Security
Security & governance
SeaGoat is designed for enterprise security from the ground up. This page outlines our security architecture, data handling practices, and compliance roadmap. We operate on a principle of transparent security: what we have, what we're building, and what we commit to for enterprise deployments.
Security posture
SeaGoat operates under a controlled deployment model with defined data boundaries, phased rollouts, and explicit access controls. Our architecture supports pilot deployments with clear paths to enterprise hardening (vendor review support, expanded SSO/IdP options, expanded RBAC).
Pilot deployments run in isolated environments with:
- –Limited, defined access scope
- –Explicit data boundaries per engagement
- –Phased rollout with technical validation gates
We support technical diligence reviews and work directly with security teams to address specific control requirements and compliance frameworks.
Data handling
Evidence storage & lineage
All assessment evidence (photos, documents, annotations) is stored with complete lineage tracking. Every finding traces back to source evidence. Every cost item links to a finding. Every report section cites its inputs.
Training data separation
Customer assessment data is never used for model training. We run on paid enterprise AI tiers, where the provider's terms prohibit training on your inputs. Development and testing rely on synthetic datasets and public references only. Your data stays yours. We don't learn from it.
Data isolation
Each client gets their own pack. Your process, verbiage, language, cost structure, and report formats are isolated. Other clients cannot see your configuration or outputs. We do not share workflows, templates, or assessment logic across engagements.
Environment isolation
Production and staging environments are fully separated with distinct data stores, credentials, and access controls. Test data never impacts live workflows.
Data residency & encryption
We host customer assessment data on enterprise US cloud infrastructure, encrypted in transit (TLS) and at rest. We share specific provider, region, and architecture details with your security team during vendor review.
Credential management
Secret storage
API keys and credentials are stored in secret storage or environment variables, never hardcoded in code or config. Secrets are environment-specific and access-controlled.
Access control
Access follows least-privilege principles. Users and systems receive only the permissions required for their specific role. Credential access is logged for audit purposes.
- –Single sign-on with Google and Microsoft accounts, live today.
- –Role-based access is live and covered by automated tests: admin, reviewer, user, and subcontractor roles, per-workspace membership, subcontractors see only assigned work.
Development security
Development environments use separate, restricted credentials. Production secrets never appear in development, testing, or version control systems.
Auditability & governance controls
Human-in-the-loop architecture
All outputs require human review and approval before finalization. The system enforces review workflows. AI suggestions become approved findings only after explicit human validation.
Audit trail
We log action, detail, timestamp, user identity, and override rationale for approvals, overrides, and modifications.
Quality gates
Export and report generation are blocked when required fields are missing or validation rules fail. Incomplete or unverified data cannot ship to final outputs.
Traceability
Complete provenance chain from evidence → finding → cost → report. Any output can be traced back to its source evidence and approving reviewer.
Tested, not just configured
Isolation you can verify.
Your workspace is isolated, and automated tests prove it on every release.
Backups we actually restore.
Daily backups with point-in-time recovery, for your data and your uploaded files, and we test that the restore works.
Enterprise roadmap
Planned capabilities
The following capabilities are on our enterprise roadmap. We do not claim they are available today. This section exists to show our commitment to transparent security and give you visibility into our build priorities.
Expanded SSO / IdP support
SAML 2.0 and expanded IdP support (Okta).
Expanded RBAC
Expanded granular permissions and separation-of-duties tooling.
Advanced retention controls
Configurable retention policies, automated deletion schedules, and legal hold support.
Single-tenant deployment option
Isolated infrastructure for organizations requiring dedicated environments.
SOC 2 Type II certification
Currently in audit preparation.
Vendor security review support
Dedicated support for security questionnaires, penetration testing coordination, and compliance documentation.
Timeline: These capabilities ship as requirements and engagement scale dictate, not on a fixed calendar. We prioritize based on enterprise interest and rollout timelines.
Compliance & certifications
Current status
SeaGoat operates under secure development practices with plans for formal compliance certification as deployments scale.
In progress
- –SOC 2 Type II audit preparation
- –Security documentation and control framework implementation
On engagement
We support organization-specific security requirements through dedicated technical reviews, questionnaire responses, and remediation planning. For compliance requirements specific to your organization, we work directly with your security team to address gaps and provide evidence of controls.
For technical diligence, we can walk through controls, boundaries, and roadmap in detail.
Get in touch