Trust
Security & Data Handling
Last updated: June 8, 2026
A plain-language summary for security reviewers evaluating enclavai.io and the EnclavAI product. This is not a System Security Plan (SSP) and does not replace your own assessment.
Two surfaces
| Surface | Where data lives | CUI? |
|---|---|---|
| Public website & free tools | Your browser; Vercel CDN; optional Supabase/PostHog for forms & analytics | Do not submit CUI here |
| Self-hosted EnclavAI | Inside your VPC, GovCloud/Azure Gov sub, or air-gapped enclave | Designed to operate under your CUI program |
STIG Readiness Scorer (free tool)
- Checklist parsing and scoring run 100% in your browser
- No upload of .ckl / .cklb / XCCDF / SCAP / .nessus content to EnclavAI servers
- Optional analytics may record page views — never file content
Pilot request form
- HTTPS in transit
- Stored in Supabase (US-hosted project) with row-level security — public insert only, no public read
- Triggers an email notification via Resend to our team
- Collect business contact fields only — not STIG files or CUI
Self-hosted product (summary)
When you deploy EnclavAI in your boundary, the product is designed around:
- Zero egress — application-layer guard on outbound URLs; optional network-layer iptables lock (IPv4+IPv6 OUTPUT DROP) in Docker deployments
- Local inference — Ollama on-host or containerized; no cloud LLM calls
- Human approval gate — generated remediation stays in draft until an approver decides
- Deterministic safety scan — destructive-command backstop across bash, PowerShell, and Ansible output
- Tamper-evident evidence — HMAC-signed packages with canonical JSON digests for assessor export
- RBAC — signed bearer tokens; admin / analyst / read-only roles
Technical deployment detail lives in the product repository documentation (Docker Compose, GovCloud and air-gap runbooks, Terraform). Your SSP and ATO package should describe the instance you operate.
Hosting & headers (public site)
enclavai.io is served via Vercel with security headers including:
- X-Content-Type-Options: nosniff
- X-Frame-Options: DENY
- Referrer-Policy: strict-origin-when-cross-origin
- Restrictive Permissions-Policy for camera, microphone, and geolocation
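A reviewer can check the header list above against a saved response head. The following is an added example, not EnclavAI code: the function names and sample responses are constructed here, and "restrictive" is assumed to mean an empty allowlist such as camera=() for each named feature.

```python
# Header values come from the list above; "restrictive" Permissions-Policy is
# assumed (not stated on the page) to mean an empty allowlist "()".
EXPECTED = {
    "x-content-type-options": "nosniff",
    "x-frame-options": "DENY",
    "referrer-policy": "strict-origin-when-cross-origin",
}
RESTRICTED = ("camera", "microphone", "geolocation")

def parse_headers(raw):
    """Parse a raw response head into {lowercased-name: [values]}."""
    headers = {}
    for line in raw.splitlines()[1:]:  # skip the status line
        if not line.strip():
            break  # blank line ends the header block
        name, sep, value = line.partition(":")
        if sep:
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers

def parse_permissions_policy(value):
    """Split 'a=(), b=(self)' into {feature: allowlist}; quoted commas unsupported."""
    policy = {}
    for directive in value.split(","):
        feature, sep, allowlist = directive.strip().partition("=")
        if sep:
            policy[feature.strip().lower()] = allowlist.strip()
    return policy

def audit(raw):
    """Return findings; an empty list means every listed header matched."""
    headers, findings = parse_headers(raw), []
    for name, want in EXPECTED.items():
        values = headers.get(name, [])
        if len(values) != 1:  # missing or duplicated headers are both findings
            findings.append(f"{name}: expected once, sent {len(values)} times")
        elif values[0].lower() != want.lower():
            findings.append(f"{name}: got {values[0]!r}, want {want!r}")
    policy = parse_permissions_policy(",".join(headers.get("permissions-policy", [])))
    for feature in RESTRICTED:
        if policy.get(feature) != "()":
            findings.append(f"permissions-policy: {feature} not disabled")
    return findings

# Constructed sample response heads (not captured from enclavai.io).
COMMON = "HTTP/1.1 200 OK\r\nX-Content-Type-Options: nosniff\r\n"
GOOD = COMMON + ("X-Frame-Options: DENY\r\nReferrer-Policy: strict-origin-when-cross-origin\r\n"
                 "Permissions-Policy: camera=(), microphone=(), geolocation=()\r\n\r\n")
WEAK = COMMON + "X-Frame-Options: SAMEORIGIN\r\nPermissions-Policy: camera=(), microphone=(self)\r\n\r\n"
if __name__ == "__main__":
    print("GOOD:", audit(GOOD), "WEAK:", audit(WEAK))
```

Pass audit() the response head saved from a request such as curl -sI; a missing header and a header sent more than once are both reported.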
Incident & vulnerability reports
Report suspected security issues to support@gnukumcloudsolutions.com. Please include steps to reproduce and avoid submitting CUI in the report.