Trust and vendor review

Everything your security team needs to clear us.

MakerChecker runs inside your own walls, so your data never reaches us, and every line is open for your reviewers to read. This page answers the questions a procurement and security review asks, plainly, without a certificate you have to take on faith.

Data residency

Your data never leaves your walls

Self-hosted by design. There is no MakerChecker cloud in the path. Where you run it is where your data stays, which settles EU data residency under the GDPR and most cross-border questions before they start.

Readable

Open source, so you verify instead of trust

The engine, the audit chain, and the offline verifier are open. Your security team reads the code, runs it in your own environment, and checks the controls directly.

Hardened

Built to pass a real review

Runs as a non-root container on a pinned base, with a hardened Postgres configuration and CI that gates on image CVEs, ships an SBOM, and scans for secrets on every change.

Licensed

AGPL core, with a commercial path

AGPL-3.0 for the core and Apache-2.0 for the SDK, with a commercial license for organizations whose policies preclude AGPL. No surprise contamination of your own application.

The questions a review asks

Where does our data go?
Nowhere. MakerChecker runs inside your own environment. Your operational data, your patient data, and your audit records stay on your infrastructure. In a self-hosted deployment we are not a processor of your data, because we never receive it.
Do we need a BAA or a DPA?
For a self-hosted deployment, no BAA is required, because no protected health information reaches us. If you ask us to build and run an agent for you as part of a pilot, and that agent would touch regulated data, a BAA and a DPA are available before any such data flows. The default we recommend is self-hosted with synthetic or minimized data, so the question does not arise.
How does this work under the GDPR?
Because MakerChecker is self-hosted, personal data stays inside your infrastructure in the region you run it, so EU data residency is under your control and there is no cross-border transfer to us to assess. In a self-hosted deployment you are the controller and we are not a processor of that data. For an operated pilot where an agent would touch personal data, we sign a GDPR-compliant DPA before any such data flows.
What does the AGPL license mean for our code?
The core is AGPL-3.0 and the client SDK is Apache-2.0. Running MakerChecker as a self-hosted service to govern your own agents does not place your application under the AGPL. The AGPL obligation is about distributing a modified version of MakerChecker itself. If your organization's policy precludes AGPL regardless, a commercial license is available.
Is it really open source, or open-core bait?
The enforcement engine, the audit chain, and the verifier are all open source and self-hostable. Your security team can read every line before you run it. We do not gate the security-relevant parts behind a paid tier.
Do you have SOC 2 or ISO 27001?
Not today. We are a young company and we will not claim a certification we do not hold. Because the product is open source and self-hosted, your team can verify the controls directly rather than take a certificate on faith, which is a stronger position for the things that matter here. We are happy to walk your reviewers through the architecture.
How do we report a security issue?
Email hello@makerchecker.ai, or see the SECURITY.md in the repository for coordinated-disclosure terms. The security.txt is served at /.well-known/security.txt.

What your reviewers can check today.

  • The security model, written for a technical reviewer: the threat model, the hardening, and what the audit chain does and does not protect against.
  • The offline verifier. Recompute a signed audit in your own browser and watch it break when a row is changed.
  • The validation evidence for a GxP team: IQ, OQ, PQ, and a requirements-traceability matrix your QA function recognizes.
  • The source on GitHub, including SECURITY.md and the CI that gates every change.

Need a signed sample evidence file, a walkthrough for your reviewers, or the commercial-license terms? Email hello@makerchecker.ai.

See it for yourself

Bring us into your review. We will make it easy.

One command starts the demo: an agent stopped from signing off its own work, and the signed evidence file an inspector can check for themselves.

Designed against the rules your auditors already enforce.