Shadow Warden AI Trust Center
Security controls, compliance posture, and audit reports for the GDPR-compliant AI security gateway.
52 Security Controls
4 Compliance Frameworks
9 Pipeline Layers
<2ms Filter Latency
AI Filter Pipeline | 9 Controls
- Topological jailbreak detection (Betti numbers β₀/β₁)
- Obfuscation decoding (base64, hex, ROT13, homoglyphs)
- Secret and PII redaction (15 regex patterns + entropy scan)
- Semantic rule engine with compound risk escalation
- +5 more controls
Data Security | 7 Controls
- Encryption at rest (Fernet AES-128-CBC, HMAC-SHA256 reverse map)
- Encryption in transit (TLS 1.3 via Cloudflare QUIC/HTTP3)
- GDPR-compliant content never logged — metadata only
- Post-Quantum Cryptography (ML-DSA-65 + ML-KEM-768 hybrid)
- +3 more controls
Access Management | 7 Controls
- Per-tenant API key management (JSON multi-key + SHA-256 hash)
- Constant-time key comparison (timing-attack resistant)
- Fail-closed authentication at startup
- Multi-tenant workload isolation
- +3 more controls
Compliance & Privacy | 7 Controls
- GDPR Article 35 Data Protection Impact Assessment
- SOC 2 Type II evidence collection and control mapping
- ISO 27001:2022 full 93-control mapping with theme coverage
- Continuous compliance posture scoring (GDPR/SOC2/ISO/HIPAA)
- +3 more controls
Agentic SOC | 6 Controls
- SOVA autonomous AI operator (30 tools, Claude Opus, ≤10 iterations)
- MasterAgent multi-agent SOC coordinator (4 sub-agents)
- WardenHealer autonomous anomaly detection (OLS trend, Haiku triage)
- Agent injection chain detection with cryptographic attestation
- +2 more controls
Infrastructure Security | 6 Controls
- Cloudflare Zero Trust tunnel (QUIC/HTTP3, TOFU TLS pinning)
- Docker non-root user (UID/GID 10001, MCR Playwright base)
- Redis sliding window rate limiting (socket timeout hardened)
- Prometheus metrics + Grafana SLO alerts (P99, 5xx, availability)
- +2 more controls
Threat Intelligence | 5 Controls
- ArXiv LLM-attack paper monitoring with auto-synthesis
- Evolution Engine (Claude Opus auto-rule generation + ReDoS gate)
- CVE dependency scanner (OSV API, real-time advisories)
- Shadow AI discovery (18 providers, /24 subnet probe, DNS telemetry)
- +1 more controls
Vendor & Document Security | 5 Controls
- AI Vendor Governance Register with DPA tracking and expiry alerts
- Supplier AI risk composite scoring (5-criteria, peering-based)
- Prompt library injection screening via filter pipeline before save
- Document intelligence (SHA-256 Redis cache, 50 MB gate, 30s timeout)
- +1 more controls
AI Filter Pipeline
9 Topological jailbreak detection (Betti numbers β₀/β₁) implemented
Obfuscation decoding (base64, hex, ROT13, homoglyphs) implemented
Secret and PII redaction (15 regex patterns + entropy scan) implemented
Semantic rule engine with compound risk escalation implemented
ML semantic guard (MiniLM + Poincaré hyperbolic blend) implemented
Causal Bayesian arbitration (Pearl do-calculus) implemented
Phishing and social engineering detection implemented
Elastic Rate Scoring with differentiated shadow ban implemented
Progressive streaming fast-scan (400-char live-emit buffer) implemented
Data Security
7 Encryption at rest (Fernet AES-128-CBC, HMAC-SHA256 reverse map) implemented
Encryption in transit (TLS 1.3 via Cloudflare QUIC/HTTP3) implemented
GDPR-compliant content never logged — metadata only implemented
Post-Quantum Cryptography (ML-DSA-65 + ML-KEM-768 hybrid) implemented
Cryptographic audit trail (SHA-256 hash chain, SQLite WAL) implemented
STIX 2.1 tamper-evident transfer audit chain implemented
Atomic file writes (tempfile + os.replace) to prevent corruption implemented
Access Management
7 Per-tenant API key management (JSON multi-key + SHA-256 hash) implemented
Constant-time key comparison (timing-attack resistant) implemented
Fail-closed authentication at startup implemented
Multi-tenant workload isolation implemented
HMAC-SHA256 task token binding (cross-agent injection prevention) implemented
Role-based community membership (Owner, Admin, Member) implemented
Human-in-the-loop approval gate for high-impact actions implemented
Compliance & Privacy
7 GDPR Article 35 Data Protection Impact Assessment conducted
SOC 2 Type II evidence collection and control mapping implemented
ISO 27001:2022 full 93-control mapping with theme coverage implemented
Continuous compliance posture scoring (GDPR/SOC2/ISO/HIPAA) implemented
GDPR data purge API and ARQ cron scrub job implemented
Causal Transfer Guard (exfiltration risk blocked at P ≥ 0.70) implemented
Sovereignty attestation (HMAC-SHA256, 7-year Redis TTL) implemented
Agentic SOC
6 SOVA autonomous AI operator (30 tools, Claude Opus, ≤10 iterations) implemented
MasterAgent multi-agent SOC coordinator (4 sub-agents) implemented
WardenHealer autonomous anomaly detection (OLS trend, Haiku triage) implemented
Agent injection chain detection with cryptographic attestation implemented
Visual patrol (ScreencastRecorder + Claude Vision → MinIO) implemented
Scheduled SOC jobs (morning brief, threat sync, rotation check) implemented
Infrastructure Security
6 Cloudflare Zero Trust tunnel (QUIC/HTTP3, TOFU TLS pinning) implemented
Docker non-root user (UID/GID 10001, MCR Playwright base) implemented
Redis sliding window rate limiting (socket timeout hardened) implemented
Prometheus metrics + Grafana SLO alerts (P99, 5xx, availability) implemented
MinIO on-premises object store (no third-party data exfiltration) implemented
30-second graceful shutdown for in-flight requests implemented
Threat Intelligence
5 ArXiv LLM-attack paper monitoring with auto-synthesis implemented
Evolution Engine (Claude Opus auto-rule generation + ReDoS gate) implemented
CVE dependency scanner (OSV API, real-time advisories) implemented
Shadow AI discovery (18 providers, /24 subnet probe, DNS telemetry) implemented
Intel Bridge (ArXiv to Evolution sync, configurable interval) implemented
Vendor & Document Security
5 AI Vendor Governance Register with DPA tracking and expiry alerts implemented
Supplier AI risk composite scoring (5-criteria, peering-based) implemented
Prompt library injection screening via filter pipeline before save implemented
Document intelligence (SHA-256 Redis cache, 50 MB gate, 30s timeout) implemented
Employee AI training records with HMAC-SHA256 attestation implemented
Shadow Warden AI processes all data on-premises by default. The following third-party services are used only for the specific functions listed below.
| Subprocessor | Purpose | Data Region | Type |
|---|---|---|---|
| Anthropic | AI model inference (SOVA, Evolution Engine, visual patrol) | US | AI Provider |
| Cloudflare | Zero Trust tunnel, CDN, DDoS protection | Global | Network |
| Hetzner Cloud | VPS infrastructure hosting | EU (Germany) | Infrastructure |
| MinIO | On-premises S3-compatible object storage (self-hosted) | On-prem | Storage |
| Redis | Rate limiting, session memory, cache (self-hosted) | On-prem | Cache |
| PostgreSQL | Relational database (self-hosted) | On-prem | Database |
MinIO, Redis, and PostgreSQL run entirely on your infrastructure. No data ever leaves your environment for these services. Anthropic API calls are the only external LLM traffic and can be disabled for air-gapped deployments.
GDPR
GDPR Art. 35 DPIA
Data Protection Impact Assessment covering all processing activities
View document SOC 2
SOC 2 Type II Evidence Guide
Control mapping, auditor collection procedures, evidence bundles
View document ISO 27001
ISO 27001:2022 Control Matrix
93 controls across Organizational, People, Physical, Technological themes
View document Security
Security Model
9-layer defense model, OWASP LLM Top 10 coverage, full threat model
View document SLA
SLA Document
Pro 99.9% / Enterprise 99.95% uptime, P99 < 50ms, incident response
View document API
OpenAPI Specification
Full API reference — 562 endpoints, v6.8.0
View documentNeed a custom audit package or evidence bundle for your security review?
Request Audit Package