Skip to main content
Panopticore
Request early access
Trust & Compliance

Where we are on the trust roadmap.

Panoptic Systems is pre-seed and building toward design partner engagements. This page documents our current posture honestly so investors, partners, and prospective customers can answer their own diligence questions.

Current state

What we do today.

Security posture

VPC-first deployment, customer-managed signing keys (ECDSA P-256), fail-closed behavior, mTLS at the edge. Full details on the Security page.

Standards engagement

Formal submission to NIST on AI agent security (Docket NIST-2025-0035, February 2026). Read the comment.

Compliance roadmap

Where we're headed.

In scoping

SOC 2 Type II

Scoping underway. Target timeline will be published when confirmed. We will not claim SOC 2 status until the audit is complete and the report is issued.

Planned

Penetration testing

Third-party penetration testing will be scheduled as design partner engagements begin. Results will be available to partners under NDA.

Planned

Third-party security audit

Independent security audit will be conducted as part of the SOC 2 preparation process.

Data handling

How data flows.

Subprocessors

No subprocessors at this stage. Panopticore is designed for VPC-first deployment in customer infrastructure. Agent traffic, policy decisions, and Evidence Binders remain in the customer's environment.

Data residency

Panopticore deploys in your VPC. Data residency is determined by your infrastructure choices, not ours.

Data retention

Event data and Evidence Binder retention is customer-controlled. Panopticore does not impose retention limits. Your data lifecycle policies apply.

Contractual posture

What we can sign.

DPA

Data Processing Agreement available on request.

BAA

Business Associate Agreement available for healthcare deployments.

MSA

Master Service Agreement template available on request.

Incident response

If something goes wrong.

  • Acknowledgment: Security reports acknowledged within 2 business days
  • Customer notification: Affected customers notified within 72 hours of confirmed security incident
  • Disclosure: Public disclosure after remediation, coordinated with affected parties

Need trust documentation?

Request our trust package for your diligence review.

Request trust documentation