Sensitive datanever leaves your tenancy.
How the platform is built — the architecture, the controls, and what we're willing to put in writing. This page is an evolving brief; ask us for the full security packet, sub-processor list, and current attestation roadmap.
Customer-held keys (BYOK)
Originals are encrypted with keys you hold in your KMS — AWS KMS, GCP KMS, or HSM. Logikol fetches a key per decryption request; revocation is immediate and irreversible from our side.
Split storage architecture
Encrypted originals live in one repository. Tokenized, format-preserving surrogates live in another. The two are linked only by a vault reference; an attacker would need both stores plus your KMS to recover plaintext.
Six-layer detection
Pattern + checksum, schema + tag, NER, vision (stamps/signatures/faces), context inference, and customer-defined rules — all run in parallel before any data is forwarded.
Signed audit trail
Every authorization, access, tokenization, and detokenization event is recorded and signed. Hand a regulator a verifiable export of any window in seconds.
Tenancy isolation
No cross-tenant ML training. No shared embeddings across customers. Your detection signals stay yours; your tokens are unique to your tenancy.
Deployment models
Logikol runs as managed multi-tenant SaaS (default), single-tenant dedicated VPC, or fully on-premises. Your data, your keys, your perimeter.
Frameworks & attestations
Our compliance posture is updated regularly. For our current attestation status — including in-progress reports, sub-processors, and data-residency options — get in touch and we'll send the latest packet under NDA.
This page is a placeholder for the full compliance matrix. Badges for SOC 2 Type II, HIPAA, GDPR, and other frameworks will be published here as attestations finalize. We don't list certifications we don't hold.