Don't trust us. Verify us.
How we protect your data, prove the integrity of every governance decision, and let you check that proof yourself — without asking us, and without trusting our infrastructure.
What we prove — and how you check it yourself
Every critical governance decision is hashed, batched into a Merkle tree, and anchored on a public blockchain. You can re-derive the proof independently.
1 · Hash
Each governance decision is hashed (SHA-256) the moment it is recorded. The hash covers the decision and its context — change one byte and the hash no longer matches.
2 · Merkle batch
Hashes are combined into a Merkle tree. A single compact root commits to thousands of decisions at once, and any one decision can be proven to belong to that root.
3 · On-chain anchor
The Merkle root is written to the Flare blockchain. Neither we nor anyone else can alter it afterwards — the anchor is public and permanent.
Why blockchain?
Write-once storage (WORM) proves to the operator that records were not tampered with. Blockchain attestation goes one step further: it makes proofs third-party-verifiable, so an auditor or regulator can confirm a decision without trusting us — or our infrastructure.
It is "and", not "or": WORM as a pluggable attestation anchor, for customers whose policies require it, is on the roadmap. Planned
You don't have to route your traffic through us
Three ways to bring governance to your AI — chosen per system. Only one of them sits in your request path.
Gateway enforcement
Real-time: traffic passes through the gateway, policies are enforced inline, and every call is logged. Use it where you want blocking, not just observation.
Governance control plane
Platform-native agents (Salesforce, Copilot, ServiceNow) that cannot be proxied send events to Palveron without rerouting their traffic. Governance and evidence, without sitting in the path.
Browser Guard
Server-sideGoverns AI usage in the browser with no proxy in front of it. PII masking runs server-side — we say so plainly; if you need processing inside your own perimeter, self-host the gateway.
The platform that transports your traffic and runs your agents cannot, at the same time, independently attest to what they did.
That is why Palveron sits alongside your network and CDN, not instead of them. Keep Cloudflare in front — Palveron adds the independent, third-party-verifiable record of what your AI actually did. Complementary, not competing.
How your data is protected
Encryption at every layer, an audit trail that cannot be rewritten, and strict tenant isolation.
Immutable audit trail
Audit records are append-only, enforced by database triggers — no update, no delete. Who did what is enforced by a database foreign key: every audit row resolves to a real, canonical user identity.
Tenant isolation
Multi-tenancy is enforced at the database level via Organization and Project binding. Every query is scoped to the authenticated project; no cross-tenant access is possible.
Role-based access
A five-role model (Platform Admin, Owner, Admin, Editor, Viewer). Dashboard-only surfaces reject machine keys; data endpoints accept scoped API keys.
Browser Guard data flow
Server-sideThe Browser Guard sends captured activity to the gateway, where PII detection and masking run server-side before anything is stored. We never claim on-device masking — if that is a requirement, self-host the gateway so the flow stays inside your perimeter.
Compliance readiness
Readiness tracking, controls mapping, and evidence export across the frameworks below.
Not yet certified — and we will say so
PlannedPalveron maps to these frameworks and produces audit evidence, but we are not currently SOC 2 or ISO 27001 certified. Those certifications are planned. We would rather tell you that than imply a badge we have not earned.
Read the compliance documentationWhere your data lives
Customer data is stored in the EU (Hetzner, Germany). Below is every sub-processor that touches it.
Payment data is processed by Stripe only after you actively start a checkout, on Stripe's hosted page — no Stripe scripts run on palveron.com. Cloudflare acts as a TLS-terminating proxy in front of the platform. Provider names link to each sub-processor's DPA where a public one exists.
Deployment options
Run Palveron the way your risk model demands.
SaaS (EU)
Fully managed in the EU. Contractual uptime targets of 99.5% (Business) and 99.9% (Enterprise).
Self-hosted
Guided setupDocker, Helm, and Kubernetes manifests ship today. Fresh installs are currently a guided setup for design partners — we will not pretend it is a one-command install yet.
Air-gapped & BYOK
PlannedFully air-gapped deployment and bring-your-own-key encryption are on the roadmap. Talk to us if this gates a contract.
Responsible disclosure
Found a security issue? Report it to us privately. We acknowledge every report within two business days and keep you posted as we investigate. Please do not disclose publicly until we have had a chance to fix it.
[email protected]