Data Sovereignty

Data sovereignty is not a feature of VouchCore — it is the foundational constraint around which the entire platform is designed. Every architectural decision is evaluated against one question: could this create a path for one tenant's data to reach another, or to leave GCP?

What "Sovereignty" Means in Practice

For a Tribal nation enrolling in VouchCore, sovereignty means that intelligence about their jurisdiction's threat surface is categorically inaccessible to any other organization — including VouchCore's own operations team without explicit, documented access requests.

For a credit union, it means that your email posture findings, your domain scan history, and your remediation status are never visible to any other financial institution on the platform.

For any enrolled organization, it means that the data you generate through VouchCore usage belongs to your organization, lives in your enclave, and cannot be accessed cross-tenant by design — not just by policy.

Technical Enforcement

• Tenant namespacing — All data is keyed by tenant ID at the application layer
• IAM rule enforcement — Access controls at the data layer, not just the application layer
• No cross-tenant queries — Query patterns that could return multi-tenant data are architecturally prohibited
• GCP boundaries — All processing in us-central1; no data egress without Pilot authorization
• VPC Service Controls — Hard perimeter preventing API calls outside the VPC boundary

Third-Party Enrichment

When VouchCore queries third-party threat intelligence APIs (AbuseIPDB, ThreatFox), the queries use only the specific IP addresses or domain names being enriched — not organizational metadata. These queries are evaluated for data sovereignty impact before any new enrichment source is integrated.