Trust & assurance

Security & infrastructure you can defend in a procurement room.

Sentink is secure multilingual AI research infrastructure for regulated teams—deployed on regional SaaS, tenant‑exclusive footprints, or private air‑gapped estates. Procurement rarely buys slide decks; it buys evidence. Here is how Sentink aligns with committee scrutiny: deliberate separation between ingestion, workspaces, persisted research data, AI routes, multilingual exports, automation seams (such as integrations you approve), and operations you can cite in security reviews.

  • Architected separation between edge, application, tenancy, persistence, AI routing, and multilingual respondent experiences.
  • Deployment choice—regional SaaS, dedicated/hybrid, or private licensed instances—without rewriting research programs when you graduate across models.
  • Identity, access, auditing, retention, automation hooks, and LLM oversight described in plain procurement language with artifacts (DPA, subprocessors, enterprise design sessions).

Deployment footprint

Choose the posture that fits your regulators and board.

The same core product adapts across hosting models—so you can graduate from cloud to sovereign or private installs without rewriting your research programs.

Regional SaaS

Sentink Cloud (dedicated‑server tenancy)

Predictable monthly tiers, shortest time‑to‑value, and hardened shared infrastructure—with strict logical isolation between tenants and regional hosting options documented in onboarding.

  • TLS end‑to‑end to the edge; hardened platform updates on a published cadence.
  • Operational monitoring and incident workflows suitable for SaaS SLA discussions.
  • Fast path for pilots while legal reviews a longer‑term sovereign option in parallel.

Dedicated · hybrid

VPC / tenant‑exclusive infrastructure

For teams that require dedicated network paths, quieter neighbors, or customer‑controlled network integration while still benefiting from Sentink‑operated automation.

  • Network integration patterns (IPs, egress allow‑lists, private connectivity) negotiated with your infra team.
  • Clear ownership matrix for patching, backups, and monitoring.
  • Bridges cleanly to SSO and corporate logging pipelines.

Private · air‑gapped

Enterprise / licensed instance — your metal

Full separation: code runs entirely inside boundaries you attest. Ideal where model usage, egress, evidence exports, or national cloud rules disallow multi‑tenant SaaS.

  • Bring your KMS / vault patterns; bake retention and legal hold into your archives.
  • Optional fully offline workflows for model execution when your policy demands it.
  • Release engineering aligned with your CAB instead of ours.

SOC 2 · ISO roadmap (plain language)

Formal certifications are timelines, not vibes. Sentink aligns engineering and documentation practices toward SOC 2 Type II‑style attestations with a target roadmap discussed under NDA—and ISO 27001 alignment staged thereafter. Your RFP deserves dates and scope—not logos purchased before controls exist.

AI data governance

Inference, egress, and multilingual research data—by deployment mode.

Regulated buyers evaluate LLM risk the same way they evaluate storage: who operates the plane, what can leave the boundary, and how AI evidence is retained. The table below summarizes how Sentink aligns those answers across common deployment postures—precise routing is confirmed in enterprise technical design and contracts.

Comparison of operator boundary, AI inference posture, egress stance, and observability across Sentink deployment models.
| Footprint | Operator & trust boundary | AI / LLM routing | Default egress posture | Logs & integrations |
| --- | --- | --- | --- | --- |
| Sentink Cloud (regional SaaS) | Sentink operates the platform on dedicated-server tenancy with documented regional hosting options surfaced during contracting. | Model assistance may route via approved integrations/subprocessors you review; private-model postures are constrained by contract and onboarding design. | No “silent” egress story—allow lists, integration seams, and lawful export paths are enumerated instead of ad-hoc tunnels. | Operational monitoring suitable for SaaS SLAs; webhook/export/SIEM ingestion attach at documented seams per your security pack. |
| Dedicated / hybrid VPC-style | Tenant-exclusive infrastructure with quieter multi-tenant neighborhoods and customer-steered networking for sensitive programs. | Inference patterns align to VPC constraints; BYO endpoints and policy-driven routing are common discussion topics with your infra/security teams. | Private connectivity, IP allow lists, and negotiated egress controls—ideal when national cloud or sovereignty reviews run in parallel with pilots. | Ownership splits for patching/backups/monitoring are explicit; bridges to corporate IdP and SOC pipelines are first-class. |
| Enterprise private / licensed | Workloads run entirely inside boundaries you attest—air-gapped workflows optional when regulators disallow shared SaaS inference. | BYO LLM / on-prem inference is the default posture; models stay inside your trust zone unless you intentionally bridge outbound paths. | Your security team owns outbound policy—Sentink aligns change management with your CAB and evidence exports land in archives you govern. | Retention, legal hold, and SIEM ingestion inherit your KMS/vault posture; forensic narratives stay inside your tooling. |

Multilingual RTL programs inherit the same access, workspace isolation, retention, export, and AI governance primitives—localized content expands the confidentiality surface area, which is why we pair language tooling with tenancy controls instead of treating “translations” as a cosmetic layer.

Reference architecture

Layered ingress, application, tenancy, persistence, and model usage.

We describe Sentink using separation of concerns auditors recognize: identities terminate at controlled edges, workloads execute in an application tier, tenancy is enforced as a hard boundary, persisted artifacts live in bounded stores, and any model assistance is mediated—not bolted onto CRUD endpoints without policy.

Logical layers—your exact topology is confirmed during enterprise technical design.
  • Regional hosting options apply to SaaS footprints; geo selection is surfaced during contracting.
  • Extensibility (webhooks, exports, SIEM ingestion) attaches at documented integration seams—not informal database access.
  • Operational runbooks differentiate platform maintenance versus customer‑configurable governance.

Isolation model

Tenant separation is contractual and technical—not aspirational.

Every enterprise survey vendor claims ‘multi‑tenant security’. Procurement teams should insist on specificity: namespaces, cryptographic boundaries, backups, restores, deletion programs, cross‑tenant test discipline, and what internal roles can theoretically touch tenant configuration.

Isolated namespaces / databases
  • Logical isolation enforced in product access paths; destructive cross‑tenant access is incompatible with baseline design assumptions.
  • Copy, export, and reporting flows honor workspace scope—preventing naive “admin sees everything” anti‑patterns in standard deployments.
  • Penetration test scope and datapath reviews can expand for regulated programs under NDA.

LLM governance

Model assistance with enterprise‑grade constraints.

AI should reduce time‑to‑insight—not create phantom data egress. Governance starts with minimizing prompts, forbidding unintended destinations, versioning prompt templates where applicable, retaining evidence of model usage proportional to risk, and giving humans review points before irrevocable outbound actions.

  • Deployment‑specific controls: SaaS integrations may route to approved inference endpoints; private installs can terminate at your local model estate.
  • Human‑readable rationale and provenance cues for surfaced suggestions—explainability tied to respondent text and configuration, not astrology.
  • Optional workflow gates for actions that materially change respondent experience or outbound messaging.

Data lifecycle & AI explainability

Retention you can negotiate; insights you can verify.

Retention is simultaneously a GDPR/PDPA topic and a board topic. Sentink supports policy conversations: minimum necessary storage, timelines for respondent artifacts, respondent deletion/export flows constrained by lawful bases, archival for litigation, and research integrity for longitudinal programs.

  • Explainability emphasizes traceability—what texts and settings caused a ranked summary—not unverifiable “black magic”.
  • Exports support audit packs and reproducibility discussions with your methodological leads.
  • Enterprise deployments align backup and DR targets to your RPO/RTO instead of anonymized SaaS averages.

Access · audit · identity

SSO/SAML‑ready identity, least‑privilege structure, observable administration.

Modern access control is federation at the front door, fine roles inside the product, MFA expectations aligned with your IdP vendor, quarterly access reviews aided by telemetry, and immutable‑leaning audit logs suitable for SOC 2‑style narratives—exact implementation matrices depend on your edition and footprint.

  • SCIM‑style lifecycle patterns can be prioritized on enterprise timelines where HRIS integration is mandated.
  • Administrative mutations leave forensic breadcrumbs for security operations centers.
  • Break‑glass and emergency access narratives are accommodated in regulated environments upon request.

Operations & resilience

Incident coordination, patching cadence, and continuity—without marketing absolutes.

Committee buyers care what happens during failure modes: patching velocity, forensic logging continuity, escalation paths to your SOC, and contractual incident posture. Exact SLAs vary by SKU and geography; we articulate them in onboarding packs for enterprise footprints instead of implying one-size timelines in marketing copy.

  • Incident workflows: Roles, escalation, and mutual notification checkpoints are spelled out with enterprise counterparts per order form—not hidden behind generic uptime claims.
  • Coordinated vulnerability handling: Disclosure expectations and timelines are shared via your commercial/security engagement alongside engineering contacts.
  • SaaS change discipline: Scheduled platform patching and observable release notes (see Changelog) keep CAB conversations grounded in fact.
  • Resilience narratives: SaaS adopts operational targets suitable for SLA discussions; private deployments inherit customer-defined backup/restore and DR objectives (RPO/RTO) articulated in contractual materials.
  • SOC integration: Telemetry exports toward corporate SIEMs or ITSM tooling are routed through negotiated integration seams to avoid unmanaged shadow integrations.

Procurement-ready answers

What security & legal reviewers ask early.

These summaries mirror how we onboard enterprise committees; deeper CAIQ-style responses and datapath attestations arrive under your standard NDA and technical design milestones.

Sentink Enterprise

When your committee asks “show us how”, this page starts the dialogue.
