Novarch

SECURITY

How Novarch runs in your environment.

Novarch runs in two deployment shapes and writes a pinned, replayable record for every decision. The license is open with a clear commercial boundary. The posture roadmap below says what's done, what's in motion, and what's planned.

DEPLOYMENT

Two deployment shapes, one binary.

The agent SDK talks to a Novarch server over HTTP. That server is either run by us, or by you. The product surface is identical either way.

HOSTED

Run by us.

We operate a single-tenant Novarch server for you on shared infrastructure. You pick the region. We manage upgrades, monitoring, and on-call.

  • Single-tenant database per customer
  • Region-selectable (US, EU, more on request)
  • Encrypted in transit and at rest
  • Customer-scoped API keys

Where data lives: our cloud, in the region you select. The engine's model call goes to Anthropic in the same region.

SELF-HOSTED

Run by you.

Same binary deployed inside your VPC. It runs on your network, with your keys, inside your compliance perimeter, and we never see your data.

  • Container or bare-binary install
  • Your choice of model provider key
  • BYO database (Postgres or SQLite)
  • Egress to Anthropic only; no callbacks to us

Where data lives: entirely in your infrastructure. Suitable for regulated workloads that can't allow data exfiltration.

DATA FLOW

What crosses the network.

Each decision makes one outbound model call from the Novarch server. There are no telemetry callbacks, no background sync, and no vendor analytics.

YOUR AGENT

Acts

SDK captures action + reads + reasoning. Sends to Novarch server.

NOVARCH SERVER

Routes.

In your VPC or ours. Persists to database. Invokes the engine.

NOVARCH ENGINE

Decides

Applies your rules to the session. One pinned-model call to Anthropic, temperature zero. Returns verdict + cited evidence.

OPERATOR + AUDIT

Records.

Operator triage in browser. Decision record pinned and stored.

Egress endpoints (self-hosted): api.anthropic.com only.
What the engine receives: action payload, signal values, agent's captured reasoning, prior actions in the same session, active rule text. What is not sent: credentials, environment variables, model provider keys, customer PII outside the action payload itself.

LICENSE

PolyForm Shield 1.0.0.

Open core and source-available. Commercial use requires a license from Novarch. Customers can read the code, audit it, and deploy it inside their VPC. A third party can't repackage it and sell enforcement for AI agents as a competing service.

What this means in practice.

You can read every line of source, deploy it in your own infrastructure, modify it for your own use, and write your own rules and signals against it.

What you can't do without a commercial license: stand up a competing managed Novarch service and sell it.

SPDX
PolyForm-Shield-1.0.0
FULL TEXT
polyformproject.org/licenses/shield/1.0.0
COMMERCIAL TERMS
Schedule a call with the founders

POSTURE ROADMAP

What's done. What's in motion. What's planned.

We're pre-MVP and won't claim a compliance posture we haven't earned, so the table below is honest about where we are. If a row matters to your evaluation, ask us on a call. We'd rather walk you through where we actually are than overstate it here.

DONE Encryption in transit TLS 1.3 for all hosted endpoints. Customer-managed for self-hosted.
DONE Encryption at rest AES-256, cloud-provider managed keys (hosted). Customer keys (self-hosted).
DONE Model pinning & replay Every decision pins to a model SHA. Same inputs replay to the same verdict.
DONE Self-hosted in customer VPC Single binary install. Data never leaves the customer perimeter.
IN MOTION SOC 2 Type II Type I audit window opens with first paying design partner. TARGET: 2026 H2
IN MOTION GDPR / DPA-readiness DPA template under counsel review. EU-region hosting ready.
IN MOTION SSO (SAML / OIDC) Operator triage and admin console. TARGET: v0.2
PLANNED SOC 2 Type II completion Follows Type I + observation window.
PLANNED ISO 27001 Customer-driven; we'll start the work when a contracted customer needs it.
PLANNED FedRAMP Out of scope until a public-sector customer signs a contract.

AUDIT & REPLAY

What every decision pins.

The audit document is rendered from database rows, not written by an LLM. Same inputs against the same model produce the same verdict. The schema below is what your forensic toolchain consumes.

PINNED FIELDS

Per decision.

decision_id · rule_id · rule_version · model_provider · model_sha · prompt_template_version · signal_snapshot · operator_id · decided_at

RETENTION

Customer-controlled.

Hosted: 7 years default; configurable per customer. Self-hosted: your call. Both shapes support immutable export.

EXPORT

Open schema.

JSON or NDJSON over the audit API. SQL-direct read in self-hosted. Schema documented in /docs/audit-schema.

Have a specific security question?

If a row above matters for your evaluation, ask us directly. We'd rather walk you through where we are than have you guess from a marketing page.

Talk to founders