Security & Trust

Security, Privacy & Trust Center

Last updated: June 21, 2026  ·  Sentinel CPO LLC

This page consolidates Sentinel CPO's security posture, vendor assessment information, privacy impact assessment, access controls documentation, and incident response policy. It is intended for Clients, corporate sponsors, and IT/InfoSec teams conducting vendor due diligence.

1. Security Overview

Sentinel CPO is an AI-powered executive performance intelligence platform. Clients submit behavioral and physiological data; the platform generates weekly intelligence briefings. The security architecture is designed around three principles: pseudonymity by default, minimal data retention, and sub-processor isolation.

Architecture Summary

Pseudonymous Architecture

Every Client is assigned a pseudonymous identifier (format: CPO-XXXX) at enrollment. All intelligence processing — AI inference, briefing generation, quality review — is conducted against this identifier only. The Client's real name, email address, and company affiliation are compartmentalized to authentication and billing records. They are never transmitted to AI inference endpoints, never included in briefing content, and never visible to any individual or system involved in intelligence production.

Even in the event of a compromise of AI provider infrastructure, the processed data would identify only a pseudonymous CPO number — not a person. This is a structural guarantee enforced at the data model level, not a policy.

Audio & Biometric Data

Voice session audio is processed in real-time by ElevenLabs and is not retained by Sentinel CPO or ElevenLabs after session close. Sentinel CPO stores only the structured performance metadata extracted at session end — not audio, not transcripts, not voice recordings. Biometric telemetry is retrieved from Oura Health's API in aggregated daily format and stored in encrypted form. Raw sensor data is never accessed.

2. Pre-Filled Vendor Security Questionnaire

This section provides pre-filled answers to the most common vendor security questionnaire (VSQ/SIG) categories. IT and InfoSec teams may use these responses to expedite internal vendor reviews. For questions not addressed here, contact security@sentinelcpo.com.

Company & Product

Legal entity nameSentinel CPO LLC
Jurisdiction of incorporationUnited States (Connecticut)
Product categoryAI-powered executive performance intelligence platform (SaaS)
Primary data categories processedWearable biometric telemetry (aggregated daily metrics); structured behavioral session metadata; AI-generated intelligence output; authentication credentials; billing/payment data
Personal data processed?Yes — name, email, billing address (billing/auth only); biometric data (intelligence processing, pseudonymized)
Sensitive data categoriesBiometric data (health-adjacent physiological metrics via Oura Ring). Processed under Biometric Privacy Policy and applicable state law. No medical, financial, or criminal data is processed.
Data subjectsBusiness executives and senior professionals (B2B and B2C)

Data Security

Data encrypted at rest?Yes — AES-256 (Supabase managed PostgreSQL and object storage)
Data encrypted in transit?Yes — TLS 1.2 minimum on all connections. No unencrypted data paths.
Data residencyUnited States (US East primary). No data stored in the EU. Oura biometric data is subject to Oura Health Oy's data residency (EU/US — governed by Oura's own Privacy Policy).
Database access controlsRow-Level Security (RLS) enforced at PostgreSQL layer on all tables. Client data is cryptographically scoped to authenticated user ID. Cannot be bypassed by application-layer logic.
Multi-tenant or single-tenant?Multi-tenant SaaS. Client data isolation is enforced via RLS at the database layer — not application-level filtering.
Authentication methodEmail/password with server-managed session tokens. Session tokens have defined expiry. Supabase Auth manages the authentication layer.
MFA supported?Available — Clients may enable TOTP-based MFA through account settings.
API key managementAll external service API keys (AI inference, voice processing, payment, email) are stored as server-side environment variables. Never transmitted to browser environments. Keys are scoped to minimum required permissions.
Vulnerability managementDependencies monitored for known CVEs. Application code reviewed on each deployment. Security patches applied on a rolling basis.
Penetration testingPlanned — third-party penetration test scheduled. Results available to enterprise clients on request under NDA upon completion.

Data Handling & Retention

Data retention policyActive subscription: data retained for service delivery. Post-termination: all intelligence data deleted within 30 days. Anonymized billing skeleton deleted within 90 days. See Ephemeral Data Architecture for full lifecycle.
Data deletion processAutomatic deletion sequence initiated at license termination. Irreversible — no data recovery possible after deletion window. Deletion confirmation logged.
Backup & recoveryDatabase backups managed by Supabase. Point-in-time recovery available. Backups are encrypted and subject to the same retention and deletion policies as primary data.
Data portability / exportClients may export delivered briefings and onboarding assessment responses in PDF format prior to termination. Requests submitted via the Privacy/CCPA inquiry form at least 14 days before termination. Raw biometric telemetry and session metadata are not exportable as they constitute intermediate processing artifacts.
Sub-processorsAnthropic (AI inference), ElevenLabs (voice AI), Oura Health Oy (biometric hardware/API), Supabase (database), Vercel (hosting), Stripe (payments), Resend (email), Google (analytics/fonts). See Sub-Processor Disclosure for full details.
AI model training on Client data?No — Sentinel CPO's agreements with Anthropic and ElevenLabs explicitly prohibit use of Client data for model training. AI inference calls are stateless and ephemeral.

Compliance & Legal

SOC 2 certified?Not currently — Sentinel CPO is a startup-stage company. Supabase (database) and Vercel (hosting) — both SOC 2 Type II certified — form the infrastructure layer. Stripe (PCI DSS Level 1) handles all payment data. Direct Sentinel CPO SOC 2 certification is on the roadmap.
GDPR compliant?Yes — Data Processing Agreement available on request. Pseudonymous architecture limits personal data exposure. Sub-processors maintain EU-adequate transfer mechanisms. Right to erasure honored via automatic deletion sequence.
CCPA compliant?Yes — California residents may submit data requests via the privacy inquiry form. Right to know, delete, and opt-out honored.
HIPAA compliant?No — Sentinel CPO is not a HIPAA-covered entity and does not process Protected Health Information (PHI). Biometric data is physiological performance metrics, not medical records. Sentinel CPO explicitly does not diagnose, treat, or create a clinical relationship.
Biometric data lawsBiometric data is handled under Sentinel CPO's Biometric Privacy Policy, BIPA (Illinois), CUBI (Connecticut), and analogous state laws where applicable. See Biometric Privacy Policy.
Legal process / subpoena responseSentinel CPO will notify Clients of legal demands within 5 business days unless prohibited by law. Minimum necessary data produced. Overbroad requests challenged where feasible. Data deleted per retention schedule cannot be produced.
Data Processing Agreement available?Yes — See Data Processing Agreement. Available for counter-signature on request.
Security contactSubmit inquiry via contact form — select "Security / Privacy" as inquiry type.

3. Privacy Impact Assessment Summary

This section summarizes the Privacy Impact Assessment (PIA) conducted for the Sentinel CPO platform. The full internal PIA is available to enterprise clients and regulatory bodies on request.

Data Categories and Risk Assessment

Data Category Inherent Risk Mitigating Controls Residual Risk
Real identity (name, email, billing address) Medium — standard PII Compartmentalized to billing/auth only. Never passed to AI inference. Supabase RLS isolation. Stripe handles payment data independently. Low
Biometric telemetry (HRV, sleep, readiness, temperature, respiratory rate) High — health-adjacent sensitive data Pseudonymized (CPO# only in processing). AES-256 at rest. TLS in transit. RLS isolation. Ephemeral deletion on termination. No raw sensor access — aggregated daily metrics only. Low–Medium
Voice session audio High — biometric identifier, sensitive content Not stored — processed in real-time by ElevenLabs and discarded. Zero retention by design. Sentinel CPO never holds audio at any point. Negligible
Behavioral session metadata (structured check-in outputs — no raw transcripts stored) Medium — operational context, sensitive professional information Pseudonymized. Encrypted at rest. RLS isolation. No raw transcripts stored — only structured metadata fields extracted at session close. Ephemeral deletion on termination. Low
AI-generated intelligence briefings Medium — contains synthesized sensitive professional and physiological content Pseudonymized (CPO# only). RLS isolation — only the authenticated Client can access their briefings. Encrypted at rest. Exportable by Client before termination; deleted after. Low
Payment data High — financial data Handled exclusively by Stripe (PCI DSS Level 1). Sentinel CPO never touches or stores raw card data. Only Stripe customer ID and subscription metadata stored in Sentinel CPO's database. Negligible

Data Flow Summary

Biometric telemetry flows from the Oura Ring hardware → Oura Cloud API → Sentinel CPO API (authenticated retrieval) → encrypted Supabase database. Voice sessions flow from Client device → ElevenLabs real-time processing → structured metadata output → Sentinel CPO encrypted database. AI inference requests flow from Sentinel CPO server → Anthropic API (pseudonymized data only) → response → encrypted database. No data flows in the reverse direction from sub-processors to the Client's employer or any third party.

Assessment Conclusion

The combination of pseudonymous architecture, ephemeral data lifecycle, sub-processor isolation, and encryption-at-rest/in-transit controls reduce the platform's residual privacy risk to low across all data categories. The highest inherent risk category — voice audio — is eliminated entirely by a no-retention architectural decision. The second-highest inherent risk category — biometric telemetry — is mitigated to low by pseudonymization, encryption, and automatic deletion.

4. Access Controls

The following table documents which roles within and outside Sentinel CPO can access which categories of Client data.

Data Category Client (authenticated) Sentinel CPO — Performance Manager Sentinel CPO — Infrastructure Admin Client's Employer / Corporate Sponsor AI Sub-processors
Real identity (name, email) ✓ Own only — Contact info only, for service coordination — System access, not operational use ✗ Never ✗ Never
Biometric telemetry ✓ Own only — Aggregated summaries visible in client dashboard for service delivery — Infrastructure access only ✗ Never — by architecture — Anthropic receives pseudonymized summaries for inference only
Voice session audio ✗ Not stored ✗ Not stored ✗ Not stored ✗ Not stored — ElevenLabs: real-time only, not retained
Behavioral session metadata ✓ Own only — Visible for briefing review and service quality — Infrastructure access only ✗ Never — by architecture — Anthropic receives pseudonymized structured fields for inference
Intelligence briefings ✓ Own only ✓ For quality review and delivery — Infrastructure access only ✗ Never — by architecture ✗ Not passed to sub-processors
Payment data ✓ Own invoices via Stripe portal ✗ No access to card data ✗ No access to card data — Sponsor sees billing receipts and seat status only ✗ Stripe handles independently

Administrative Access Controls

Authentication & Platform Security Controls

The following technical controls are enforced at the platform layer for all accounts and requests.

Corporate Sponsor Access

Corporate sponsors — organizations that fund Sentinel CPO subscriptions for executives — have access to billing receipts, seat count, and enrollment status only. By architectural design, sponsors cannot access briefing content, biometric data, check-in data, or any intelligence output of any kind, for any sponsored executive. This is not a policy restriction — it is a structural guarantee enforced at the data model level. The sponsored executive's CPO# identifier is never shared with the sponsoring organization.

5. Incident Response Policy

This policy defines Sentinel CPO's response to security incidents that may affect Client data. It applies to confirmed or reasonably suspected unauthorized access, disclosure, alteration, or destruction of Client data.

5.1 Detection & Classification

Sentinel CPO monitors platform infrastructure and sub-processor security advisories on an ongoing basis. Security incidents are classified as follows:

5.2 Containment

Upon detection of a Severity 1 or 2 incident, Sentinel CPO will take immediate containment action, which may include: revoking compromised credentials, isolating affected infrastructure, temporarily suspending affected service endpoints, and engaging relevant sub-processors.

5.3 Notification

5.4 Remediation & Post-Incident Review

Following containment, Sentinel CPO will: identify and close the root cause of the incident, assess and document the full scope of data affected, implement controls to prevent recurrence, and conduct a post-incident review. A written incident summary will be made available to affected Clients on request following remediation.

5.5 Sub-Processor Incidents

In the event a sub-processor (Anthropic, ElevenLabs, Supabase, Vercel, Stripe, Resend) reports a security incident, Sentinel CPO will: assess the Client data impact, apply the notification thresholds above if Client data is affected, and publish an advisory on this page if the incident is of broad relevance. Sub-processor security advisories are actively monitored.

5.6 Contact for Security Reports

To report a suspected security vulnerability or incident: submit a security inquiry. Sentinel CPO commits to acknowledging security reports within 2 business days.

6. Certifications & Compliance Status

SOC 2 Type II (Sentinel CPO direct)Planned — not yet completed. Infrastructure sub-processors Supabase and Vercel hold SOC 2 Type II.
PCI DSSPayment card data handled exclusively by Stripe (PCI DSS Level 1). Sentinel CPO does not store, process, or transmit card data.
ISO 27001Not certified — on roadmap as client base scales to enterprise.
GDPRCompliant. DPA available. Pseudonymous architecture. Erasure honored.
CCPA / CPRACompliant. Privacy rights honored via contact form.
HIPAANot applicable — Sentinel CPO is not a covered entity and does not process PHI.
Biometric data laws (BIPA, CUBI, et al.)Compliant. Biometric Privacy Policy published. Consent obtained at enrollment. Deletion honored.