Menu
Trust

Security posture for project-owned intelligence.

Snipara holds the project layer that agents need before editing: sources, memory, decisions, impact, workflow state, and verification evidence. This page states the current trust boundary plainly.

Current posture

Trust is scoped, source-backed, and intentionally limited.

The public claim is not that Snipara has every enterprise badge. The claim is that the platform keeps project intelligence inspectable before agents rely on it.

Snipara does not run your model

Your LLM or coding client still reasons and executes. Snipara prepares source-backed Project Intelligence before that work starts.

Project context stays scoped

Documents, memory, tool output, handoffs, and code graph signals are tied to project, team, user, service-account, or integrator boundaries.

Trust means evidence, not theater

The product exposes source maps, caveats, freshness signals, reviewed memory, and verification prompts so agents can check claims before acting.

Data boundary

Snipara prepares context. Your model still does the reasoning.

What enters Snipara

Selected project documents, repository context, durable decisions, workflow state, code graph metadata, and retrieval logs that the customer chooses to connect or upload.

What comes back

Compact answer packs, source references, caveats, continuity briefs, impact hints, verification plans, and memory recall results.

What stays outside

The customer's chosen LLM provider, local development environment, private runtime secrets, and any source that has not been connected to Snipara.

Self-hosted boundary

Teams with stricter data-plane needs can use a self-hosted deployment path so context processing runs inside customer-controlled infrastructure.

Controls

The important controls are visible to the agent workflow.

Snipara's trust layer is built around scoping, review status, source authority, and explicit verification, because agent work fails when old assumptions look current.

Credentials

Setup flows use environment-backed keys. API key records use hashes and prefixes for lookup, with raw keys shown only at creation time.

Access checks

Hosted tools resolve project, team, user, service-account, OAuth, and integrator access before returning context or memory.

Memory governance

Durable memory is reviewed, scoped, authority-tagged, revocable, and meant for reusable decisions or learnings, not raw logs or secrets.

Execution proof

Snipara Sandbox is the repeatable path for validation work that benefits from isolation instead of ad hoc local shell state.

Source authority

Answer packs separate source facts, caveats, freshness warnings, and verification checklists so stale or unsupported claims stay visible.

Vaultbrix

The primary data layer is Swiss PostgreSQL, not a vague cloud bucket.

The production architecture documents Snipara on Infomaniak for the app layer and Vaultbrix PostgreSQL for primary storage. That gives the trust page a concrete infrastructure story without overstating a certification.

Database posture

Documented production facts

  • Primary production storage uses Vaultbrix PostgreSQL in Switzerland.
  • Runtime PostgreSQL connections are documented with sslmode=require.
  • Vaultbrix managed PgBouncer sits between the app and PostgreSQL for connection pooling.
  • The architecture docs record Vaultbrix point-in-time recovery as the built-in backup layer.
SOC 2 use cases

Useful for compliance work, honest about certification.

Snipara and Helvabase can help teams prepare source-backed compliance evidence. That is different from claiming Snipara itself has completed a SOC 2 audit.

Security questionnaire response drafting with cited project and infrastructure facts.

SOC 2 evidence preparation, such as collecting policies, controls, access notes, and missing-evidence gaps.

Audit evidence packs for clients that need source-backed answers instead of stale copy-paste claims.

Helvabase workflows for business-facing compliance, RFP, due-diligence, and security review dossiers.

Limits

What we do not claim on this page.

No fake badges
  • SOC 2, ISO 27001, HIPAA, or FedRAMP certification for Snipara today.
  • That every customer document, embedding, log, cache entry, or processor is covered by one universal residency statement.
  • That hosted Snipara replaces customer security review, vendor assessment, DPA negotiation, or contractual controls.
  • That a self-hosted deployment automatically satisfies a regulated environment without customer-side controls.
Security contact

Need a security review, questionnaire, or vendor answer?

Send the request to the right channel. We will answer from current implementation facts and call out gaps instead of padding the response.