EU-hosted · append-only ledger · BYOK

Agents that leave a receipt.

Every agentic action — traceable, measurable, accountable. Five layers of governance hold this up: Security, Policy, Guardrails, Compliance, and an append-only Audit ledger.

The summary below is a starting point your vendor-review team can use today; full artefacts are available on request.

§ the governance stack

What governance looks like in production.

01SecurityBYOK · encryption · tenant isolation · EU-hosted
02PolicyRole-based policy · approval workflows · change controls
03GuardrailsAutonomy limits · human-in-loop · fail-closed gates
04ComplianceGDPR · EU AI Act · sub-processors · DPA
05Audit & ReceiptsAppend-only ledger · reversal entries · evidence export
§ architecture

Every request passes through four gates before it acts.

Agent actions follow a four-gate path — authenticated, policy-checked, executed, logged. A high-level view of the request path in production.

INBOUNDuser / apimTLS · OIDC · passkeyGATE 01auth & scope• SSO · OIDC · SAML• role-based access• tenant scope• session trackingGATE 02policy• autonomy limits• approval workflows• human-in-loop route• fail-closed on missingGATE 03action• tool-call executor• scoped credentials• retry with backoff• per-action loggingGATE 04ledger• append-only• reversal entries• actor · timestamp · outcome• CSV + JSON exportSYSTEM OF RECORDsap · epicsalesforce · stripeGATES FAIL-CLOSED · ACTIONS LOGGED BEFORE COMMITEU-HOSTED PRODUCTION · DATA SCOPED TO TENANTBYOK FOR AI PROVIDERS · KEYS SWAPPABLE PER ORG
§ trust posture

What we actually ship.

Your model keys, your control.

Bring your own Anthropic, OpenAI, Google, or xAI key at the org level. Swap or revoke any time — Kaiva uses your key only while you tell us to.

  • BYOK for Anthropic · OpenAI · Google · xAI
  • AES-256 at rest · TLS 1.3 in flight
  • Keys scoped to tenant, cached briefly

Every action, reviewable.

Agent actions write into an append-only impact ledger — UPDATE and DELETE are blocked at the database. Operators post a reversal entry referencing the original, so the full history survives.

  • Append-only · Postgres-trigger-enforced
  • Reversal entries reference originals
  • Actor · timestamp · outcome on every row

EU-resident by default.

Our production infrastructure is located in the EU. Self-hosted and multi-region deployments are on the roadmap — scoped per Order Form when customers need them.

  • EU-hosted production
  • No cross-region processing today
  • Sub-processor list on request

Responsible disclosure.

Found something concerning? Email us directly and we'll coordinate a fix. One inbox, human triage, fixes called out in release notes.

  • Coordinated disclosure · 24h ack
  • Fixes called out in release notes
  • Scoped test environments on request

No training on your data.

Kaiva does not train foundation models. Where enterprise options exist, we prefer no-training configurations with our model providers. Your inputs are subject to the provider's own terms — see the Privacy Notice.

  • No Kaiva-side model training
  • Prefer provider no-training settings
  • Retention purged per policy

A human reads every escalation.

Disclosure reports, vendor-review questions, and incident queries go straight to engineers — not an L1 queue. First reply within 24 hours, weekdays, London time.

  • One inbox · human triage
  • 24h first response
  • Fix status visible in release notes
§ controls matrix · excerpt

A starting point your vendor-review team can use today.

// controls matrix with regulatory references · full artefacts on request

IDControlRegulatory ref
AC-03Role-based accessRBAC · audit-logged permission changesArt. 14
CR-11Customer model keysBYOK for Anthropic · OpenAI · Google · xAIArt. 10
LG-04Append-only audit ledgerPostgres triggers · reversal entriesArt. 12
PO-02Approval workflowsAutonomy limits · human-in-loopArt. 9 + 14
RV-07ReversibilityLedger-backed reversal entriesArt. 14(4)
RT-09No training on customer dataKaiva does not train · provider settings preferredArt. 10(5)
DR-02Data retention + erasureConfigurable per category · GDPR export / deleteArt. 17
EN-04EncryptionAES-256 at rest · TLS 1.3 in transitArt. 10
§ trust docs

Vendor documents, on request.

Write to [email protected] for the current sub-processor register, DPA, and vendor-review artefacts. Formal audit reports (SOC 2, ISO 27001) are on the roadmap.

LegalDPA · on requestKaiva Data Processing Addendum available on request; sent once your controller details are confirmed.
PDF · on request
LegalSub-processor registerCurrent list of third parties that touch customer data, with purpose. Provided on request to [email protected].
On request
PrivacyPrivacy NoticeHow we handle personal data — cookies, retention, rights, contact. Public.
Web · /privacy
§ governance team

Write to us directly.

Vendor reviews, disclosures, coordinated incident response — one inbox, human read, 24-hour first response.

[email protected]