§01Deployment tiers
Poliglot is available in two deployment tiers, plus a roadmap option for customer-controlled infrastructure.
Public cloud · default, open sign-up
Anyone can create a workspace on the public cloud. Workloads currently run in US regions, on shared, multi-tenant infrastructure operated by Poliglot. Workspaces are scoped at the application layer. All persistent stores are encrypted at rest with AES-256; data in transit is TLS 1.2+. Encryption is enforced at the organization level, so unencrypted stores cannot exist.
Private cloud · dedicated tenant
Private cloud is included with business and enterprise plans, and is the default for firms in regulated industries. It provides a dedicated-tenant deployment with its own logical database, its own object storage, and its own per-tenant encryption keys. Isolation is enforced at the storage and runtime layer.
Customer-VPC · on the roadmap
A customer-VPC deployment option (Poliglot running inside your own cloud account) is the next milestone after private cloud. Talk to us about requirements.
§02Data & isolation
The specifics of isolation depend on your deployment tier. Both tiers use per-workspace authorization and encryption everywhere; they differ in whether the underlying storage is shared or dedicated.
Public cloud
- Workspaces share underlying datastores. Authorization is enforced at the application layer.
- Data at rest is AES-256 with shared-tier keys.
- Data in transit is TLS 1.2+, including internal service-to-service traffic over mTLS.
Private cloud
- Dedicated logical database, dedicated object storage, per-tenant encryption keys.
- Cross-tenant access blocked at the storage-policy layer, not only in the application.
- Customer support access to tenant data is off by default; time-bounded audit record on every explicit grant.
§03AI model & training policy
Inference is always executed by third-party model providers. You may run Bring Your Own Model (you hold the provider account) or use our Managed Model Router (Poliglot holds agreements with supported providers and routes on your behalf). In either mode we contract (or pass through the customer's contract) for zero data retention, no training on customer data where the provider offers those terms, and reflect them in the DPA.
Data sovereignty
Your data is your data. Poliglot does not train, fine-tune, or evaluate AI models on customer workspace data, integration data, or execution history. This applies to every deployment tier and is not configurable.
§04Secret management
Connected-system credentials are encrypted in your browser before they leave the client, using X25519 ECDH and XChaCha20-Poly1305. The API receives ciphertext only.
At rest. Secrets are stored under envelope encryption with managed keys (AES-256-GCM). Plaintext is never persisted to disk.
In use. When an action needs a credential, the runtime decrypts it transiently into an ephemeral execution context, uses it, and clears it. Plaintext materializes briefly in server and runtime process memory during these paths.
§05Data handling & privacy
What we collect
The data you put into Poliglot (operating model definitions, engagement state, connected system configuration, inference inputs and outputs), plus product telemetry. No tracking identifiers following users across the web.
Retention
Customer workspace data is retained for the duration of your agreement. Operational logs are retained 365 days by default in production environments.
Export and deletion
Customer data is portable. On contract termination, data is deleted from primary storage within 30 days, and from backups within 30 days.
§06Compliance program
We publish our compliance status openly. The table below reflects the current state; target dates are honest targets, not marketing.
Priorities are negotiable. If a specific certification unlocks your deployment, email security@poliglot.io with the standard and timeline.
| Standard | Status | Target |
|---|---|---|
SOC 2 Type I Independent attestation that security controls are designed correctly at a point in time. | Planned | Q4 2026 |
SOC 2 Type II Attestation that controls are operating effectively over a continuous period. The report most enterprise security teams will ask for. | Planned | Target Q2 2027 |
SOC 1 (SSAE 18) Controls over financial reporting, relevant where Poliglot sits in workflows producing client financial work product. | Planned | Target Q2 2027 |
ISO 27001 International standard for information security management systems. | On Roadmap | Target 2027 |
HIPAA Administrative, physical, and technical safeguards for protected health information. | On Roadmap | Available on request |
FedRAMP U.S. federal authorization for cloud services, aligned with long-horizon defense and government commitments. | On Roadmap | Target 2028 |
§07Responsible disclosure
Report suspected vulnerabilities to security@poliglot.io. Include a description, steps to reproduce, and any relevant environment details.
We acknowledge reports within two business days, triage against customer impact, and coordinate disclosure with reporters in good faith. We do not pursue legal action against researchers who follow this policy.