a pre-assessment permission worksheet listing exact permissions needed for each system. Your team configures access; ATP validates it meets minimum requirements without exceeding them.

B

Data residency & sovereignty

Your data never leaves your environment. ATP processes everything locally - we receive only non-sensitive telemetry for operational purposes.

Customer-Controlled Storage

Guaranteed

All business data - system configurations, stakeholder interviews, assessment findings, credentials - is stored exclusively in your environment. S2T systems never receive or store this information.

  • Assessment results stored in your local file system or database
  • Credentials stored in your local vault (never transmitted)
  • Interview recordings and transcripts stored locally
  • Generated documents saved to your specified location

How it works

ATP runtime operates entirely within your network perimeter. Outbound connections are limited to: (1) Your LLM provider for inference, (2) S2T control plane for licensing and methodology updates only. Business data transmission is architecturally impossible - the runtime has no code paths that send customer data externally.

Non-Sensitive Telemetry Only

Transparent

The only data transmitted to S2T is operational telemetry: feature usage counts, error rates, and performance metrics. Never business data.

  • Feature usage: "voice interview conducted" (not content)
  • Performance: "query completed in 2.3s" (not query content)
  • Errors: exception types (not data that caused them)

What We Never Receive

Guaranteed

To be explicit about boundaries: S2T never receives or has access to any of the following data types.

  • Database records, schemas, or query results
  • Credentials, API keys, or access tokens
  • Interview recordings, transcripts, or summaries
  • Assessment findings or generated documents

C

Flexible deployment lifecycle

Keep ATP as long as it's useful. Many organizations retain it as an ongoing knowledge base and project accelerator - with full control to remove at any time.

Deploy for as Long as You Need

Your Choice

ATP is designed for ongoing use - not just one-time assessments. Keep it running to document new projects, onboard teams, or accelerate future transformations.

  • Single executable with no system dependencies
  • No registry entries, services, or persistent processes
  • Lightweight resource footprint for continuous operation
  • Reuse across multiple projects and assessments

Instant Stop Control

Always Available

Stop or pause ATP immediately at any point. A single command terminates all processes with optional data retention for future use.

  • Immediate process termination
  • Preserve data for future sessions (optional)
  • No orphaned processes or connections
  • Works even if network is disconnected

Complete Removal When Ready

Verifiable

When you're done - whether after one project or years of use - remove ATP completely with verification you can audit.

  • Single-command complete uninstall
  • Deletion manifest with cryptographic hashes
  • Verification script to confirm no remnants
  • Works with your existing data destruction policies

How it works

ATP is self-contained by design. All data lives in a single directory. The uninstall process: (1) Terminates all ATP processes, (2) Enumerates all ATP-created files, (3) Securely deletes each item with verification, (4) Generates a signed manifest listing every deleted item with before/after hashes, (5) Runs verification scan to confirm no ATP artifacts remain.
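The uninstall flow described above, as an added example that is not ATP's own code: each file is hashed before a zero-fill overwrite and again after it, then unlinked; the results go into an HMAC-signed manifest (MANIFEST_KEY is an assumed stand-in for a real signing key) and a final scan confirms the directory is gone. The sample directory and its files are constructed inside demo().

```python
import hashlib, hmac, json, os, tempfile
from pathlib import Path

# Constructed example (not ATP's uninstaller) of a hashed, signed deletion manifest.
# MANIFEST_KEY is an assumed HMAC key standing in for a real signing key.
MANIFEST_KEY = b"example-manifest-signing-key"

def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def wipe_and_delete(root: Path) -> dict:
    """Remove every file under root, recording before/after hashes, then sign the manifest."""
    items = []
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        before = sha256_file(path)
        size = path.stat().st_size
        with open(path, "r+b") as f:      # single zero-fill pass; best-effort on SSDs and
            f.write(b"\0" * size)         # journaled/snapshotting filesystems
            f.flush(); os.fsync(f.fileno())
        after = sha256_file(path)         # hash of the overwritten content, recorded pre-unlink
        path.unlink()
        items.append({"path": str(path.relative_to(root)), "size": size, "before": before, "after": after})
    for d in sorted((p for p in root.rglob("*") if p.is_dir()), reverse=True):
        d.rmdir()                         # deepest directories first
    root.rmdir()
    body = json.dumps({"root": str(root), "items": items}, sort_keys=True)
    sig = hmac.new(MANIFEST_KEY, body.encode(), hashlib.sha256).hexdigest()
    return {"body": body, "signature": sig}

def verify_removal(manifest: dict) -> bool:
    """Auditor-side check: manifest signature is valid and the ATP directory no longer exists."""
    expected = hmac.new(MANIFEST_KEY, manifest["body"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, manifest["signature"]):
        return False
    root = Path(json.loads(manifest["body"])["root"])
    return not root.exists()

def demo() -> tuple:
    # Constructed sample installation directory with two files.
    root = Path(tempfile.mkdtemp(prefix="atp-demo-"))
    (root / "findings").mkdir()
    (root / "findings" / "report.md").write_text("constructed sample finding\n")
    (root / "config.json").write_text('{"connector": "crm-db"}')
    manifest = wipe_and_delete(root)
    return verify_removal(manifest), len(json.loads(manifest["body"])["items"])
```

The overwrite pass is not a forensic guarantee on modern storage; what an auditor relies on is the signed manifest plus the post-removal scan, which is why both are produced.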

D

Auditability

Every action ATP takes is logged. Full visibility into what was accessed, when, and by whom - exportable for your compliance requirements.

Full Activity Logs

Complete

Comprehensive logging of all ATP operations with timestamps, user context, and data access details.

  • Every system query logged with timestamp and target
  • User actions tracked (who initiated what)
  • Data access patterns documented
  • LLM prompts and responses logged (stored locally)

How it works

ATP maintains an append-only audit log in your environment. Logs are tamper-evident: each entry includes the hash of the previous entry, so altering or removing an earlier entry breaks every hash that follows it. Export logs to your SIEM or compliance systems, or review them directly. The retention period is configurable to match your policies.

Log Category      What's Captured                                   Retention
System Access     Target system, query type, timestamp, user        Configurable (default: 90 days)
User Actions      Action type, parameters, outcome, timestamp       Configurable (default: 90 days)
LLM Interactions  Prompt hash, model used, token count, timestamp   Configurable (default: 90 days)
Data Usage        Data type accessed, purpose, scope                Configurable (default: 90 days)

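The hash-chained audit log described under "How it works" above, as an added example that is not ATP's code: each entry carries the hash of the previous entry, and the verifier reports where the chain first breaks. The sample records are constructed to match the log categories in the table.

```python
import hashlib
import json
from typing import Any, Dict, List, Tuple

# Constructed example (not ATP's code) of an append-only, hash-chained audit log.
GENESIS = "0" * 64  # previous-hash value used for the very first entry

# Constructed sample records in the shape of the log categories above.
SAMPLE_RECORDS = [
    {"category": "System Access", "target": "crm-db", "query_type": "SELECT", "user": "analyst1", "ts": 1700000000},
    {"category": "User Actions", "action": "start_assessment", "outcome": "ok", "user": "analyst1", "ts": 1700000005},
    {"category": "LLM Interactions", "prompt_hash": "example-prompt-hash", "model": "example-model", "tokens": 812, "ts": 1700000009},
]

def entry_hash(prev_hash: str, record: Dict[str, Any]) -> str:
    # Canonical JSON (sorted keys, no whitespace) so an identical record always hashes identically.
    payload = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + payload).encode()).hexdigest()

def append_entry(log: List[Dict[str, Any]], record: Dict[str, Any]) -> Dict[str, Any]:
    prev = log[-1]["hash"] if log else GENESIS
    entry = {"prev": prev, "record": record, "hash": entry_hash(prev, record)}
    log.append(entry)
    return entry

def verify_chain(log: List[Dict[str, Any]]) -> Tuple[bool, int]:
    """Walk the chain; return (True, -1) if intact, else (False, index of the first bad entry)."""
    prev = GENESIS
    for i, entry in enumerate(log):
        if entry["prev"] != prev or entry_hash(prev, entry["record"]) != entry["hash"]:
            return False, i
        prev = entry["hash"]
    return True, -1

def build_sample_log() -> List[Dict[str, Any]]:
    log: List[Dict[str, Any]] = []
    for rec in SAMPLE_RECORDS:
        append_entry(log, rec)
    return log

def tamper_demo() -> Tuple[Tuple[bool, int], Tuple[bool, int]]:
    """Both a naive edit and an edit with a recomputed hash are detected."""
    log = build_sample_log()
    log[1]["record"]["outcome"] = "denied"                          # alter a stored record in place
    naive = verify_chain(log)                                       # (False, 1): entry 1's hash no longer matches
    log[1]["hash"] = entry_hash(log[1]["prev"], log[1]["record"])   # attacker "repairs" entry 1's own hash
    chained = verify_chain(log)                                     # (False, 2): entry 2's prev pointer is now stale
    return naive, chained
```

For export to a SIEM, ship the entries as-is; the receiving system can re-run verify_chain over what it received to confirm nothing was dropped or changed in transit.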
E

AI & LLM controls

Complete control over AI usage. Your models, your API keys, your data - with guarantees about how your information is used in AI operations.

Bring Your Own LLM

Required

ATP requires you to provide LLM access. We don't provide AI services - you use your existing provider relationship.

  • Your API keys, stored in your environment
  • Your provider relationship (OpenAI, Anthropic, Azure, etc.)
  • Your billing - no markup from S2T
  • Your model selection and version control

No Model Training on Customer Data

Guaranteed

Your data is never used to train, fine-tune, or improve any AI models. Period.

  • S2T never receives your prompts or responses
  • Your LLM provider terms apply (choose providers with data protection)
  • No data aggregation across customers
  • No secondary use of assessment data

Prompt Isolation

Architectural

Each assessment operates in complete isolation. No data leakage between assessments, sessions, or customers.

  • Per-assessment context boundaries
  • No shared prompt history
  • No cross-session memory (unless explicitly enabled)
  • Session data cleared on completion
How it works

ATP creates isolated execution contexts for each assessment. Prompts include only data from the current assessment scope. No context persists between sessions unless you explicitly enable memory features - and that memory stays in your environment.

Questions about security?

We're happy to walk through our security architecture with your team. Schedule a technical deep-dive or request our security documentation package.