Stacklok Security Center

Self-hosted AI governance, built to keep customers in control

Stacklok is deployed inside your infrastructure, in your Kubernetes environment. That means your AI traffic, prompts, tool calls, policies, logs, and governance data remain under your control.

Stacklok does not host, process, transmit, or store customer data by design. We do not have access to your environment, network, workloads, or data.

All data location, residency, encryption, retention, deletion, and access controls are governed by your own infrastructure and security policies. Nothing on Stacklok’s end affects your current security posture or governance controls. 

Our responsibility is to provide software that is safe to deploy, built with strong software supply chain practices, and designed for secure operation in customer-controlled environments.

Shared responsibility

Security in a self-hosted model is a shared responsibility.

Customers control the environment.
This includes data hosting, encryption, access control, retention, uptime, incident response, and compliance of the running system.

Stacklok controls the software we deliver.
This includes secure development practices, software supply chain integrity, vulnerability response, signed artifacts, SBOM availability, and build provenance.

Stacklok security posture

Stacklok focuses on the security of the software we provide, including:

Support for customer-controlled deployment and operations

  • Signed software artifacts
  • SBOM availability
  • Provenance and build integrity
  • Vulnerability and CVE response
  • Secure development practices
  • Limited vendor access by design

Subprocessors

Stacklok uses a variety of tools and technology internally that may subprocess data. These tools consist of cloud technologies like AWS and Slack. Below are all applications in which information may be subprocessed.

  • Google Workspace Customer Email Communications and Document Storage
  • Slack Customer Communications 
  • GitHub Code Repository
  • Grafana Log/trace/metrics storage
  • AWS Applications, Databases, File Storage
  • DevRev Customer Support Communications
  • Hubspot Customer Engagement 
  • Read AI Customer Conversations

Why this matters

With Stacklok, enterprises can govern AI and MCP usage without giving up control of sensitive data or infrastructure.

You get the benefits of AI governance while keeping your security model aligned to your own environment, policies, and compliance requirements.

Need more detail?

For security reviews, architecture discussions, or vendor questionnaires, contact the Stacklok team at enterprise@stacklok.com. Our technical team can help clarify which controls are owned by Stacklok and which are governed by your deployment environment.