Six commitments built into the architecture
These are not policies written after the fact — they are design constraints baked into how Sentinel operates.
Static Analysis Only
Sentinel never executes your code. Analysis is performed entirely through AST parsing, file reading and pattern matching: no runtime calls, no side effects, and no network access initiated by anything in your repository.
No Persistent Code Storage
Your repository is cloned temporarily for the duration of the scan and discarded immediately after. Source code is never written to a permanent store. Only findings and artefacts are retained.
Deterministic Rule Engine
No large language models are used in the compliance assessment pipeline. Every finding is produced by a deterministic, versioned rule engine — the same input always produces the same output.
Cryptographic Output Integrity
Every audit bundle is signed with RSA-PSS and includes a SHA-256 manifest of all output files. Any modification of the output after signing, whether to a file or to the manifest itself, is detected when the bundle is verified.
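How a signed manifest catches post-signature tampering, as an added example that is not Sentinel's own code: the manifest format (sorted "sha256-hex  filename" lines, as sha256sum prints), the PSS parameters (SHA-256, salt length equal to the hash length) and the sample bundle files are all assumptions made for the illustration. Verification checks the signature over the manifest first, then checks every file against its listed digest, and also rejects files that are present but not listed.

```go
package main

import (
	"bytes"
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"sort"
	"strings"
)

// BuildManifest renders a deterministic SHA-256 manifest of the bundle's files,
// one "hex-digest  name" line per file in sorted name order (the layout
// sha256sum emits; assumed here, not Sentinel's documented format). Sorting
// makes the bytes being signed reproducible for a given set of files.
func BuildManifest(files map[string][]byte) []byte {
	names := make([]string, 0, len(files))
	for n := range files {
		names = append(names, n)
	}
	sort.Strings(names)
	var b bytes.Buffer
	for _, n := range names {
		sum := sha256.Sum256(files[n])
		fmt.Fprintf(&b, "%s  %s\n", hex.EncodeToString(sum[:]), n)
	}
	return b.Bytes()
}

// pssOpts: assumed parameters (SHA-256 with salt length equal to the hash length).
var pssOpts = &rsa.PSSOptions{SaltLength: rsa.PSSSaltLengthEqualsHash}

// SignManifest signs the SHA-256 digest of the manifest with RSA-PSS. Only the
// manifest is signed; each output file is bound to it through its digest.
func SignManifest(priv *rsa.PrivateKey, manifest []byte) ([]byte, error) {
	digest := sha256.Sum256(manifest)
	return rsa.SignPSS(rand.Reader, priv, crypto.SHA256, digest[:], pssOpts)
}

// VerifyBundle verifies the manifest signature, then checks that every listed
// file is present with a matching digest and that no unlisted file has been
// added. Any edit to a file or to the manifest after signing returns an error.
func VerifyBundle(pub *rsa.PublicKey, manifest, sig []byte, files map[string][]byte) error {
	digest := sha256.Sum256(manifest)
	if err := rsa.VerifyPSS(pub, crypto.SHA256, digest[:], sig, pssOpts); err != nil {
		return fmt.Errorf("manifest signature invalid: %w", err)
	}
	listed := make(map[string]string)
	for _, line := range strings.Split(strings.TrimSpace(string(manifest)), "\n") {
		if line == "" {
			continue
		}
		parts := strings.SplitN(line, "  ", 2)
		if len(parts) != 2 {
			return fmt.Errorf("malformed manifest line %q", line)
		}
		listed[parts[1]] = parts[0]
	}
	for name, want := range listed {
		data, ok := files[name]
		if !ok {
			return fmt.Errorf("listed file %q missing from bundle", name)
		}
		sum := sha256.Sum256(data)
		if hex.EncodeToString(sum[:]) != want {
			return fmt.Errorf("digest mismatch for %q", name)
		}
	}
	for name := range files {
		if _, ok := listed[name]; !ok {
			return fmt.Errorf("file %q not covered by manifest", name)
		}
	}
	return nil
}

func main() {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	// Constructed sample bundle for the demonstration; not real Sentinel output.
	files := map[string][]byte{
		"findings.json": []byte(`{"findings":[]}`),
		"report.html":   []byte("<html>ok</html>"),
	}
	manifest := BuildManifest(files)
	sig, err := SignManifest(priv, manifest)
	if err != nil {
		panic(err)
	}
	fmt.Println("untouched bundle:", VerifyBundle(&priv.PublicKey, manifest, sig, files))
	// Edit one output file after signing: its digest no longer matches the manifest.
	files["findings.json"] = []byte(`{"findings":["edited"]}`)
	fmt.Println("edited file:", VerifyBundle(&priv.PublicKey, manifest, sig, files))
}
```

Note the order of checks: the signature is verified before any manifest line is parsed, so an attacker who rewrites the manifest to match tampered files still fails, because the manifest bytes themselves no longer verify under the signer's public key.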
No Training Use
Source code and all other content you submit are never used to train, fine-tune or evaluate machine learning models. This is both a contractual and a technical commitment.
EU Jurisdiction
Sentinel is operated within EU jurisdiction. Data processing is governed by GDPR. A Data Processing Agreement is available on request.
What happens to your code
Every step from submission to deletion, with no hidden stages.
Certifications & compliance
GDPR Compliance: ACTIVE (Regulation (EU) 2016/679)
ISO/IEC 42001:2023: ALIGNED (AI Management Systems)
EU AI Act Art. 9: COMPLIANT (Risk Management System)
SOC 2 Type II: IN PROGRESS (Trust Services Criteria)
ENISA AI Guidelines: ALIGNED (EU Agency Guidelines 2025)
NIS2 Directive: ALIGNED (Network & Information Security)