Trust Center

Everything procurement asks for, before they have to ask.

We publish the answers up front. Your security, legal, and TPRM teams can read what they need today, on their schedule, without an NDA loop — no waiting on a security questionnaire, a sub-processor request, a contract template ask, or a CISO architecture review.

Why this exists

Buyers should not have to wait on us.

Procurement-ready by default

Your security, legal, and TPRM teams should find the answers they need before scheduling a call. Most of what we publish here used to require an NDA loop and a 5-day reply window.

Honest about shipped vs. roadmap

We use precise language. "Architecturally deployable" is not "certified." Roadmap items name target close dates, not aspirations. SOC 2 Type II is in flight, not implied.

Sparcle does not host your data

Bolt and Aeira run inside your perimeter. In every shipping topology, customer data does not reach Sparcle infrastructure. The sub-processor list reflects that distinction.

Public artifacts

What you can read today.

No NDA, no form, no waiting.

Security and compliance posture

What is architecturally deployable today (HIPAA, SOX, ITAR, GDPR, FCA, DORA) and what is on the roadmap (SOC 2 Type II, FedRAMP Moderate, ISO 27001). Honest framing throughout.

Architecture

How Bolt's extensible, governed agentic platform and Aeira's data plane fit together — agentic and deterministic, with most queries never touching a model. Identity-bound retrieval, multi-layer security pipeline, customer-extensible Authority Policy SDK.

Security questionnaire (CAIQ, SIG, HECVAT)

Pre-filled answers to the security questions every procurement team asks. Encryption, access control, audit, sub-processors, incident response, supply chain. Saves your team a 20-hour vendor intake.

Sub-processor disclosure

Aligned with GDPR Art. 28, CCPA, and PIPEDA. Distinguishes sub-processors of the customer (LLM provider, IdP, cloud) from sub-processors of Sparcle (GitHub, Cloudflare). 30-day change notification.

Where the model runs

How Bolt's BYO LLM architecture keeps the runtime inside your perimeter regardless of where the model itself lives. The three deployment modes (on-prem inference, in-tenant cloud LLM, public vendor API), the five-tier endpoint privacy taxonomy, and the PII-masking layer that runs before every outbound LLM call.

Controls evidence map

Maps SOC 2 Trust Services Criteria, HIPAA Security Rule, GDPR articles, and ISO 27001 Annex A controls to concrete evidence in our codebase and runbook.

Cryptographic erasure

The construction Bolt and Aeira use to satisfy GDPR Art. 17 and HIPAA Right to be Forgotten while preserving SOX, SEC, and HIPAA retention. Per-tenant CMK destruction, WORM ciphertext, tamper-evident receipt. The packet your DPO or external auditor receives.

Verify our claims yourself

The standalone audit-chain verifier. A statically-linked Rust binary your auditor runs offline against an exported Bolt chain — no network calls, no Sparcle dependencies. Sample chain + operator-root public key available pre-NDA so your security team can run end-to-end before installing anything.

Vulnerability disclosure

How to report a security issue, our 1-business-day acknowledgement target, 90-day coordinated disclosure window, and good-faith safe harbor.

Incident response

Our five-phase response framework, severity classification, customer notification SLAs (HIPAA 60-day, GDPR 72-hour), and contractual escalation paths.

Available under NDA

Where the deeper material lives.

A short list of artifacts we share during pilot evaluation under a mutual NDA. The public artifacts above are designed to answer almost every procurement question without these; the NDA materials are for the security and legal teams that want to go a layer deeper.

  • Architecture brief: component diagrams, runtime topology, pipeline layer detail
  • Threat model: STRIDE-by-component, mitigations mapped to controls
  • Penetration test summary: latest external assessment findings and remediation status
  • DPA, MSA, BAA, SLA templates: customer-counsel-ready starting points, v0.2 pending counsel review
  • SOC 2 readiness package: current control posture and gap analysis ahead of formal audit
  • Patent claim summaries: what the USPTO filings cover and how they map to the runtime
  • Reference customer conversations: design partners willing to take a call

Contracts

Customer counsel can read our templates before we talk.

DPA, MSA, BAA, and SLA templates are available under NDA during pilot evaluation, and will be moved to this page after counsel review. They are starting points designed to be negotiated, not take-it-or-leave-it riders.

DPA

Data Processing Addendum. Aligned with GDPR Art. 28. SCCs and UK IDTA addendum included.

Under NDA today. Public v0.2 pending counsel review.

MSA

Master Services Agreement. Software license, support, IP, warranty, liability, term.

Under NDA today. Public v0.2 pending counsel review.

BAA

Business Associate Agreement. HIPAA-aligned for customers handling PHI.

Under NDA today. Public v0.2 pending counsel review.

SLA and Support

Uptime and response targets that match the deployment topology you operate.

Under NDA today. Public v0.2 pending counsel review.

Talk to us.

If your team has read what's here and wants to go further, schedule a security or architecture review. Most pilots start with a 30-minute call and a mutual NDA.