This page consolidates Sentinel CPO's security posture, vendor assessment information, privacy impact assessment, access controls documentation, and incident response policy. It is intended for Clients, corporate sponsors, and IT/InfoSec teams conducting vendor due diligence.
Sentinel CPO is an AI-powered executive performance intelligence platform. Clients submit behavioral and physiological data; the platform generates weekly intelligence briefings. The security architecture is designed around three principles: pseudonymity by default, minimal data retention, and sub-processor isolation.
Every Client is assigned a pseudonymous identifier (format: CPO-XXXX) at enrollment. All intelligence processing — AI inference, briefing generation, quality review — is conducted against this identifier only. The Client's real name, email address, and company affiliation are compartmentalized to authentication and billing records. They are never transmitted to AI inference endpoints, never included in briefing content, and never visible to any individual or system involved in intelligence production.
Even in the event of a compromise of AI provider infrastructure, the processed data would identify only a pseudonymous CPO number — not a person. This is a structural guarantee enforced at the data model level, not a policy.
Voice session audio is processed in real-time by ElevenLabs and is not retained by Sentinel CPO or ElevenLabs after session close. Sentinel CPO stores only the structured performance metadata extracted at session end — not audio, not transcripts, not voice recordings. Biometric telemetry is retrieved from Oura Health's API in aggregated daily format and stored in encrypted form. Raw sensor data is never accessed.
This section provides pre-filled answers to the most common vendor security questionnaire (VSQ/SIG) categories. IT and InfoSec teams may use these responses to expedite internal vendor reviews. For questions not addressed here, contact security@sentinelcpo.com.
| Legal entity name | Sentinel CPO LLC |
|---|---|
| Jurisdiction of incorporation | United States (Connecticut) |
| Product category | AI-powered executive performance intelligence platform (SaaS) |
| Primary data categories processed | Wearable biometric telemetry (aggregated daily metrics); structured behavioral session metadata; AI-generated intelligence output; authentication credentials; billing/payment data |
| Personal data processed? | Yes — name, email, billing address (billing/auth only); biometric data (intelligence processing, pseudonymized) |
| Sensitive data categories | Biometric data (health-adjacent physiological metrics via Oura Ring). Processed under Biometric Privacy Policy and applicable state law. No medical, financial, or criminal data is processed. |
| Data subjects | Business executives and senior professionals (B2B and B2C) |
| Data encrypted at rest? | Yes — AES-256 (Supabase managed PostgreSQL and object storage) |
|---|---|
| Data encrypted in transit? | Yes — TLS 1.2 minimum on all connections. No unencrypted data paths. |
| Data residency | United States (US East primary). No data stored in the EU. Oura biometric data is subject to Oura Health Oy's data residency (EU/US — governed by Oura's own Privacy Policy). |
| Database access controls | Row-Level Security (RLS) enforced at PostgreSQL layer on all tables. Client data is cryptographically scoped to authenticated user ID. Cannot be bypassed by application-layer logic. |
| Multi-tenant or single-tenant? | Multi-tenant SaaS. Client data isolation is enforced via RLS at the database layer — not application-level filtering. |
| Authentication method | Email/password with server-managed session tokens. Session tokens have defined expiry. Supabase Auth manages the authentication layer. |
| MFA supported? | Available — Clients may enable TOTP-based MFA through account settings. |
| API key management | All external service API keys (AI inference, voice processing, payment, email) are stored as server-side environment variables. Never transmitted to browser environments. Keys are scoped to minimum required permissions. |
| Vulnerability management | Dependencies monitored for known CVEs. Application code reviewed on each deployment. Security patches applied on a rolling basis. |
| Penetration testing | Planned — third-party penetration test scheduled. Results available to enterprise clients on request under NDA upon completion. |
| Data retention policy | Active subscription: data retained for service delivery. Post-termination: all intelligence data deleted within 30 days. Anonymized billing skeleton deleted within 90 days. See Ephemeral Data Architecture for full lifecycle. |
|---|---|
| Data deletion process | Automatic deletion sequence initiated at license termination. Irreversible — no data recovery possible after deletion window. Deletion confirmation logged. |
| Backup & recovery | Database backups managed by Supabase. Point-in-time recovery available. Backups are encrypted and subject to the same retention and deletion policies as primary data. |
| Data portability / export | Clients may export delivered briefings and onboarding assessment responses in PDF format prior to termination. Requests submitted via the Privacy/CCPA inquiry form at least 14 days before termination. Raw biometric telemetry and session metadata are not exportable as they constitute intermediate processing artifacts. |
| Sub-processors | Anthropic (AI inference), ElevenLabs (voice AI), Oura Health Oy (biometric hardware/API), Supabase (database), Vercel (hosting), Stripe (payments), Resend (email), Google (analytics/fonts). See Sub-Processor Disclosure for full details. |
| AI model training on Client data? | No — Sentinel CPO's agreements with Anthropic and ElevenLabs explicitly prohibit use of Client data for model training. AI inference calls are stateless and ephemeral. |
| SOC 2 certified? | Not currently — Sentinel CPO is a startup-stage company. Supabase (database) and Vercel (hosting) — both SOC 2 Type II certified — form the infrastructure layer. Stripe (PCI DSS Level 1) handles all payment data. Direct Sentinel CPO SOC 2 certification is on the roadmap. |
|---|---|
| GDPR compliant? | Yes — Data Processing Agreement available on request. Pseudonymous architecture limits personal data exposure. Sub-processors maintain EU-adequate transfer mechanisms. Right to erasure honored via automatic deletion sequence. |
| CCPA compliant? | Yes — California residents may submit data requests via the privacy inquiry form. Right to know, delete, and opt-out honored. |
| HIPAA compliant? | No — Sentinel CPO is not a HIPAA-covered entity and does not process Protected Health Information (PHI). Biometric data is physiological performance metrics, not medical records. Sentinel CPO explicitly does not diagnose, treat, or create a clinical relationship. |
| Biometric data laws | Biometric data is handled under Sentinel CPO's Biometric Privacy Policy, BIPA (Illinois), CUBI (Connecticut), and analogous state laws where applicable. See Biometric Privacy Policy. |
| Legal process / subpoena response | Sentinel CPO will notify Clients of legal demands within 5 business days unless prohibited by law. Minimum necessary data produced. Overbroad requests challenged where feasible. Data deleted per retention schedule cannot be produced. |
| Data Processing Agreement available? | Yes — See Data Processing Agreement. Available for counter-signature on request. |
| Security contact | Submit inquiry via contact form — select "Security / Privacy" as inquiry type. |
This section summarizes the Privacy Impact Assessment (PIA) conducted for the Sentinel CPO platform. The full internal PIA is available to enterprise clients and regulatory bodies on request.
| Data Category | Inherent Risk | Mitigating Controls | Residual Risk |
|---|---|---|---|
| Real identity (name, email, billing address) | Medium — standard PII | Compartmentalized to billing/auth only. Never passed to AI inference. Supabase RLS isolation. Stripe handles payment data independently. | Low |
| Biometric telemetry (HRV, sleep, readiness, temperature, respiratory rate) | High — health-adjacent sensitive data | Pseudonymized (CPO# only in processing). AES-256 at rest. TLS in transit. RLS isolation. Ephemeral deletion on termination. No raw sensor access — aggregated daily metrics only. | Low–Medium |
| Voice session audio | High — biometric identifier, sensitive content | Not stored — processed in real-time by ElevenLabs and discarded. Zero retention by design. Sentinel CPO never holds audio at any point. | Negligible |
| Behavioral session metadata (structured check-in outputs — no raw transcripts stored) | Medium — operational context, sensitive professional information | Pseudonymized. Encrypted at rest. RLS isolation. No raw transcripts stored — only structured metadata fields extracted at session close. Ephemeral deletion on termination. | Low |
| AI-generated intelligence briefings | Medium — contains synthesized sensitive professional and physiological content | Pseudonymized (CPO# only). RLS isolation — only the authenticated Client can access their briefings. Encrypted at rest. Exportable by Client before termination; deleted after. | Low |
| Payment data | High — financial data | Handled exclusively by Stripe (PCI DSS Level 1). Sentinel CPO never touches or stores raw card data. Only Stripe customer ID and subscription metadata stored in Sentinel CPO's database. | Negligible |
Biometric telemetry flows from the Oura Ring hardware → Oura Cloud API → Sentinel CPO API (authenticated retrieval) → encrypted Supabase database. Voice sessions flow from Client device → ElevenLabs real-time processing → structured metadata output → Sentinel CPO encrypted database. AI inference requests flow from Sentinel CPO server → Anthropic API (pseudonymized data only) → response → encrypted database. No data flows in the reverse direction from sub-processors to the Client's employer or any third party.
The combination of pseudonymous architecture, ephemeral data lifecycle, sub-processor isolation, and encryption-at-rest/in-transit controls reduce the platform's residual privacy risk to low across all data categories. The highest inherent risk category — voice audio — is eliminated entirely by a no-retention architectural decision. The second-highest inherent risk category — biometric telemetry — is mitigated to low by pseudonymization, encryption, and automatic deletion.
The following table documents which roles within and outside Sentinel CPO can access which categories of Client data.
| Data Category | Client (authenticated) | Sentinel CPO — Performance Manager | Sentinel CPO — Infrastructure Admin | Client's Employer / Corporate Sponsor | AI Sub-processors |
|---|---|---|---|---|---|
| Real identity (name, email) | ✓ Own only | — Contact info only, for service coordination | — System access, not operational use | ✗ Never | ✗ Never |
| Biometric telemetry | ✓ Own only | — Aggregated summaries visible in client dashboard for service delivery | — Infrastructure access only | ✗ Never — by architecture | — Anthropic receives pseudonymized summaries for inference only |
| Voice session audio | ✗ Not stored | ✗ Not stored | ✗ Not stored | ✗ Not stored | — ElevenLabs: real-time only, not retained |
| Behavioral session metadata | ✓ Own only | — Visible for briefing review and service quality | — Infrastructure access only | ✗ Never — by architecture | — Anthropic receives pseudonymized structured fields for inference |
| Intelligence briefings | ✓ Own only | ✓ For quality review and delivery | — Infrastructure access only | ✗ Never — by architecture | ✗ Not passed to sub-processors |
| Payment data | ✓ Own invoices via Stripe portal | ✗ No access to card data | ✗ No access to card data | — Sponsor sees billing receipts and seat status only | ✗ Stripe handles independently |
The following technical controls are enforced at the platform layer for all accounts and requests.
Corporate sponsors — organizations that fund Sentinel CPO subscriptions for executives — have access to billing receipts, seat count, and enrollment status only. By architectural design, sponsors cannot access briefing content, biometric data, check-in data, or any intelligence output of any kind, for any sponsored executive. This is not a policy restriction — it is a structural guarantee enforced at the data model level. The sponsored executive's CPO# identifier is never shared with the sponsoring organization.
This policy defines Sentinel CPO's response to security incidents that may affect Client data. It applies to confirmed or reasonably suspected unauthorized access, disclosure, alteration, or destruction of Client data.
Sentinel CPO monitors platform infrastructure and sub-processor security advisories on an ongoing basis. Security incidents are classified as follows:
Upon detection of a Severity 1 or 2 incident, Sentinel CPO will take immediate containment action, which may include: revoking compromised credentials, isolating affected infrastructure, temporarily suspending affected service endpoints, and engaging relevant sub-processors.
Following containment, Sentinel CPO will: identify and close the root cause of the incident, assess and document the full scope of data affected, implement controls to prevent recurrence, and conduct a post-incident review. A written incident summary will be made available to affected Clients on request following remediation.
In the event a sub-processor (Anthropic, ElevenLabs, Supabase, Vercel, Stripe, Resend) reports a security incident, Sentinel CPO will: assess the Client data impact, apply the notification thresholds above if Client data is affected, and publish an advisory on this page if the incident is of broad relevance. Sub-processor security advisories are actively monitored.
To report a suspected security vulnerability or incident: submit a security inquiry. Sentinel CPO commits to acknowledging security reports within 2 business days.
| SOC 2 Type II (Sentinel CPO direct) | Planned — not yet completed. Infrastructure sub-processors Supabase and Vercel hold SOC 2 Type II. |
|---|---|
| PCI DSS | Payment card data handled exclusively by Stripe (PCI DSS Level 1). Sentinel CPO does not store, process, or transmit card data. |
| ISO 27001 | Not certified — on roadmap as client base scales to enterprise. |
| GDPR | Compliant. DPA available. Pseudonymous architecture. Erasure honored. |
| CCPA / CPRA | Compliant. Privacy rights honored via contact form. |
| HIPAA | Not applicable — Sentinel CPO is not a covered entity and does not process PHI. |
| Biometric data laws (BIPA, CUBI, et al.) | Compliant. Biometric Privacy Policy published. Consent obtained at enrollment. Deletion honored. |