Legal

Security

Last updated: 2026-05-01

[TODO: legal review] — the structure below is in place; the language must be reviewed and signed off by counsel before it is treated as binding.

Security Posture

Carcosa builds for the most regulated environments on earth. The Hyperion platform is designed for on-prem, edge, and air-gapped deployment, and inherits the customer's existing security controls. This page documents our public-facing posture — deployment controls are documented separately under NDA.

Compliance Roadmap

  • SOC 2 Type II — in scoping
  • FedRAMP High — planned
  • IL5 (DoD Impact Level 5) — planned
  • FIPS 140-3 cryptographic module use throughout the runtime

Data Handling

Customer data never leaves the customer's perimeter. The marketing site collects only the form data described in our Privacy Policy.

Vulnerability Disclosure

Found a security issue? Email security@carcosaai.com. Please do not publicly disclose the issue until we have had a reasonable opportunity to address it. We commit to acknowledging valid reports within five business days.

Subprocessors

For the marketing site only: Cloudflare (hosting / CDN) and Resend (transactional email). The Hyperion platform has no public subprocessors — it runs inside the customer's perimeter.