---
lang: en
template: editorial
---

# **Trust & Security** for enterprise due diligence
> Security and due diligence

Jadey is designed for a customer-controlled enterprise operating frame. Runtime, identities, rights, secrets, data flows, model routing, logging, retention, observability, incident paths and stops are managed so that the CIO, the CISO, compliance and procurement can review the deployment before go-live and limit it in operation.

The operational control model for agents in the running case is covered under [Governance](/en/governance).

[Get Started](action:demo-booking)

## The operating frame stays customer-controlled {#operating-frame}
> Runtime

Jadey runs as a managed runtime within the customer's controlled cloud and security frame. The enterprise retains authority over target systems, identities, network boundaries, data classification, approvals and operating rules. Jadey maintains and scales the agent runtime inside this frame and guides cases only with the integrations, roles and policies approved for the respective deployment. The architecture remains compatible with Azure- and Entra-oriented operating models and can be assessed project-specifically for further cloud and provider paths.

## Identity, rights and secrets are bounded {#identity-rights-secrets}
> IAM and RBAC

Agentic execution starts with identity and authorization. Agents work with defined technical identities, minimal rights, approved service identities and separated execution contexts. Secrets belong in the customer-approved secret and key-management frame; they are not shifted into the agent flow as free configuration. Critical actions are technically bound to approval thresholds, review paths and intervention points. Roles, rights and execution contexts therefore become auditable across IAM/RBAC, secrets and runtime boundaries.

## Data flow and model use follow approvals {#data-model-flow}
> Data and models

ERP, CRM, DMS, ticketing, identity systems and domain systems remain authoritative for their data. Jadey guides the case across these systems and uses data only within the approved purpose, scope and access context. Model use is decided per use case, data class, cost profile and governance requirement. Model routing can consider several model families, but remains bound to approved integrations, contracts, keys, data classes and review rules. This creates controlled model selection inside the reviewed technical operating frame.

## Evidence is created along the case {#logging-audit-retention}
> Logging, audit and retention

For enterprise approvals, a technical log alone is not enough. Jadey is designed to make system actions, model use, approvals, stops, returns and escalations visible along the case as auditable technical and organizational evidence. Depending on the deployment, this includes audit-log excerpts, status and error events, export states, control mappings and closing artefacts for due diligence, internal audit and operations. Retention and deletion are defined in the customer scope: which data, logs, artefacts and intermediate states are retained, exported or deleted for how long. Audit readiness therefore comes from approved operating rules and verifiable evidence.

## Operations require observability and responsibility {#observability-incident-raci}
> SIEM, incident and RACI

Productive agent operations need to connect to existing operating structures. Jadey can guide events, status, errors, timeouts, policy conflicts and escalations so that they can be incorporated into observability, reporting or SIEM-adjacent processes. Which signals go where, which severity levels apply and who responds is defined in the operating model. Incident, change and review paths are run under a RACI model: the enterprise is responsible for objectives, roles, data classification, approvals and intervention points; Jadey runs the agent runtime and case logic within this approved frame. This separation makes shared responsibility operationally auditable.

## Stops and escalation limit autonomy {#stops-escalation-security}
> Stops and escalation

Jadey does not operate with unguided autonomy. For productive deployments, stops, timeouts, questions, kill-switch mechanisms, exception paths and human decision points are defined in advance. If evidence is missing, a policy conflict arises, an approval is absent or an action would fall outside the frame, the case is halted, returned or escalated to the appropriate role. Data-processing agreements, technical and organizational measures, subprocessors, data transfers and control mappings are clarified in the concrete customer scope. Operational use-case governance and AI Act classification are handled under [Governance](/en/governance).

## Due diligence becomes an operating frame {#due-diligence-frame}
> Next step

The Trust & Security review starts with a concrete case: scope, systems, data classes, IAM/RBAC, secrets, model routing, logging, retention, incident paths, RACI and exceptions are jointly bounded. This creates an approval-ready operating frame that is later evidenced in shadow operation and live operation.

[Go to How](/en/how)
