Cabinet
Security & control

Built for the CISO who has to sign the contract.

Cabinet is the only platform of its kind your team can read line by line, run inside your own network, and power with the AI keys you already pay for. Five layers (code, data, AI, hosting, and identity), all under your control.

Five layers, all yours

Code

Open source · MIT · on GitHub

Data

Your folder · your git · your servers

AI

Your keys · Anthropic, OpenAI, AWS, or Azure

Hosting

Your laptops, your VPC, offline, or Cabinet Cloud

Identity

SSO · SAML · SCIM · Active Directory

The four guarantees

Control isn't a checkbox. It's how Cabinet is built.

Code

Open source

MIT-licensed. Every line of code that touches your strategy data is in a public GitHub repo. Your security team reads it before procurement signs.

Data

Your folder, your files

Cabinet keeps your strategy as plain files on your disk. Backup is `tar`. Export is `cp`. No closed database, no migration queue, no escape hatch needed.

Host

Run it where you want

On your laptops, in your VPC, on an offline machine in a secured facility, or on Cabinet Cloud. AI calls go to your provider with your keys. We never see them.

EU

EU AI Act ready

Every AI-written document links to its sources. Every AI teammate has a narrow permission scope. Every action is logged. GDPR-aligned by design.

Reference architecture

How data flows. And where it doesn't.

Cabinet runs entirely inside your perimeter. The orchestrator, the files, and the inference calls all happen on your infrastructure and your keys. Nothing (not telemetry, not prompts, not artefacts) leaves the boundary you choose.

Your team

Cabinet UI · CLI · Slack · Teams

CEO
Chief of Staff
Manager

Inside your perimeter

Cabinet host

self-hosted · VPC · air-gap · cloud

Orchestrator

MIT · open source · no telemetry by default

Files

Markdown · git-backed · on your disk

Jobs

Cron · agents · audit log

MCP server

Scoped · auditable

Inference providers

Your BYOK · choose any

Anthropic
OpenAI
AWS Bedrock
Azure OpenAI
01

Inference stays local

LLM API calls go from your Cabinet host to your inference provider with your keys. Cabinet's servers are not in the path.

02

No external telemetry

Optional anonymous usage analytics are not sent anywhere by default. You opt in per-event, per-room.

03

Audit log is yours

Every prompt, every write, every agent action is appended to an audit file in the room. Stream it to your SIEM.

Controls catalogue

What you get out of the box, before any add-on.

Identity & access

Single sign-on (SSO): SAML 2.0 · OIDC
Just-in-time provisioning: SCIM 2.0
Role-based access control: Per-room · per-folder
Per-agent permission scopes: Read-only by default

Data protection

Encryption in transit: TLS 1.3
Encryption at rest: AES-256 · BYOK option
Secrets management: Vault · AWS KMS · GCP KMS
Data residency: Pick your region, or your laptop

Auditability

Audit log: Append-only · per-room file
SIEM streaming: Splunk · Datadog · Elastic
Prompt + write log: Every agent action recorded
Immutable history: Git commits · WORM bucket

Operational

Air-gap deployment: Supported · no outbound required
Backup & disaster recovery: `tar` your folder · `restic`
Multi-region: Run a Cabinet per region
SLA on Cloud tier: 99.9% available

Compliance roadmap

Honest about where we are. And where we're going.

We don't claim certifications we haven't earned. The roadmap below is the public source of truth, updated quarterly with named auditors.

SOC 2 · Type II: In progress · Q4 2026
ISO 27001: Planned · Q1 2027
GDPR / DSGVO: Ready · By design
EU AI Act: Ready · Architecture ready
HIPAA path: On request · BAA available
FedRAMP: Planned · Q3 2027
CCPA / CPRA: Ready · Covered by data sovereignty
PCI DSS: N/A · no card data processed

Security FAQ

Questions your CISO will ask.

Yes. Cabinet is a Node application with a markdown filesystem. Deploy it on a VM in your VPC, in an air-gapped facility, or on each employee's laptop. The only outbound connection the application needs is to your chosen inference provider (and you can self-host that too via vLLM or Ollama).

Security review · NDA-friendly

Send us the security questionnaire. We'll send it back filled in.

Whether you're at a regulated bank, a defence contractor, or a healthcare payer, we'll meet your security team where they are, with the documentation they're used to seeing.