Trust & Security
We hold ourselves to the doctrine we sell
Trust must be continuous, observed, and enforced — not assumed. That sentence is SAUTERA's product thesis, and it is also how we run our own infrastructure. Here is what that means in practice.
The model
Identity Trust × Infrastructure Trust
Zero Trust governs who may access. SAUTERA governs whether the environment is fit for use. The Complete Trust Decision is the product of both — evaluated on every request, never once at the door.
[ Identity Trust · Zero Trust / NIST SP 800-207 ] × [ Infrastructure Trust · SAUTERA ITA ] = [ Complete Trust Decision ]
The framework
ITA and ITCM
The Augustine Infrastructure Trust Framework gives the platform its rigor.
ITA — Infrastructure Trust Architecture
The framework: the trust lifecycle, the scoring engines, the data path, enforcement, and governance. It defines how a raw device signal becomes an enforceable, signed trust assertion.
ITCM — Infrastructure Trust Continuous Monitoring model
The continuous-monitoring model: how the trust decision is kept current as systems, identities, and risk change — and kept honest about coverage, where insufficient data reads as Unknown rather than a confident guess.
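To make the model concrete, here is an added illustration of how the two factors described above combine on a single request. This is editorial example code, not SAUTERA's engine or API: the identity verdict is taken as an input from a Zero Trust policy point, the infrastructure side is represented by a signed assertion carrying a band, and any assertion that is missing, stale, or fails signature verification collapses to Unknown and is denied rather than guessed. The "Healthy" band is named on the page; the "Degraded" band, the assertion shape, and the five-minute freshness window are assumptions.

```python
"""
Added illustration (not SAUTERA's code): Identity Trust x Infrastructure Trust
evaluated per request, with coverage-honest handling of missing or stale data.
Assumed: the InfraAssertion shape, the Degraded band, and MAX_SIGNAL_AGE_S.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class Band(Enum):
    HEALTHY = "Healthy"    # band named on the page as the go-live gate
    DEGRADED = "Degraded"  # assumed intermediate band, below Healthy
    UNKNOWN = "Unknown"    # insufficient, stale, or unverifiable data


MAX_SIGNAL_AGE_S = 300  # assumed freshness window for an infrastructure signal


@dataclass(frozen=True)
class InfraAssertion:
    """A signed trust assertion from a scoring engine (shape is an assumption)."""
    band: Band
    issued_at: float        # epoch seconds when the assertion was produced
    signature_valid: bool   # outcome of verifying the assertion's signature


def effective_band(assertion: Optional[InfraAssertion], now: float) -> Band:
    """Coverage-honest band: anything we cannot vouch for reads as Unknown.

    A missing assertion, a failed signature check, or a signal older than the
    freshness window all yield Unknown instead of carrying the last known band
    forward as if it were still true.
    """
    if assertion is None or not assertion.signature_valid:
        return Band.UNKNOWN
    if now - assertion.issued_at > MAX_SIGNAL_AGE_S:
        return Band.UNKNOWN
    return assertion.band


def complete_trust_decision(identity_allowed: bool,
                            assertion: Optional[InfraAssertion],
                            now: float) -> tuple[bool, str]:
    """Product of both factors for one request: both must hold.

    identity_allowed is the verdict from the Zero Trust policy point (who may
    access). The infrastructure band decides whether the environment is fit
    for use. Unknown is a denial, not a pass. Returns (allow, reason).
    """
    if not identity_allowed:
        return False, "identity: denied by zero-trust policy"
    band = effective_band(assertion, now)
    if band is Band.HEALTHY:
        return True, "identity ok; infrastructure Healthy"
    if band is Band.UNKNOWN:
        return False, "infrastructure: insufficient or stale data (Unknown)"
    return False, f"infrastructure: band {band.value} below Healthy"


if __name__ == "__main__":
    # Constructed walk-through: the same session evaluated on successive
    # requests as the infrastructure signal ages past the freshness window.
    signal = InfraAssertion(Band.HEALTHY, issued_at=1000.0, signature_valid=True)
    for t in (1010.0, 1200.0, 1400.0):
        print(t, complete_trust_decision(True, signal, now=t))
```

Re-evaluating on every request is what makes the decision continuous: in the walk-through the same signed assertion allows the first two requests and is denied on the third, once the signal is older than the window, without anyone revoking anything.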
Our posture
Four commitments, on our own infrastructure
A customer-facing SaaS control plane is internet-reachable by definition. The goal isn't an unbreakable portal — it's a bounded, provable one.
Defense in depth
Every request crosses many independent controls — edge, network, identity, tenant scope, endpoint. No single control is load-bearing.
Assume breach
We design as if an attacker is already inside one layer, then ask: what is the blast radius? The answer must be bounded — one tenant, one short-lived credential, one surface.
Blast-radius containment
Isolation tiers, least-privilege IAM, per-tenant keys, and short-lived sessions make a breach small and recoverable instead of catastrophic.
Provable trust
We don't just assert the portal is trustworthy — we measure it, continuously, with the same engine we sell.
SAUTERA on SAUTERA
The portal doesn't go live until its own trust score is Healthy.
We run our own Infrastructure Scoring Index against the infrastructure that hosts the product, and we gate go-live on it being in the Healthy band — then we watch it continuously. If we asked you to trust a score we didn't apply to ourselves, it would be marketing. Because we do, it's evidence.
The meta-proof
This website is isolated from our portal — on purpose
The page you're reading is a static build served from the edge. It shares no VPC, no security group, no database, no IAM role with the authenticated product.
What that means
- No network path from marketing into the portal — only a DNS hyperlink to app.sautera.com.
- No secrets, no customer data, and no authentication on this surface.
- It sits outside the FedRAMP / Sovereign authorization boundary, so marketing never dilutes the portal's audit scope.
Why we bother
Blast-radius containment is the doctrine we sell. The cleanest way to prove we mean it is to apply it to our own front door: a brochure site should not be a path into a regulated control plane, so ours isn't. The boundary you'd expect us to recommend is the boundary we shipped.
Want the architecture detail?
We'll walk your security team through the ITA/ITCM model, the boundary, and how the Complete Trust Decision is computed on every request.