Architecture & data boundary

The architecture answers, in one place.

Where data lives, how tenants are isolated, what Kōan can access, and how evidence keeps its lineage. Every statement reflects the architecture today.

Last reviewed · July 2026

The governed path

Facts move. Authority does not.

Kinetic Fabric observes and checks. Kōan drafts against the governed context. Only a reviewed decision can change the record.

Enterprise sign-inOIDC · JIT · SCIM
EU processing boundaryParis · fr-par
  1. 01Tenant boundaryIsolatePer-tenant database · cross-tenant denial tests
  2. 02Kinetic FabricObserve and checkEvidence · hashes · deterministic checks
  3. 03KōanDraft and proposeParis inference · citations · provenance
  4. 04Human reviewDecideAccept · reject · return
  5. 05Governed recordApply the decisionDeterministic change · complete lineage

KōanNo direct write path to the governed record.

The boundaries

Where your data lives and runs.

Data boundary

Where tenant data is stored, processed and transmitted.

Hosting
Scaleway, Paris (fr-par) — a French cloud provider under EU jurisdiction.
Tenant isolation
Every tenant has its own database, not a shared table with a filter. Isolation is validated with explicit cross-tenant denial tests.
AI inference
European foundation models (currently Mistral) served from Paris on EU infrastructure. Prompts and tenant data do not leave Europe.
Email
Transactional email is sent through Scaleway TEM from EU infrastructure.

Access boundary

How identity and service credentials enter the architecture.

Identity
A dedicated EU-hosted identity layer. Enterprise sign-in federates to your existing provider: OIDC with Microsoft Entra ID, just-in-time provisioning, and SCIM user lifecycle — provision, update, deactivate.
Secrets
Credentials and API keys live in a managed secret store — never in code, configuration files, or the browser.

Website boundary

What this public website loads and records.

yojin.io
Static files with self-hosted fonts. If you consent, this site loads Pirsch Analytics from Germany for cookie-free traffic measurement; it does not load before consent.
KōanThe governed AI boundary

What Kōan can and cannot do.

These guarantees are runtime architecture, not policy documents. The full capability model is on the Kōan page.

Can

  • Read from your tenant and from the published reference graph.
  • Draft cited work as proposals for a person to assess.
  • Record what was asked, read, proposed and decided.

Cannot

  • Write straight to your compliance record.
  • Reach "succeeded" before a person completes the required review.
  • Present AI-derived work as a human decision.
Evidence integrity

Why the record can be trusted.

A fact keeps its identity from collection through assessment.

  1. 01Collect
    Raw payload + hash

    The source material is preserved with its hash at collection time.

  2. 02Identify
    Source + run

    Every fact records its source, account, run and collection time.

  3. 03Assess
    Four honest states

    Pass, fail, error or unknown. “We couldn’t check” is never converted into a result.

  4. 04Replay
    Rebuild the result

    Assessment results can be reconstructed from the recorded facts.

Sub-processors

Who else touches the data.

The register is short by design. Current as of July 2026; it changes only deliberately, and this page changes with it.

Provider
Scaleway SAS
Location
France (EU)
Services
Cloud hosting, managed databases, transactional email, and managed AI inference serving Mistral models.
Provider
Emvi Software GmbH (Pirsch Analytics)
Location
Germany (EU)
Services
Consent-gated, cookie-free website analytics.

There are no advertising or cross-site tracking providers on the product or this website.

How yojin.io handles website data
Security contact

Found something? Tell us.

Security reports reach the people who can act on them at hello@yojin.io. We read every report and route it directly to the people responsible.

Machine-readable contact: security.txt

Put your architecture questions to us directly.

Bring the parts of your security questionnaire that need deeper detail — we answer them against the real architecture.