// SECURITY

Built for teams whose compliance reviewer
reads every commit.

SysNav earns its place in regulated environments by leaving your keys where they belong — with you.

// SIX PILLARS

How SysNav keeps secrets, secret.

Local-first by design

SSH keys, credentials, and env vars never leave your device. The shell runs on your machine; the AI orchestrator sees only redacted, ephemeral context.

Zero retention

Prompts and completions are purged from our infrastructure within 30 seconds of response. Nothing persisted. Verified quarterly by third-party audit.

Redaction pipeline

An on-device scrubber strips RFC-compliant key formats (AWS, GCP, Stripe, JWT, etc.) and custom patterns before any token is sent upstream.

BYO LLM

Route prompts to OpenAI, Anthropic, Azure OpenAI, Bedrock, or a self-hosted model (Llama, Mistral). Per-org, per-user, or per-command policy.

Tamper-evident audit

Every command, approval, and AI context is streamed to your S3 / GCS bucket, hash-chained, and signed. Exportable in CEF or JSON.

Policy engine

Declarative rules enforced at the agent layer: deny-patterns, time-windows, approval chains, and region-scoped restrictions. Testable via CI.

// COMPLIANCE

Frameworks, status, reality.

FRAMEWORK

STATUS

STAGE

SOC 2 Type II

Audit in progress · Q3 2026

In progress

GDPR

EU-resident data stays in EU. DPA available.

Compliant

HIPAA

BAA available on Enterprise. PHI redaction on.

Ready

ISO 27001

Scoped for Q1 2027 audit.

Roadmap

FedRAMP Moderate

Under assessment via GovCloud.

Exploratory

PCI-DSS

Self-hosted deployments only. Reference arch available.