Data Sovereignty Architecture
Client Website (Beacon)
│
├─ Behavioral signals (NO PII) ──► HiveSilo (Vercel)
│ │ │
│ ├─ Trilayer Scoring ├─ 110 ML Features
│ ├─ Bot Detection (22 signals) ├─ Ad Platform Sync
│ └─ Device Fingerprint (sdi_v2) └─ CRM Trigger API
│
└─ Form PII (name, email, phone) ──► Tenant CVM (TEE) DIRECTLY
│
┌────┴────┐
│ Intel │
│ TDX │
│ TEE │
│ │
│ Postgres │◄── PII stored here ONLY
│ Redis │
│ Portal │──► Client CRM (direct)
└─────────┘
│
HiveSilo has ZERO access
to CVM memory or database
What Data Goes Where
| Data Type | Location | HiveSilo Can Read? | Encryption |
|---|---|---|---|
| Page views, scroll, dwell, clicks | Neon DB (Vercel) | Yes — behavioral only, no PII | TLS 1.3 in transit |
| Device fingerprint (sdi_v2) | Neon DB | Yes — hardware hash, not identity | Tenant-salted SHA-256 |
| Ghost Score (0-5000) | Neon DB | Yes — anonymous score | N/A (not PII) |
| Bot detection signals | Neon DB + Redis | Yes — used for ad spend protection | N/A (not PII) |
| Name, email, phone | CVM TEE ONLY | NO — zero access | AES-256-GCM (BYOK supported) |
| Form submission content | CVM TEE ONLY | NO — zero access | AES-256-GCM |
| CRM credentials | CVM TEE ONLY | NO — zero access | Environment-injected at deploy |
Downloadable Evidence
🔒
Security Whitepaper
Complete technical architecture, encryption, TEE isolation, BYOK, key management
PDF — Request via [email protected]📋
Data Protection Impact Assessment
GDPR Art. 35 DPIA: legal basis, proportionality, technical safeguards, Apple ITP analysis
PDF — Request via [email protected]✅
Compliance Matrix
GDPR, CCPA, ePrivacy, HIPAA (inherited), SOC 2 Type I — checkbox format
PDF — Request via [email protected]🌐
Subprocessor List
All third-party services: Vercel, Neon, Upstash, TEE Cloud, RedPill, Better Stack — with regions
PDF — Request via [email protected]📝
Data Processing Agreement
Standard DPA template for GDPR compliance — ready for dual signature
PDF — Request via [email protected]🛡
Penetration Test Summary
PwC code audit (scheduled April 2026) — available upon completion
PDF — Request via [email protected]Live Verification
TEE Attestation API
Your security team can independently verify CVM integrity at any time:
curl -s https://{your-cvm-endpoint}/api/attestation | jq .Returns: TEE status, encryption key fingerprint, database health, data sovereignty proof, HMAC signature.
Independent Verification Checklist
✓ Clone repository and run 900+ tests:
pnpm test✓ Verify zero console.log:
grep -rn console.log apps/✓ Verify PII exclusion in CVM sync:
grep "NOT selected" cvm-sync/route.ts✓ Verify tenant salting:
grep tenantId compute-stable-device-id.ts✓ Verify SBOM:
pnpm audit --prod✓ Verify CVM heartbeat:
curl /api/heartbeatPrivacy Center
Every tenant CVM includes a self-service privacy portal for website visitors:
✓ Data Subject Access Request (DSAR) — view what data is collected
✓ Right to be Forgotten (RTBF) — one-click data deletion
✓ Consent management — update preferences
✓ Runs inside CVM TEE — PII displayed only within hardware vault
Security Governance
Access Control (RBAC)
| Role | Read | Write | Settings | Delete |
|---|---|---|---|---|
| Admin | ✓ | ✓ | ✓ | ✓ |
| Analyst | ✓ | ✓ | ✗ | ✗ |
| Viewer | ✓ | ✗ | ✗ | ✗ |
Encryption Standards
At Rest: AES-256-GCM (BYOK / CMK supported)
In Transit: TLS 1.3 (all endpoints)
In Processing: Intel TDX TEE hardware encryption
Key Management: Env var (default), AWS KMS, Azure Key Vault, GCP KMS
Key Rotation: Supported with zero-downtime re-encryption
Authentication
SSO: Okta, Azure AD, Google Workspace (OIDC)
SCIM: Auto-provisioning from identity providers
Passwords: Scrypt (64-byte key), SHA-256 session tokens
WebAuthn: FIDO2 passkey support for portal enrollment
Backup & Recovery
Neon DB: Automatic PITR — RPO near-zero, RTO < 5 min
CVM Postgres: pg_dump every 6h — RPO 6h, RTO ~10 min
DR Test: 10/10 pass, 164-second recovery, zero data loss verified
Vercel Apps: Git-based (stateless) — RTO ~30 sec
Audit Trail
Every action in HiveSilo is logged in an append-only audit trail. Events are never deleted.
CRM_PUSH_SUCCESS tenant=powder-peak provider=FUB latency=234ms leadId=fub_event
CREDENTIAL_VERIFIED tenant=powder-peak provider=SALESFORCE success=true
SSO_LOGIN [email protected] provider=okta
WRITE_MODE_CHANGED tenant=dunhams from=shadow to=live actor=admin-1
CRM_PULL_SUCCESS tenant=powder-peak direction=pull records=12
SHIELD_ALERT type=PRIVILEGE_ESCALATION severity=high auto_action=block
RBAC_CHANGE user=analyst-2 role=admin assigned_by=admin-1
Compliance Certifications
SOC 2 Type I
Inherited
Via TEE infrastructure partner
HIPAA
Inherited
Hardware-backed security guarantees
GDPR
Compliant
DPIA authored, consent flow, RTBF, DSAR
CCPA
Compliant
Opt-out supported, deletion on request
ePrivacy
Compliant
Consent banner, fingerprint disclosure
Intel TDX
Active
Full VM isolation, dual attestation
System Status
Questions?
For security inquiries, audit requests, or DPA execution:
[email protected]HiveSilo Inc. — Delaware C-Corporation — All rights reserved.