Login
Request Access

Security

Security & governance

SeaGoat is designed for enterprise security from the ground up. This page outlines our security architecture, data handling practices, and compliance roadmap. We operate on a principle of transparent security: what we have, what we're building, and what we commit to for enterprise deployments.

Security posture

SeaGoat operates under a controlled deployment model with defined data boundaries, phased rollouts, and explicit access controls. Our architecture supports pilot deployments with clear paths to enterprise hardening (SSO, RBAC, vendor review support).

Pilot deployments run in isolated environments with:

  • Limited, defined access scope
  • Explicit data boundaries per engagement
  • Phased rollout with technical validation gates

We support technical diligence reviews and work directly with security teams to address specific control requirements and compliance frameworks.

Data handling

Evidence storage & lineage

All inspection evidence (photos, documents, annotations) is stored with complete lineage tracking. Every finding traces back to source evidence. Every cost item links to a finding. Every report section cites its inputs.

Training data separation

Customer inspection data is never used for model training. Development and testing rely on synthetic datasets and public references only. Your data stays yours—we don't learn from it.

Data isolation

Each client gets their own pack—your process, verbiage, language, cost structure, and report formats are isolated. Other clients cannot see your configuration or outputs. We do not share workflows, templates, or inspection logic across engagements.

Environment isolation

Production and staging environments are fully separated with distinct data stores, credentials, and access controls. Test data never impacts live workflows.

Credential management

Secret storage

API keys and credentials are stored in secret storage or environment variables—never hardcoded in code or config. Secrets are environment-specific and access-controlled.

Access control

Access follows least-privilege principles—users and systems receive only the permissions required for their specific role. Credential access is logged for audit purposes.

Development security

Development environments use separate, restricted credentials. Production secrets never appear in development, testing, or version control systems.

Auditability & governance controls

Human-in-the-loop architecture

All outputs require human review and approval before finalization. The system enforces review workflows—AI suggestions become approved findings only after explicit human validation.

Audit trail

Today we log action, detail, and timestamp for approvals, overrides, and modifications. User identity, rationale for overrides, and original-to-final value tracking are planned for enterprise deployments.

Quality gates

Export and report generation are blocked when required fields are missing or validation rules fail. Incomplete or unverified data cannot ship to final outputs.

Traceability

Complete provenance chain from evidence → finding → cost → report. Any output can be traced back to its source evidence and approving reviewer.

Enterprise roadmap

Planned capabilities

The following capabilities are on our enterprise roadmap. We do not claim they are available today—this section exists to show our commitment to transparent security and give you visibility into our build priorities.

SSO integration

SAML 2.0 and OAuth support for Okta, Azure AD, and Google Workspace.

Role-based access control (RBAC)

Granular permissions (Inspector, Reviewer, Admin, Auditor) with separation of duties enforcement.

Advanced retention controls

Configurable retention policies, automated deletion schedules, and legal hold support.

Single-tenant deployment option

Isolated infrastructure for organizations requiring dedicated environments.

SOC 2 Type II certification

Currently in audit preparation.

Vendor security review support

Dedicated support for security questionnaires, penetration testing coordination, and compliance documentation.

Timeline: These capabilities ship as requirements and engagement scale dictate—not on a fixed calendar. We prioritize based on enterprise interest and rollout timelines.

Compliance & certifications

Current status

SeaGoat operates under secure development practices with plans for formal compliance certification as deployments scale.

In progress

  • SOC 2 Type II audit preparation
  • Security documentation and control framework implementation

On engagement

We support organization-specific security requirements through dedicated technical reviews, questionnaire responses, and remediation planning. For compliance requirements specific to your organization, we work directly with your security team to address gaps and provide evidence of controls.

For technical diligence, we can walk through controls, boundaries, and roadmap in detail.

Get in touch