AI-native identity security. Built to scale, priced to match.

Tenants are isolated by decryption boundaries; internet-facing API services cannot decrypt customer data. Applies to every customer.

Hosted in AWS US-West-2 + US-East-2 with cross-region replication and continuous DynamoDB backups. Applies to every customer.

Engineers do not have remote access to production. EKS Managed Node Groups eliminate workstation paths to prod. Applies to every customer.

EU-region hosting for customers with data residency requirements. Talk to an architect to be on the early-access list.

FedRAMP Moderate authorization in the US Federal hosting environment, for public-sector and regulated commercial workloads. Talk to an architect to be on the early-access list.

All customer traffic over TLS 1.2 or greater; internal service-to-service traffic uses mutual TLS. Applies to every customer.

Objects encrypted at rest in AWS DynamoDB. API keys and secrets are double-encrypted with AWS KMS symmetric keys before storage. Applies to every customer.

Every connector defines minimum scopes. Customers control connector tokens; rotate or revoke from your IdP at any time. Applies to every customer.

Customer data is never used to train foundation models. AI features run on customer-scoped context with documented retention. Applies to every customer.

Bring your own KMS keys; rotate, revoke, and audit independently.

Federated authentication via your IdP. Included on every plan with no SSO tax.

Native pull from Active Directory, Okta, Entra ID, HRIS systems, and SCIM endpoints. Lifecycle events from any source, normalized.

Enforce MFA at the IdP for federated users; native MFA for non-federated admins. Available on every plan.

Export to S3 in OCSF format, plus other common SIEM providers. Available on every plan.

Restrict admin access to allowlisted IP ranges. Available on every plan.

Dedicated customer success manager. Strategic CSM on Mission Critical.

30-minute response on Enterprise · 15-minute on Mission Critical.

Financial credits for missed SLAs on Enterprise and Mission Critical.

Public security contact, responsible disclosure policy, and an internal triage cadence. Applies to every customer.

Documented disaster-recovery runs and third-party penetration tests on a yearly cadence. Applies to every customer.

Private Offers for 1+ year committed-spend agreements on Business and Enterprise. Lets you draw down AWS committed spend (EDP) against your C1 contract.

Procurement-friendly invoicing on annual and multi-year contracts.

Standard process; we work directly with your legal and procurement teams.

Custom C1 Token weights for non-standard workloads, volume floors, or bundled outcomes.