Security posture · executive summary

Data stays in your stack.
Audit log lives in yours.

YiG is a drafting layer that runs against your registered data sources, writes approved output back to your storage, and emits a structured audit record into the logging stream you forward to your SIEM. There is no YiG-hosted database of customer ledgers, journals, or working papers. That is structural — not configurable.

This page is the printable summary. For the long-form review artifact, see /docs/security-and-data-handling and /docs/architecture-overview.

No vendor data plane. Customer data is read at run time, written back, never retained between runs.
Three deployment modes. Local · customer VPC · single-tenant managed.
BYOK inference. Customer holds the model contract directly. We are not in a position to train on your data.
Reviewer gate enforced architecturally. No output ships without a human approval recorded in the audit log.

Where the agent runs

Three deployment modes

Multi-tenant SaaS is deliberately not on this list. If we ship it in the future, it will be a separate architecture with separately scoped guarantees — not a quiet expansion of these three.

Local

Customer cloud (VPC)

Single-tenant managed

Agent runs in

Operator's machine

Customer's cloud account

Dedicated isolated environment

Data path

Operator's local files

Customer's systems

Customer's systems via egress only

Inference contract

Customer's API key

Audit log sink

Operator's filesystem / stdout

Customer's logging pipeline

Who operates the runtime

Operator

Customer IT

YiG SRE (no data-plane access)

Best fit

Eval, regulated solos

Team deployments, internal compliance

Customers who prefer not to operate the stack

Audit log shape · taken verbatim from the codebase

What the log actually contains

YiG Thinker emits structured audit records via Python logging.getLogger() with a typed extra payload. Three loggers cover the three classes of action a run can produce. You forward all three streams to your SIEM, Datadog, or Splunk as JSON. There is no YiG-side audit store.

microsoft_audit

All Microsoft / Dynamics 365 outbound calls (OBO, app-only).

event · user_oid · tenant_id
kind · scope · token_source
status (success / error) · elapsed_ms
request_id

slack_canvas_report

Slack Canvas card emissions + every reviewer button click.

event · timestamp (ISO 8601 UTC)
run_id · user_id · channel_id
action_id · tool_use_id
(for clicks) bridge_item_id

yigthinker.tool

Every tool call inside the agent loop — SQL queries, reconciliation runs, file writes.

event (tool.execute.start / .complete)
tool · run_id · tool_use_id
status · elapsed_ms
tool-specific output shape

Reviewer gate is enforced at this layer: no excel_write.complete against a customer-output path can be reached without a preceding draft.transition with to=approved from a human reviewer. A workflow that completes without approval is logged, kept as draft, and not shipped.

The model contract — BYOK

Customer holds the inference contract directly.

YiG does not own the relationship with the model provider. You contract with Anthropic, OpenAI, your self-hosted endpoint, or your government-cleared instance, and YiG calls that endpoint with your key. The model provider's data-handling terms apply — not ours.

Structurally, this means there is no YiG-side opportunity to train on your prompts, retain your outputs, or cache your intermediate state. Even if we wanted to, the data flows do not reach us.

Hard commitments, not toggles

No training on customer data. BYOK makes this structural.
No telemetry by default. Self-hosted YiG does not phone home for analytics, error reporting, or usage metering.
No background automation. A workflow does not execute without an instruction from an authenticated operator. The agent cannot self-trigger.
No undisclosed data sharing. Any handling of customer data outside the four-layer model requires a written, scoped, time-bound authorisation for that specific incident.
No "skip review" mode. The reviewer gate is enforced architecturally, not as an application-layer toggle.

If any of these change in a future version, the change will be announced before that version ships, in /docs/security-and-data-handling.

Who needs to read what

Three audiences

CFO / Head of Finance

The question you care about: can my team accept YiG's drafts without weakening control? Answer: the architecture forbids shipping anything without a recorded human approval, and the audit log is sufficient evidence for an external auditor without needing access to our runtime. Procurement should review /docs/security-and-data-handling alongside this page.

CISO / IT Security

Decision points: which deployment topology, BYOK key custody, audit-log sink, and pen-test status. YiG data flows do not cross a vendor data plane in any topology. BYOK means our incident surface excludes model inference. Pen-test summary publishes in /docs when commissioned — ask [email protected] for the current state.

Controller / Reviewer

What changes for you day to day: every YiG output arrives as a draft with attached evidence; you accept or reject line by line from Slack Canvas, the CLI, or the Excel ribbon; nothing reaches your close folder until you sign off. See /pilot for the 30-day pilot scope.

Need an item not yet on these pages? Email [email protected]. We respond under NDA or add to the publication queue.