Trust & Security

Pre-answered for your vendor security review.

The ten questions every CISO asks before buying a SaaS, answered in plain English. No lawyers, no vendor-speak, no “please contact sales for the SOC 2 report.” If you have an eleventh question, open a contact request at the bottom of this page and the answer will be added here within 48 hours.

Founder: Lindsay Hiebert · Deep domain expertise in AI, cybersecurity, and operational security · PIGENAI LLC · Last updated: April 15, 2026

Question 01 / 11

Where is customer data stored, and who has access to it?

SanctumShield is a stateless serverless application on Vercel. The form data you type into the dashboard (company profile, selected AI tools, pasted log hostnames) is sent to a Vercel edge function, used to generate your Executive Risk Report and AI Acceptable Use Policy, returned to your browser, and discarded.

We do not operate a customer database today. No long-term storage of your profile, your log data, or your generated documents. Your Stripe customer record exists inside Stripe (never in our systems) and contains email + billing info only.

Access to the operational environment (Vercel dashboard, Stripe dashboard, Resend dashboard, Google Cloud Console) is held by one person — the founder — and protected by hardware-key 2FA. No contractors, no offshore dev team, no support staff.

Question 02 / 11

Is data encrypted in transit and at rest?

In transit: yes, always. TLS 1.3 end-to-end between your browser and our API routes (Vercel edge + Let's Encrypt SSL + Cloudflare Universal SSL). The Stripe checkout page is served from Stripe's PCI-DSS Level 1 environment.

At rest: minimal and metadata-only. Customer inputs (your assessment answers, selected AI tools, pasted log hostnames) are not persisted to disk. The one exception is report verification metadata: when an audit or AUP is generated we store a small record containing the report’s identifier, generation date, AI model version, and (if you provided it) your company name — stored in Vercel KV, retained for five years. This is what enables your cyber insurance underwriter or external auditor to confirm that any downloaded report bearing a SanctumShield verification URL is genuine. Report contents, log data, and assessment inputs are never persisted.

Question 03 / 11

Do you train AI models on my inputs? What does Google Gemini do with the data I submit?

We do not train any AI model on your data. SanctumShield does not fine-tune, does not operate a model training pipeline, and does not sell or share your inputs with third parties.

The actual inference runs on Google Gemini 3 via the @ai-sdk/google provider on the paid tier, billed through the Google AI Studio API on standard commercial terms. Per Google's Gemini API Additional Terms of Service, paid-tier API calls are not used to improve Google's products or train Google models. We pay for the paid tier specifically so your inputs stay out of Google's training corpus.

If this matters to your legal team, request a copy of the Google Cloud DPA and SOC 2 report directly from your Google Cloud account team — Google publishes both.

Question 04 / 11

Who are your sub-processors?

Every vendor in our stack is a sub-processor. The complete list:

  • Vercel — application hosting and edge compute (SOC 2 Type II, ISO 27001)
  • Google AI Studio / Google Cloud — Gemini 3 inference (SOC 1/2/3, ISO 27001, HIPAA BAA available)
  • Stripe — payment processing and subscription billing (PCI-DSS Level 1, SOC 1/2)
  • Resend — transactional email for the contact form (SOC 2)
  • Cloudflare — DNS, SSL, DDoS protection (SOC 2, ISO 27001)
  • Upstash — Redis-backed key-value store (provisioned through Vercel KV) for report verification metadata only; stores no report contents, no inputs, no PII (SOC 2 Type II)
  • GoDaddy — domain registrar only (no data access)

We don't use Segment, Mixpanel, FullStory, HubSpot, or any other third-party analytics / session-replay / CRM product. No marketing pixels. No ad retargeting.

Question 05 / 11

What is your incident response process? What happens if you're breached?

The founder is on-call 24/7. There is no separate security team to page — incidents route directly to the inbox of the founder, Lindsay Hiebert, whose deep domain expertise spans AI, cybersecurity, and operational security across fifteen years at Cisco and Intel Enterprise AI. That inbox is actively monitored. No ticket queue, no SDR, no triage layer.

To report a security concern or an incident, use the contact form below — your message is delivered to the founder’s inbox within seconds, with a four-hour acknowledgment commitment during business hours.

Response commitment:

  • Acknowledgment to affected customers within 4 hours of detection
  • Preliminary written disclosure within 24 hours including scope, impacted data category, and containment status
  • Post-incident review and root-cause writeup within 7 days
  • Regulatory notification (HIPAA, GDPR, state breach laws) within the statutorily required windows when applicable

Because SanctumShield does not retain customer data at rest, the realistic incident surface is limited to (a) a compromise of the Vercel deployment or (b) a compromise of the Google Gemini inference layer. Both are covered by the respective vendors' own SOC 2-audited incident response programs.

Question 06 / 11

What is your continuity plan if Lindsay becomes unavailable?

A common enterprise-review red flag for solo-founder SaaS is the bus-factor question. SanctumShield’s honest answer:

  • Operating entity continuity. SanctumShield is operated by PIGENAI LLC, a Missouri limited liability company with a documented operating agreement that includes a designated successor and a credential-escrow procedure.
  • Infrastructure under company accounts. Production infrastructure (Vercel, Cloudflare, Stripe, Resend, Upstash, Google Cloud / Gemini API, GoDaddy) is provisioned under PIGENAI accounts, not personal accounts. Recovery options are configured for each provider that supports them.
  • Customer artifact portability. Every generated deliverable (Executive Risk Report, AUP, Board Memo) is downloadable as Word, Markdown, plain text, and HTML at the moment of generation. Customers retain full copies regardless of service availability — there is no customer data trapped in SanctumShield infrastructure because, by design, SanctumShield does not retain customer data at rest.
  • Verification URL longevity. Verification records are stored in Vercel KV (Upstash) under PIGENAI’s own organization account with a 5-year TTL — independent of any single individual’s availability.
  • Named backup escalation contact. A named CISSP-credentialed backup escalation contact and the full succession plan are available to enterprise reviewers under NDA. Request via the contact form.

Founder-direct support is positioned as a feature (small-team accountability, no SDR layer, four-hour ack commitment) rather than a single point of failure. The continuity plan above closes the residual bus-factor risk for enterprise reviewers who need to document it.

Question 07 / 11

How do I verify the founder's credentials independently?

Lindsay Hiebert holds the CISSP credential from (ISC)², certificate number 539218, valid August 1, 2024 through July 31, 2027. The certification is independently verifiable via the badge issued by Credly.

The CISSP is held by fewer than 3 in 10,000 individuals in the United States and is the recognized professional standard for information-security leadership. We surface the cert number and third-party verification URL specifically because the only way to make a credential meaningful is to make it independently checkable.

Question 08 / 11

What's your uptime SLA, and what happens if I can't access the app?

SanctumShield runs on Vercel's global edge network, which has a documented 99.99% uptime SLA at the platform level. Gemini 3 has a separate SLA with Google Cloud.

At $99/month we do not offer a contractual uptime SLA with credits — that's an honest tradeoff of the price point. What we commit to:

  • Incident acknowledgment within 4 hours (see above)
  • Month-to-month cancellation with no fee — if you can't use the product in any given month, cancel and rejoin later
  • All generated deliverables (Word, Markdown, HTML, text) are yours to keep forever, even if the service is unavailable or you cancel

Enterprise-style SLAs with credits are available on request for multi-seat annual agreements — open a contact request via the form at the bottom of this page.

Question 09 / 11

What's your refund and cancellation policy?

Subscription terms (effective at every checkout, every cancellation, and every renewal):

  • SanctumShield is $99/month, month-to-month. Stripe charges your payment method immediately when you subscribe — there is no free trial of the paid product. (The free Shadow AI Risk Calculator at sanctumshield.com/calculator — 12 questions, instant departmental risk score, no account, no email, no credit card — is permanently free and unrelated to the paid subscription. The regulation-anchored artifacts described below — Executive Risk Report, AI Acceptable Use Policy, Board Memo with verification URLs — require the paid subscription.)
  • Cancel anytime through the in-app Manage Subscription button (which opens your Stripe-hosted Customer Portal) or directly in Stripe. The Customer Portal cancellation displays the exact date your access ends (e.g., “Cancels Jun 7”).
  • Cancellation stops future billing immediately. You retain access through the end of your current paid billing period — typically up to 30 days from your last charge.
  • The current billing period is non-refundable. You paid for a full month of access; you receive a full month of access. This applies whether you cancel on day 1 or day 30 of the billing cycle.
  • You keep all artifacts forever. Every Executive Risk Report, AI Acceptable Use Policy, Board Memo, and download (Word, Markdown, HTML, plain text) you generated during your paid period is yours to keep, archive, share with counsel, attach to your audit packet, or hand to your cyber insurance broker. SanctumShield does not store the rendered artifacts server-side; they live with you.
  • Why this policy exists: the value SanctumShield delivers is the regulation-anchored artifact — and you receive that artifact within 10 minutes of subscribing, before the first day of your billing cycle is complete. Refunding the current period after delivery would create the “subscribe, generate, refund-and-walk” arbitrage that breaks every honest mid-market SaaS. Our artifacts are portable enough that the keep-forever guarantee above is the substantive customer protection.
  • Edge cases handled by founder discretion. If you experience a legitimate billing error — duplicate charge, inability to access the dashboard for technical reasons, wrong-email checkout, or any case where the no-refund-for-current-period default produces an unjust outcome — open a billing-issue request via the form below. The founder reviews these directly and resolves case-by-case; most legitimate billing errors are refunded within one business day. The no-refund default protects honest customers from gaming-driven cost increases; the founder-discretion path protects honest customers from edge cases the default doesn’t anticipate.

This policy is also disclosed at the bottom of every page on the site (footer), on the home pricing card, in the welcome email sent immediately after subscription, and is visible inside the Stripe Customer Portal at all times.

Question 10 / 11

Do you carry cyber liability insurance? Can you sign our MSA?

Cyber liability insurance: in progress. At current scale (pre-revenue launch, solo founder, stateless architecture, no PHI/PII retention), our broker is placing a $1M cyber + E&O policy through Coalition / At-Bay. This will be in force before the first enterprise signature.

Contracts: we will sign reasonable MSAs and DPAs for mid-market buyers. We will push back on: unlimited liability, ISO 27001 certification as a gate, on-premise deployment requirements, requirements to store data in a specific customer-controlled region, and source-code escrow clauses.

For healthcare customers: a HIPAA BAA is signable on request, with the caveat that because we do not retain ePHI, our Business Associate exposure is functionally limited.

Question 11 / 11

How do you govern your own AI? You sell AI governance — what's your dogfooding story?

Fair question. Every answer on this page applies to SanctumShield itself:

  • AI inventory — the two models we use (Gemini 3 Pro for policy, Gemini 3 Flash for audit) are listed in the "sub-processors" section above. We don't run any other LLM in production.
  • Paid tier only — we pay the Google paid tier specifically so prompts aren't used for training. Non-negotiable.
  • Prompt review — the prompts we use to generate your AUP and Risk Report are reviewed against the internal policy-governance spec in docs/SanctumShield_Policy_Governance.md and anchored to real regulatory citations. No hallucinated regulations. Every clause citation is a real clause your counsel can verify.
  • Output auditability — your generated documents are deterministic for a given input + prompt + model version. We log the model version inside the generation pipeline (though, per customer request, it is not displayed on your deliverable by default).
  • Our own AUP — the first policy we generated with SanctumShield was SanctumShield's own internal AI Acceptable Use Policy. It's on file. Happy to share it on request.

Still have a question your security team needs answered?

Send a SIG Lite, a CAIQ, a custom spreadsheet, an incident disclosure, an MSA or DPA request, or a single plain-English question. Turnaround is one business day. You talk directly to Lindsay Hiebert — the founder — who built the product and who answers your question personally. No SDR, no gatekeeping, no ticket queue.
