The architecture answers, in one place.
Where data lives, how tenants are isolated, what Kōan can access, and how evidence keeps its lineage. Every statement reflects the architecture today.
Facts move. Authority does not.
Kinetic Fabric observes and checks. Kōan drafts against the governed context. Only a reviewed decision can change the record.
- 01Tenant boundaryIsolatePer-tenant database · cross-tenant denial tests
- 02Kinetic FabricObserve and checkEvidence · hashes · deterministic checks
- 03KōanDraft and proposeParis inference · citations · provenance
- 04Human reviewDecideAccept · reject · return
- 05Governed recordApply the decisionDeterministic change · complete lineage
KōanNo direct write path to the governed record.
Where your data lives and runs.
Data boundary
Where tenant data is stored, processed and transmitted.
- Hosting
- Scaleway, Paris (fr-par) — a French cloud provider under EU jurisdiction.
- Tenant isolation
- Every tenant has its own database, not a shared table with a filter. Isolation is validated with explicit cross-tenant denial tests.
- AI inference
- European foundation models (currently Mistral) served from Paris on EU infrastructure. Prompts and tenant data do not leave Europe.
- Transactional email is sent through Scaleway TEM from EU infrastructure.
Access boundary
How identity and service credentials enter the architecture.
- Identity
- A dedicated EU-hosted identity layer. Enterprise sign-in federates to your existing provider: OIDC with Microsoft Entra ID, just-in-time provisioning, and SCIM user lifecycle — provision, update, deactivate.
- Secrets
- Credentials and API keys live in a managed secret store — never in code, configuration files, or the browser.
Website boundary
What this public website loads and records.
- yojin.io
- Static files with self-hosted fonts. If you consent, this site loads Pirsch Analytics from Germany for cookie-free traffic measurement; it does not load before consent.
What Kōan can and cannot do.
These guarantees are runtime architecture, not policy documents. The full capability model is on the Kōan page.
Can
- Read from your tenant and from the published reference graph.
- Draft cited work as proposals for a person to assess.
- Record what was asked, read, proposed and decided.
Cannot
- Write straight to your compliance record.
- Reach "succeeded" before a person completes the required review.
- Present AI-derived work as a human decision.
Why the record can be trusted.
A fact keeps its identity from collection through assessment.
- 01CollectRaw payload + hash
The source material is preserved with its hash at collection time.
- 02IdentifySource + run
Every fact records its source, account, run and collection time.
- 03AssessFour honest states
Pass, fail, error or unknown. “We couldn’t check” is never converted into a result.
- 04ReplayRebuild the result
Assessment results can be reconstructed from the recorded facts.
Who else touches the data.
The register is short by design. Current as of July 2026; it changes only deliberately, and this page changes with it.
- Provider
- Scaleway SAS
- Location
- France (EU)
- Services
- Cloud hosting, managed databases, transactional email, and managed AI inference serving Mistral models.
- Provider
- Emvi Software GmbH (Pirsch Analytics)
- Location
- Germany (EU)
- Services
- Consent-gated, cookie-free website analytics.
There are no advertising or cross-site tracking providers on the product or this website.
How yojin.io handles website dataFound something? Tell us.
Security reports reach the people who can act on them at hello@yojin.io. We read every report and route it directly to the people responsible.
Put your architecture questions to us directly.
Bring the parts of your security questionnaire that need deeper detail — we answer them against the real architecture.