Sovereign data vault · sealed · single-organization · no inbound surface
SentryVault is a sealed, single-organization vault for an organization's most sensitive data — semantic, structured, and unstructured — and its governed processing. It unifies what is scattered across every system, connects what relates, and lets authorized people and systems act on it through governed contracts — while remaining architecturally incapable of exfiltration. Freedom of Information is where it proves itself. It does not stop there.
The same sealed appliance becomes a different vault for each vertical — defined by a signed configuration, not a rebuild. Today we lead with three.
Catalog every system bitemporally, infer offline sources, and turn a Freedom-of-Information request into a complete, pre-redacted, fully-audited package — with statutory exemptions cited and a human officer always deciding disclosure.
Records & access · privacy commissioners · CIO/CISO · ministry FOI units
A sovereign, all-knowing mission graph: deduplicated people and organizations, program and grant lineage, impact reporting — enterprise-grade governance and security for a mission-driven team, on managed Canadian infrastructure.
Executive · data & impact · privacy · funders & reporting
A sealed PHI vault: locate and govern health records across clinical, research, and administrative systems; manage consent and disclosure; answer access and audit requests — with reasoning on offline compute so PHI never leaves the box.
Privacy officer · CMIO/CIO · research governance · custodians
Every SentryVault is one sealed, single-organization appliance. The data plane never accepts an inbound connection. Everything reaches it because the vault subscribes and pulls — and the only way data moves out is a small, signed, audited set of contracts.
A signed configuration decides what this vault is — which template, taxonomies, sources, roles, and governance. Change the configuration, change the vertical. Tampered configuration is refused.
Work reaches the vault because it subscribes and pulls. There is no inbound job or admin surface to attack — administration itself rides an outbound, named, time-bound channel.
Applications never touch the data, the engine, or any query API. They invoke named, scoped, governed contracts; a pool of executors inside the vault runs them and returns a recipient-bound result. The contract catalog is the entire outward surface.
SentryVault is engineered to military-grade discipline for government and regulated industry. It assumes the data it holds is the most sensitive an organization has, and is designed — architecturally, not just by policy — so that information cannot leave except as a governed, audited contract.
The clearest proof of the substrate: SentryVault continuously records data from every system, catalogs it bitemporally, draws explicit and inferred connections, and turns an access request into a complete, pre-redacted package — with the people who must act already alerted.
Inbound-only connectors catalog records from every system — email, document stores, line-of-business apps, case files. The source of record stays in the source; the vault holds the map, the connections, and a governed, gated content index.
Every record and connection is stamped with when it was true and when the vault knew it. Where a source can't be read — a filing cabinet, a personal drive, a departed mailbox — the vault infers its existence and flags it for a human check.
An incoming request is parsed into scope and routed across the graph, returning a map of what data exists where — what it can read directly, what needs an offline check, and what is known to exist but isn't retrievable.
Information-sharing alerts go to staff who may hold responsive records, and offline-check tasks to custodians — each tied to the statutory clock. Their responses flow straight back into the package.
For every field, the vault proposes redactions with the specific statutory exemption cited and a rationale — embedded for the officer. Nothing is auto-applied. The officer accepts, modifies, or rejects.
The approved package leaves through a single sealed, integrity-hashed, recipient-bound gate — fully auditable, with a bitemporal trail an oversight commissioner can reconstruct exactly.
SentryVault installs as a single-purpose, single-organization appliance on infrastructure you control, or on IAXOV-operated Canadian sovereign infrastructure. It is engineered so that data physically cannot be exfiltrated.
When another system or person needs data from a vault, they must prove authority from an authorized entity before anything runs. SentryVault verifies that authority at the boundary — the data never leaves except as a governed contract result.
The requester authenticates to an authorized identity provider; the vault verifies the token and its claims — scope, role, organization — against a named, time-bound grant before any contract runs.
Authority can be carried as a portable, signed credential — an oversight body's auditor, a designated custodian. The vault verifies the issuer's signature offline, with no runtime dependency on the issuer. Sovereign and air-gap-friendly.
A requester can prove a property — "I hold a valid auditor credential", "this subject consented" — without revealing the underlying identity or data. The vault verifies the proof, runs the scoped contract, returns a recipient-bound result.
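The token-and-grant check described above can be sketched as a deny-by-default function. This is an added example, not SentryVault code: the `Grant` fields, the claim names (`grant`, `org`, `role`, `scope`), the contract names and the sample data are all hypothetical, and it assumes the token's signature and expiry were already verified upstream.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

@dataclass(frozen=True)
class Grant:                      # hypothetical shape of a named, time-bound grant
    organization: str
    role: str
    contracts: frozenset          # contract names the grant may invoke
    scopes: frozenset             # scopes the grant may exercise
    not_before: datetime
    not_after: datetime

def authorize(claims, contract, needed_scopes, grants, now):
    """Return (allowed, reason); deny unless one named grant covers the request."""
    grant = grants.get(claims.get("grant"))
    if grant is None:
        return False, "unknown grant"
    if not (grant.not_before <= now < grant.not_after):
        return False, "grant outside validity window"
    if claims.get("org") != grant.organization:
        return False, "organization mismatch"
    if claims.get("role") != grant.role:
        return False, "role mismatch"
    if contract not in grant.contracts:
        return False, "contract not covered by grant"
    needed = set(needed_scopes)
    if not needed <= set(claims.get("scope", "").split()):
        return False, "token lacks scope"
    if not needed <= grant.scopes:
        return False, "grant lacks scope"
    return True, "ok"

# Constructed sample data, not taken from any real deployment.
UTC = timezone.utc
GRANTS = {
    "foi-officer-q1": Grant(
        organization="ministry-a", role="foi_officer",
        contracts=frozenset({"foi.package.prepare"}),
        scopes=frozenset({"records:map", "records:redact"}),
        not_before=datetime(2025, 1, 1, tzinfo=UTC),
        not_after=datetime(2025, 4, 1, tzinfo=UTC),
    ),
}
CLAIMS = {"grant": "foi-officer-q1", "org": "ministry-a",
          "role": "foi_officer", "scope": "records:map records:redact"}
```

Scopes must be present in both the token and the grant, so a token that over-claims a scope is still refused by the grant.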
SentryVault is a sealed, single-organization vault that unifies your most sensitive data — semantic, structured, and unstructured — connects what relates, and lets authorized people and systems act on it through governed, audited contracts, while being architecturally incapable of leaking data and engineered to pass FOIP/HIA, PIPEDA, SOC 2, ISO 27001, and ISO 42001 review. Freedom of Information is the flagship proof. The machine does the work; your people make the decisions.
SentryVault is delivered as a managed service on Legion by IAXOV. Briefings are conducted under NDA for government and regulated-industry records, privacy, and security leadership. Tell us your environment and we'll arrange the right conversation.