Single-tenant by default. Self-hostable when you need to keep data on your own ground. Every action — agent, human, or workflow — leaves a signed audit trail.
Every customer gets a dedicated VPC, dedicated database, dedicated compute. There is no shared multi-tenant runtime. A bug in another tenant's workflow can't reach your data because their workflow doesn't run on your servers.
Connector credentials live in AWS Secrets Manager, referenced by ARN. Workflow JSON only contains references — never values. Engineers building workflows don't see — and can't accidentally commit — production secrets.
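The reference-only rule above is easy to state and easy to break by hand-editing a workflow file. Below is an added example (not Nexus code) of the two sides of that rule: a pre-commit check that rejects a workflow document carrying a literal secret or a malformed reference, and a runtime resolver that swaps ARN references for values only when injected with a fetcher. The workflow JSON shape, the sensitive key names and the `secretArn` field name are assumptions; the fetcher is a dict standing in for `boto3`'s `get_secret_value`.

```python
"""Keep secret values out of workflow JSON: validate references at commit
time, resolve them only at run time.

Added example, not Nexus code. Schema and key names are assumptions.
"""
import json
import re
from typing import Any, Callable

# AWS Secrets Manager ARN: arn:aws:secretsmanager:<region>:<account-id>:secret:<name>
SECRET_ARN_RE = re.compile(
    r"^arn:aws:secretsmanager:[a-z0-9-]+:\d{12}:secret:[A-Za-z0-9/_+=.@-]+$"
)

# Keys that must never hold a literal value in a committed workflow (assumed names).
SENSITIVE_KEYS = {"password", "token", "api_key", "apikey", "secret",
                  "client_secret", "private_key"}


def _walk(node: Any, path: str, problems: list[str]) -> None:
    if isinstance(node, dict):
        for key, value in node.items():
            child = f"{path}.{key}" if path else key
            if key == "secretArn":
                if not (isinstance(value, str) and SECRET_ARN_RE.match(value)):
                    problems.append(f"{child}: not a Secrets Manager ARN")
                continue
            if key.lower() in SENSITIVE_KEYS and not (
                isinstance(value, dict) and "secretArn" in value
            ):
                problems.append(f"{child}: inline secret value")
                continue
            _walk(value, child, problems)
    elif isinstance(node, list):
        for i, item in enumerate(node):
            _walk(item, f"{path}[{i}]", problems)


def find_inline_secrets(workflow: dict) -> list[str]:
    """Return JSON paths that carry a secret value or a malformed reference.

    An empty list means the document is safe to commit.
    """
    problems: list[str] = []
    _walk(workflow, "", problems)
    return problems


def resolve_references(workflow: dict, fetch: Callable[[str], str]) -> dict:
    """Return a runtime copy with every {"secretArn": ...} replaced by its value.

    `fetch` is injected so this module never talks to AWS itself; in
    production it would wrap boto3's get_secret_value. The input is untouched.
    """
    def substitute(node: Any) -> Any:
        if isinstance(node, dict):
            if set(node) == {"secretArn"}:
                return fetch(node["secretArn"])
            return {k: substitute(v) for k, v in node.items()}
        if isinstance(node, list):
            return [substitute(v) for v in node]
        return node
    return substitute(workflow)


# Constructed sample workflows (not real data).
JIRA_ARN = "arn:aws:secretsmanager:us-east-1:123456789012:secret:prod/jira-AbCdEf"
GOOD_WORKFLOW = {
    "name": "sync-tickets",
    "steps": [
        {"id": "fetch", "connector": "jira",
         "credential": {"api_key": {"secretArn": JIRA_ARN}}},
    ],
}
BAD_WORKFLOW = json.loads(json.dumps(GOOD_WORKFLOW))          # deep copy
BAD_WORKFLOW["steps"][0]["credential"]["api_key"] = "hunter2"  # literal leaked in
BAD_WORKFLOW["steps"].append({"id": "notify", "connector": "slack",
                              "credential": {"token": {"secretArn": "not-an-arn"}}})

# Stand-in for Secrets Manager: only the runtime ever sees these values.
FAKE_STORE = {JIRA_ARN: "sk-live-constructed-example"}


def demo() -> tuple[list[str], list[str], str]:
    good = find_inline_secrets(GOOD_WORKFLOW)
    bad = find_inline_secrets(BAD_WORKFLOW)
    resolved = resolve_references(GOOD_WORKFLOW, FAKE_STORE.__getitem__)
    return good, bad, resolved["steps"][0]["credential"]["api_key"]


if __name__ == "__main__":
    print(demo())
```

Run `find_inline_secrets` as a pre-commit hook or CI step on every workflow file; run `resolve_references` only inside the runtime, where the fetcher has IAM permission to read the referenced ARNs.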
Workflow runs are immutable. We record the workflow version, every step's inputs and outputs, who triggered it, and how long each step took. Run logs are retained for 7 years (configurable up to 10) and exportable to your SIEM via a streaming endpoint.
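"Immutable" and "signed" (from the opening line) only mean something if a reader of the exported log can check them. Below is an added example (not Nexus code) of one way to seal the per-step records the page lists: each entry is hash-chained to its predecessor and signed, so an edited output, a swapped step order, or a wrong key is caught at verification time. HMAC-SHA256 with a shared key is an assumption standing in for whatever signing scheme the product uses; the record fields and sample run are constructed.

```python
"""Tamper-evident run log: hash-chained, signed step records.

Added example, not Nexus code. HMAC-SHA256 with a shared key is an
assumption; the run below is constructed sample data.
"""
import hashlib
import hmac
import json
from typing import Any

GENESIS = "0" * 64   # "previous hash" of the first entry


def _canonical(obj: Any) -> bytes:
    # Stable serialisation (sorted keys, no whitespace) so hashes are reproducible.
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def append_step(log: list[dict], key: bytes, record: dict) -> list[dict]:
    """Return log plus one sealed entry; the list passed in is not modified."""
    prev = log[-1]["hash"] if log else GENESIS
    body = {"seq": len(log), "prev": prev, "record": record}
    digest = hashlib.sha256(_canonical(body)).hexdigest()
    sig = hmac.new(key, digest.encode(), hashlib.sha256).hexdigest()
    return log + [{**body, "hash": digest, "sig": sig}]


def verify(log: list[dict], key: bytes) -> tuple[bool, int]:
    """Return (True, len(log)) if intact, else (False, index of first bad entry)."""
    prev = GENESIS
    for i, entry in enumerate(log):
        body = {"seq": entry["seq"], "prev": entry["prev"], "record": entry["record"]}
        expected_hash = hashlib.sha256(_canonical(body)).hexdigest()
        expected_sig = hmac.new(key, expected_hash.encode(), hashlib.sha256).hexdigest()
        if (entry["seq"] != i or entry["prev"] != prev
                or entry["hash"] != expected_hash
                or not hmac.compare_digest(entry["sig"], expected_sig)):
            return False, i
        prev = entry["hash"]
    return True, len(log)


KEY = b"constructed-demo-key-not-for-production"


def build_sample_run() -> list[dict]:
    """Two steps of a constructed workflow run, fields as the page lists them."""
    log: list[dict] = []
    log = append_step(log, KEY, {"workflow": "sync-tickets", "version": 14,
                                 "step": "fetch", "triggered_by": "svc:nightly-sync",
                                 "inputs": {"project": "OPS"}, "outputs": {"count": 3},
                                 "duration_ms": 812})
    log = append_step(log, KEY, {"workflow": "sync-tickets", "version": 14,
                                 "step": "notify", "triggered_by": "svc:nightly-sync",
                                 "inputs": {"count": 3}, "outputs": {"ok": True},
                                 "duration_ms": 95})
    return log


def tampered_run() -> list[dict]:
    """Same run with one output edited after the fact."""
    log = json.loads(json.dumps(build_sample_run()))   # deep copy
    log[0]["record"]["outputs"]["count"] = 0
    return log


def reordered_run() -> list[dict]:
    """Same run with the two steps swapped."""
    log = build_sample_run()
    return [log[1], log[0]]


if __name__ == "__main__":
    print(verify(build_sample_run(), KEY), verify(tampered_run(), KEY),
          verify(reordered_run(), KEY), verify(build_sample_run(), b"wrong-key"))
```

One caveat the chain alone does not cover: silently dropping the newest entries leaves a valid prefix. A SIEM consuming the streaming export should therefore remember the last `seq` and `hash` it received and alarm if the next batch does not continue from them.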
SSO via SAML or OIDC out of the box — Okta, Entra, Auth0, Ping, Google Workspace. SCIM provisioning syncs groups; your groups become Nexus role bindings. Service accounts get short-lived JWTs scoped to specific workflows.
The runtime envelope is deliberately small: workflow data only ever passes through systems you've explicitly authorized.
We're transparent about which certifications are signed off and which are still in flight. If you need an artifact we don't have yet, talk to us; most enterprise gaps are bridged with controls evidence and a vendor questionnaire.
Both deployment models, hosted single-tenant and self-hosted, share the same engine and the same audit semantics. The differences are where the runtime lives and who runs the underlying AWS account.
We run a private bug bounty through HackerOne. If you've discovered a vulnerability, please don't post it publicly; email security@santeon.ai with reproduction steps. We acknowledge within one business day, confirm scope within five, and disclose with credit unless you'd rather stay anonymous.
Our PGP key is available at santeon.ai/.well-known/pgp.asc.
Procurement-ready packets are available under NDA; most NDAs are e-signed and returned the same week.