Security & trust

Built so your security team can say yes.

SidentiQ was architected for highly regulated environments: outbound-only connectivity, customer-controlled keys, and evidence you can verify without trusting us. Here's exactly how.

How we're built

Security isn't a feature here — it's the architecture.

Three decisions made on day one that you can't bolt on later.

Outbound-only by design

A customer-managed gateway dials out over mutual TLS. No inbound ports, no VPN, no inbound firewall exceptions; the only network change is allowing the gateway's egress. For restricted, on-premises, and high-compliance environments, deployment is scoped around your approved outbound paths during the proof.

Your keys, your storage

Evidence is hash-chained, signed, and written to storage you own: your S3 bucket, your Object Lock, your retention. We never hold the only copy, and with the verification key you hold you can check the chain entirely offline.

Least privilege, always

The connector requests the minimum scopes it needs, per system, and every action it takes is itself logged into the same tamper-evident chain. The tool that governs access is held to the same standard.

Where your data goes

The short version: it stays with you.

SidentiQ orchestrates and proves — it doesn't become a new copy of your identity data to worry about.

Your systems (Okta · Entra · AWS · LDAP) → outbound mTLS → Your gateway (customer-managed) → hash + sign → Your storage (your S3 + Object Lock)

Evidence is sealed at the gateway and lands in your own bucket. Nothing about the design requires you to trust SidentiQ as the custodian of record — the proof is yours, and it's verifiable without us.

Compliance posture

Honest about where we are.

We're an early-stage company and we won't claim certifications we don't have. Here's the real status — and the architecture is designed to map cleanly onto each framework.

SOC 2 Type II: readiness in progress
NIST 800-53: designed to map · in progress
FedRAMP: informed · not authorized
HIPAA: supported by design
OWASP ASI: AI-agent governance

Status reflects current readiness, not formal attestation unless stated. We'll share our architecture and control mappings with prospective founding partners under NDA.

Questions security teams ask

The objections, answered.

Do you require inbound network access?
No. The connector is outbound-only over mutual TLS — no inbound ports, no listening services exposed. This is what lets it fit restricted and high-compliance networks, scoped around your approved outbound paths. Disconnected or fully air-gapped patterns require a separate architecture review.
Where is our evidence actually stored?
In storage you own, typically your own S3 bucket with Object Lock enabled. SidentiQ writes hash-chained, signed records there. You hold the data and the keys; with the verification key you hold, the chain is verifiable offline, independent of us.
Does this replace our existing IGA?
No — and that's deliberate. SidentiQ runs alongside SailPoint, Okta, Entra, Saviynt, and legacy systems, adding cryptographic proof, hard-to-reach coverage, and AI-identity governance on top. Nothing gets ripped out.
How do you handle AI agents and non-human identities?
They're first-class. SidentiQ discovers service accounts, API tokens, and AI agents across tenants, scores their risk, and brings them under the same lifecycle, certification, and evidence controls as human identities — aligned to OWASP ASI.
What can we see before committing?
A scoped 30-day proof in your own environment — one workflow, one system, one test population. You see real results and an auditor-grade evidence pack before any broader commitment.
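What "hash-chained, signed, verifiable offline" means in practice, for the "Your keys, your storage" property above and the "Where is our evidence actually stored?" answer: each record commits to the hash of the one before it, each record carries a signature, and a verifier that holds the key can check the whole chain without contacting the producer. The following is an added example, not SidentiQ's code, and it assumes a canonical JSON encoding, SHA-256 hashing, and an HMAC-SHA256 tag standing in for the signature (a real deployment would sign with an asymmetric key, for example a customer KMS key, so verifiers need no secret). The sample events, key and field names are constructed for illustration.

```python
"""
Hash-chained, signed evidence log with offline verification (added example,
not SidentiQ's code). Assumptions: canonical JSON, SHA-256, and HMAC-SHA256
as a stand-in for an asymmetric signature.
"""
import hashlib
import hmac
import json
from typing import List, Optional, Tuple

GENESIS = "0" * 64  # prev_hash of the very first record


def canonical(obj: dict) -> bytes:
    # Deterministic encoding (sorted keys, no whitespace) so hashes are stable.
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def append_record(chain: List[dict], key: bytes, event: dict) -> dict:
    """Seal one event onto the chain and return the sealed entry."""
    prev_hash = chain[-1]["hash"] if chain else GENESIS
    record = {"seq": len(chain), "prev_hash": prev_hash, **event}
    digest = hashlib.sha256(canonical(record)).hexdigest()
    tag = hmac.new(key, digest.encode(), "sha256").hexdigest()  # signature stand-in
    entry = {"record": record, "hash": digest, "sig": tag}
    chain.append(entry)
    return entry


def verify_chain(chain: List[dict], key: bytes,
                 expected_head: Optional[str] = None) -> Tuple[bool, Optional[int], str]:
    """Offline check. Returns (ok, index_of_first_bad_entry, reason)."""
    prev_hash = GENESIS
    for i, entry in enumerate(chain):
        record = entry["record"]
        if record.get("seq") != i:
            return False, i, "sequence gap (entry removed or reordered)"
        if record.get("prev_hash") != prev_hash:
            return False, i, "prev_hash does not match previous entry"
        digest = hashlib.sha256(canonical(record)).hexdigest()
        if digest != entry["hash"]:
            return False, i, "record content does not match stored hash"
        tag = hmac.new(key, digest.encode(), "sha256").hexdigest()
        if not hmac.compare_digest(tag, entry["sig"]):
            return False, i, "signature invalid"
        prev_hash = digest
    # A chain with its tail cut off still verifies entry by entry. Detecting
    # truncation needs the latest hash ("head") kept somewhere the writer
    # cannot silently roll back, then compared here.
    if expected_head is not None and prev_hash != expected_head:
        return False, len(chain), "chain head does not match expected head (truncated?)"
    return True, None, "ok"


def demo() -> dict:
    """Build a small chain, then show what each kind of tampering looks like."""
    key = b"constructed-demo-key"  # constructed; a real key lives in the customer's KMS
    # Constructed sample events: access actions, plus the connector logging itself.
    events = [
        {"actor": "connector", "action": "request_scopes", "target": "okta", "scopes": ["users.read"]},
        {"actor": "jdoe", "action": "grant", "target": "aws:AdministratorAccess"},
        {"actor": "connector", "action": "certify", "target": "jdoe", "result": "approved"},
    ]
    chain: List[dict] = []
    for e in events:
        append_record(chain, key, e)
    head = chain[-1]["hash"]
    results = {"clean": verify_chain(chain, key, head)[0]}

    edited = json.loads(json.dumps(chain))          # deep copy, then rewrite a field
    edited[1]["record"]["target"] = "aws:ReadOnlyAccess"
    results["edited"] = verify_chain(edited, key, head)

    deleted = [chain[0], chain[2]]                   # drop the middle entry
    results["deleted"] = verify_chain(deleted, key, head)

    truncated = chain[:2]                            # drop the newest entry
    results["truncated_no_head"] = verify_chain(truncated, key)[0]
    results["truncated_with_head"] = verify_chain(truncated, key, head)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The last two cases are the ones to notice: editing or removing an entry breaks the chain immediately, but cutting off the newest entries does not, because the shortened chain is internally consistent. That is why the storage side matters as much as the hashing: Object Lock in compliance mode prevents stored object versions from being deleted or overwritten before their retention expires, and a verifier that also checks the latest head against a copy held outside the writer's control closes the truncation gap.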
Talk to us

Bring your hardest security question.

We'd rather have the deep architecture conversation early. Founding partners get our full control mappings and a hands-on technical review.