Security & operations

Designed for enterprise change-management.

SovereignEG is engineered to support enterprise governance from day one and is on a path toward formal compliance attestations. Below is exactly which controls ship in product today and which are explicit design goals — nothing more, nothing less.

  • TLS in transit: on every public endpoint

  • Audit-logged: every key, member, model

  • RBAC + project isolation: enforced server-side

  • Designed for PDPL: Egypt-hosted sovereign tier

Controls

What ships today — and what is on the active roadmap.

We mark items with a check when they are in product right now, and with a circle when they are explicit design goals — not yet formal certifications.

Ships today

In product, right now

Live in production and reachable through the public API and dashboard.

  • Encryption everywhere

    TLS in transit on every public endpoint; encrypted-at-rest Postgres + Redis on managed infrastructure.

  • Append-only admin audit log

    Every key create, key revoke, member change, and model update lands in a platform audit log.

  • RBAC + project isolation

    Two-tier orgs / projects with preset roles, enforced server-side on JWT and API-key traffic alike.

  • Per-key spend caps & IP allow-lists

    Hard monthly EGP ceilings per project, per-key IP restrictions, one-shot reveal, and instant revoke.

Design goals

On the active roadmap

Explicit commitments tied to the sovereign tier and the formal security review.

  • Egypt PDPL alignment

    Designed to support the Egypt Personal Data Protection Law and sector-specific residency rules on the sovereign tier.

  • SOC 2 / ISO-style controls

    On the roadmap for the Egypt-hosted sovereign deployment as the platform matures and customer-driven audits begin.

  • Written security review + DPA

    Enterprise pilots receive a current security review and a draft Data Processing Agreement template on request.

Operations

Operated in the open.

We publish what is live, what is upstream-routed, and what requires a sovereign hosting agreement. Formal SLA and status-history pages follow once we have enough operating history to publish honestly.

  • Status: Beta, invite-first rollout

    Trusted teams onboard with hands-on support and conservative rate and spend limits.

  • Routing: Transparent, standard routing today

    Public model cards disclose live status, provider, context window, and EGP pricing.

  • Support: Human, direct engineering support

    Our team can trace request IDs, audit events, and routing during the beta phase.

Provider transparency

Standard inference requests may be routed to vetted upstream model providers. Dedicated Egypt-hosted deployments are available on request for regulated workloads. The full disclosure is published in the legal pack.


Security researchers

Report a vulnerability

If you believe you have found a security issue, email support@sovereigneg.com with steps to reproduce, impact, and your contact details. We acknowledge reports within five business days and will not take legal action against good-faith research that follows this policy.

Need the formal security review?

We send it — with the DPA template — on request.

Tell us a little about your organisation and the sector you operate in. We reply with the latest review pack and a call slot if you want one.