Security

Security & governance

SeaGoat is designed for enterprise security from the ground up. This page outlines our security architecture, data handling practices, and compliance roadmap. We operate on a principle of transparent security: what we have, what we're building, and what we commit to for enterprise deployments.

Security posture

SeaGoat operates under a controlled deployment model with defined data boundaries, phased rollouts, and explicit access controls. Our architecture supports pilot deployments with clear paths to enterprise hardening (vendor review support, expanded SSO/IdP options, expanded RBAC).

Pilot deployments run in isolated environments with:

  • Limited, defined access scope
  • Explicit data boundaries per engagement
  • Phased rollout with technical validation gates

We support technical diligence reviews and work directly with security teams to address specific control requirements and compliance frameworks.

Data handling

Evidence storage & lineage

All assessment evidence (photos, documents, annotations) is stored with complete lineage tracking. Every finding traces back to source evidence. Every cost item links to a finding. Every report section cites its inputs.

Training data separation

Customer assessment data is never used for model training. We run on paid enterprise AI tiers, where the provider's terms prohibit training on your inputs. Development and testing rely on synthetic datasets and public references only. Your data stays yours. We don't learn from it.

Data isolation

Each client gets their own pack. Your process, verbiage, language, cost structure, and report formats are isolated. Other clients cannot see your configuration or outputs. We do not share workflows, templates, or assessment logic across engagements.

Environment isolation

Production and staging environments are fully separated with distinct data stores, credentials, and access controls. Test data never impacts live workflows.

Data residency & encryption

We host customer assessment data on enterprise US cloud infrastructure, encrypted in transit (TLS) and at rest. We share specific provider, region, and architecture details with your security team during vendor review.

Credential management

Secret storage

API keys and credentials are stored in secret storage or environment variables, never hardcoded in code or config. Secrets are environment-specific and access-controlled.

Access control

Access follows least-privilege principles. Users and systems receive only the permissions required for their specific role. Credential access is logged for audit purposes.

  • Single sign-on with Google and Microsoft accounts, live today.
  • Role-based access is live and covered by automated tests: admin, reviewer, user, and subcontractor roles, per-workspace membership, subcontractors see only assigned work.

Development security

Development environments use separate, restricted credentials. Production secrets never appear in development, testing, or version control systems.

Auditability & governance controls

Human-in-the-loop architecture

All outputs require human review and approval before finalization. The system enforces review workflows. AI suggestions become approved findings only after explicit human validation.

Audit trail

We log action, detail, timestamp, user identity, and override rationale for approvals, overrides, and modifications.

Quality gates

Export and report generation are blocked when required fields are missing or validation rules fail. Incomplete or unverified data cannot ship to final outputs.

Traceability

Complete provenance chain from evidence → finding → cost → report. Any output can be traced back to its source evidence and approving reviewer.

Tested, not just configured

Isolation you can verify.

Your workspace is isolated, and automated tests prove it on every release.

Backups we actually restore.

Daily backups with point-in-time recovery, for your data and your uploaded files, and we test that the restore works.

Enterprise roadmap

Planned capabilities

The following capabilities are on our enterprise roadmap. We do not claim they are available today. This section exists to show our commitment to transparent security and give you visibility into our build priorities.

Expanded SSO / IdP support

SAML 2.0 and expanded IdP support (Okta).

Expanded RBAC

Expanded granular permissions and separation-of-duties tooling.

Advanced retention controls

Configurable retention policies, automated deletion schedules, and legal hold support.

Single-tenant deployment option

Isolated infrastructure for organizations requiring dedicated environments.

SOC 2 Type II certification

Currently in audit preparation.

Vendor security review support

Dedicated support for security questionnaires, penetration testing coordination, and compliance documentation.

Timeline: These capabilities ship as requirements and engagement scale dictate, not on a fixed calendar. We prioritize based on enterprise interest and rollout timelines.

Compliance & certifications

Current status

SeaGoat operates under secure development practices with plans for formal compliance certification as deployments scale.

In progress

  • SOC 2 Type II audit preparation
  • Security documentation and control framework implementation

On engagement

We support organization-specific security requirements through dedicated technical reviews, questionnaire responses, and remediation planning. For compliance requirements specific to your organization, we work directly with your security team to address gaps and provide evidence of controls.

For technical diligence, we can walk through controls, boundaries, and roadmap in detail.

Get in touch