Security is the operating-cost floor, not a feature checklist
Three deployment shapes (managed cloud / customer VPC / air-gapped on-prem). BYOK encryption. Hash-chain audit trail. 8-framework regulatory mapping. Built for engineering-led mid-market IT teams that need to defend the AI estate at board, audit, and procurement review.
Audit-evidence emission is the operating-cost floor: if a workflow can't be instrumented for audit evidence, we won't take it on. Non-negotiable across phases.
The framework underneath
10-Layer Governance — the same framework we use internally and with every customer
The security capabilities below aren't ad-hoc features. They sit inside a 10-layer governance framework — Identity & Access, Audit Trail, Data Governance, Human Oversight, Model Governance, Tool Governance, Compliance, Cost Controls, Observability, and Incident Response — that JieGou uses to operate AI for paying customers and to assess every customer engagement. Same framework on both sides of the table.
Cyber underwriting readiness
Your cyber underwriter is starting to ask about AI.
Industry analysts and broker commentary now identify AI governance maturity as a stated underwriting factor in mid-market cyber renewals. Aon (2026): "Underwriting reviews are now sharply focused on control maturity, vendor dependencies, AI use, and privacy practices." Lockton (Dec 2025): "Underwriters are scrutinizing board and senior management oversight of AI governance."
We've published a free operator-grade brief mapping the 10-Layer framework to the six AI question categories appearing in 2026 mid-market submissions. Anchored on Marsh / Aon / Lockton / NYDFS citations. No vendor-specific premium-discount claims — operator-honest about what documented governance does and doesn't deliver.
SOC 2 Audit Status
SOC 2 Type II audit preparation in progress with Advantage Partners via Vanta. Continuous compliance monitoring active. Operator-honest about being mid-readiness rather than mid-renewal — early-stage lighthouse-era engagements include a documented SOC 2 timeline in the Phase 1 SOW.
Scheduling with certified vendor.
Readiness phase with Advantage Partners.
3–12 month period — starts after readiness confirmed.
Infrastructure Security
Three deployment shapes; same security posture in each
JieGou supports three deployment shapes (managed cloud, customer VPC, air-gapped on-prem) so the deployment fits your governance posture rather than the other way around. All shapes encrypt in transit with TLS 1.3 and at rest with AES-256-GCM. Penetration testing is conducted by certified vendors; results shared with customers under NDA.
- Managed cloud (AWS multi-region) · customer VPC · air-gapped on-prem
- TLS 1.3 for all traffic; AES-256-GCM at rest
- Network isolation via private subnets, security groups, mTLS between services
- Certified-vendor penetration testing; results shared with customers under NDA
Application Security
24,000+ tests. 99.18% coverage. Every night.
Our test suite runs over 24,000 automated tests with a 99.18% code coverage threshold. Nightly adversarial regression testing catches prompt-injection + data-exfiltration regressions before they reach production. Dependency vulnerability scanning runs on every commit and PR. Architecture documented at /reference-architecture (7-component decomposition, 10 named failure modes).
- 24,000+ automated tests; 99.18% code coverage threshold
- Nightly adversarial regression (prompt injection, data exfiltration, jailbreak)
- Dependency vulnerability scanning on every commit and PR
- Architecture published — see /reference-architecture for component-level detail
Data Security
Your keys, your data, your audit trail
Bring Your Own Key (BYOK) encryption keeps your LLM provider keys encrypted with AES-256-GCM using your own KMS / Secrets Manager. Data residency configurable per workflow (US / EU / APAC / private region). Automatic PII / PHI detection routes regulated fields through DLP before they reach any LLM. Audit trail is hash-chain-signed (HMAC) for SOX / FDA / EU AI Act evidentiary contexts; export to your SIEM (Splunk / Sentinel / syslog).
- BYOK with AES-256-GCM; provider keys in your KMS / Secrets Manager
- Per-workflow data residency (US / EU / APAC / private region)
- Automatic PII / PHI detection routes regulated fields through DLP
- Hash-chain-signed audit trail (HMAC) with SIEM export
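What an HMAC hash chain over an audit trail does and does not detect, as an added example (not JieGou's code; the record layout, field names, key and sample events are constructed for illustration). Each record's MAC covers the previous record's MAC, so edits and deletions inside the log break verification, while dropping the tail is caught only when the latest MAC is also stored outside the log.

```python
import copy
import hashlib
import hmac
import json

GENESIS = "0" * 64  # constructed anchor for the first record
SAMPLE_EVENTS = [  # constructed audit events, not real product output
    {"actor": "alice", "action": "workflow.run", "id": "wf-1"},
    {"actor": "alice", "action": "key.rotate", "id": "kms-1"},
    {"actor": "carol", "action": "export.siem", "id": "exp-1"},
]

def record_mac(key, prev, seq, event):
    # Canonical JSON so identical records always serialise to identical bytes.
    body = json.dumps({"seq": seq, "event": event}, sort_keys=True, separators=(",", ":"))
    return hmac.new(key, (prev + "|" + body).encode(), hashlib.sha256).hexdigest()

def append(log, key, event):
    """Append an event bound to the previous record's MAC; return the new head MAC."""
    prev = log[-1]["mac"] if log else GENESIS
    seq = len(log)
    log.append({"seq": seq, "event": event, "prev": prev,
                "mac": record_mac(key, prev, seq, event)})
    return log[-1]["mac"]

def verify(log, key, expected_head=None):
    """Return (ok, reason). expected_head is the latest MAC, stored outside the log."""
    prev = GENESIS
    for i, rec in enumerate(log):
        if rec["seq"] != i or rec["prev"] != prev:
            return False, f"chain broken at record {i}"
        if not hmac.compare_digest(rec["mac"], record_mac(key, prev, i, rec["event"])):
            return False, f"bad MAC at record {i}"
        prev = rec["mac"]
    if expected_head is not None and not hmac.compare_digest(prev, expected_head):
        return False, "head mismatch: log truncated or extended"
    return True, "ok"

def demo():
    key = b"constructed-demo-key"  # assumption: in practice the key lives in a KMS
    log = []
    for event in SAMPLE_EVENTS:
        head = append(log, key, event)
    edited = copy.deepcopy(log)
    edited[1]["event"]["actor"] = "mallory"  # in-place edit of a stored record
    return {"clean": verify(log, key, head), "edited": verify(edited, key, head),
            "dropped": verify(log[:1] + log[2:], key, head),
            "truncated": verify(log[:-1], key),
            "truncated_anchored": verify(log[:-1], key, head)}
```

The `truncated` case passes verification, which is why the head MAC needs to be shipped to a separate system (the SIEM export is one place for it) when evaluating any hash-chained audit trail.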
Compliance + Regulatory Mapping
Eight frameworks. One operating substrate.
Compliance posture is configured per-engagement under our 10-Layer Governance framework (published at /10-layer-assessment), not via single-toggle SaaS presets. The substrate maps onto SOC 2 Common Criteria (CC6 + CC7), HIPAA (BAA-eligible), SOX (hash-chain audit trail), GDPR (right-to-erasure + data-residency), EU AI Act (risk-tier + conformity-assessment), NIST AI RMF (govern + map + measure + manage), and ISO/IEC 42001 (AI Management System). FedRAMP-ready configuration available for government customers under the Reference Architecture air-gapped deployment.
- SOC 2 Common Criteria (CC6 Logical & Physical Access + CC7 System Operations)
- HIPAA-aligned workflows (BAA-eligible) + SOX hash-chain audit-trail integrity
- GDPR (right-to-erasure, data-residency) + EU AI Act risk-tier mapping
- NIST AI RMF + ISO/IEC 42001 + FedRAMP-ready air-gapped deployment
Vulnerability Disclosure
Responsible disclosure. Operator-transparent communication.
Security researchers can report vulnerabilities to security@jiegou.ai. We acknowledge within 48 hours, issue CVEs for confirmed vulnerabilities, and publish quarterly security reviews including any incidents + remediation timelines. Bug bounty available — see the responsible disclosure policy for scope + rewards.
- security@jiegou.ai for vulnerability reports
- 48-hour acknowledgment SLA
- CVE issuance for confirmed vulnerabilities; quarterly security review published
- Responsible disclosure policy + bug bounty scope
Industry Alert
Why self-hosted doesn't mean secure
The open-source automation platform n8n disclosed 21+ security vulnerabilities in February 2026 — including 7 critical (CVSS 9.4–10.0) and 4 independent remote code execution vectors. Most critically, CVE-2026-25049 bypasses a December 2025 sandbox fix within 3 months — proving the issues are architectural, not patchable. National cybersecurity agencies — Singapore CSA and Canadian CCCS — have issued formal advisories. Censys identified 26,512 exposed n8n instances on the public internet.
JieGou's substrate posture vs unmaintained self-hosted
Self-hosted unmaintained risks
- 3 independent RCE vectors (expression, SQL, task runner)
- Government advisories (Singapore CSA, Canadian CCCS)
- SSO bypass, SQL injection, webhook forgery
- No SOC 2 audit, basic RBAC, no audit-trail integrity
JieGou operating substrate
- Three deployment shapes (managed cloud / VPC / air-gapped on-prem)
- SOC 2 Type II preparation via Vanta; 17 compliance policies approved
- 6 roles, 20 granular permissions, SAML/OIDC, per-agent identity
- Hash-chain audit-trail integrity; GDPR data export/deletion; SIEM export
Data as of February 2026
Run the 10-Layer Assessment. Or schedule the discovery call.
10-Layer Assessment is the framework we use internally and with every customer — free to run, no sales-call condition. Discovery call is 30 min, no deck, no demo. Either path; honest either way.