
Security & compliance posture

Sipsa Inference's SHA-256 verifiable, reproducible reconstruction is the regulatory-equivalence floor for any AI workload that requires provable model behavior. This page documents what's already enforced today, what's on the formal certification roadmap, and what's planned. Updated 2026-06-06.

The substrate-level property that matters most

Most public quantization techniques (AWQ, GPTQ, EXL3, QTIP, SeedLM) regenerate quantizer state at customer load time, which means the weights the customer's inference call actually executes against are not byte-identical to the weights the implementer evaluated during qualification. That's typically a 2–10% perplexity drift between training-time eval and customer inference.

The Sipsa v3 binary format persists every byte of quantizer state inside the pack. Result: the customer-loaded weights are byte-identical to the validated quantized artifact the implementer evaluated — provable with a single SHA-256 manifest check on the customer's own hardware. The PPL number on /inference is the PPL the customer gets in production. No drift, no quality cliff between dev and deploy.

For regulated workloads, that reproducibility property is the regulatory-equivalence floor. It's what makes the deployed binary auditable as the same model that passed qualification.

Customer-side verification (live today, no vendor cooperation needed)

Every Sipsa-compressed artifact ships with a per-tensor SHA-256 manifest. Any customer can verify the artifact they downloaded matches the artifact we evaluated, with zero trust in the vendor:

pip install ultracompress
hf download SipsaLabs/qwen3-8b-uc-v3-bpw5 --local-dir ./qwen3-8b
uc verify ./qwen3-8b
# → SHA-256 manifest verified across N Linear layers

The verifier is deterministic, runs on CPU (no GPU required), and outputs a pass/fail signal alongside per-layer hash diffs if any. This is the cryptographic primitive that AWQ / GPTQ / EXL3 cannot offer.
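An added illustration of the kind of check a SHA-256 manifest enables, not ultracompress's own code or pack format. The manifest layout (relative file name mapped to hex digest, one file standing in for one tensor), the file names, and the helpers `sha256_file`, `verify_manifest` and `demo` are assumptions, and the sample data is constructed. The expected digests are assumed to come from a copy of the manifest obtained over a trusted channel.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path, chunk=1 << 20):
    """Stream a file through SHA-256 so large tensors never sit fully in RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def verify_manifest(root, manifest):
    """Return (ok, diffs); diffs maps entry name -> (status, expected, actual)."""
    root, diffs = Path(root), {}
    for name, expected in manifest.items():
        path = root / name
        if not path.is_file():
            diffs[name] = ("missing", expected, None)
            continue
        actual = sha256_file(path)
        if actual != expected.lower():
            diffs[name] = ("mismatch", expected, actual)
    # Files on disk that the manifest does not list are unverified content.
    for path in root.rglob("*"):
        rel = path.relative_to(root).as_posix()
        if path.is_file() and rel not in manifest:
            diffs[rel] = ("unlisted", None, sha256_file(path))
    return (not diffs, diffs)


def demo():
    """Constructed sample: two blobs, then one flipped bit and one extra file."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "layer0.q_proj.bin").write_bytes(b"\x01\x02\x03\x04" * 64)
        (root / "layer0.k_proj.bin").write_bytes(b"\x05\x06\x07\x08" * 64)
        manifest = {p.name: sha256_file(p) for p in root.iterdir()}
        clean = verify_manifest(root, manifest)
        blob = bytearray((root / "layer0.k_proj.bin").read_bytes())
        blob[10] ^= 0x01  # single-bit change in one tensor
        (root / "layer0.k_proj.bin").write_bytes(bytes(blob))
        (root / "extra.bin").write_bytes(b"not in manifest")
        return clean, verify_manifest(root, manifest)


if __name__ == "__main__":
    print(demo())
```

A pass requires every listed entry to match and no unlisted file to be present; a single flipped bit in one file is reported against that entry only.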

Compliance posture by framework

| Framework | Status | What Sipsa delivers today | What's on the roadmap |
| --- | --- | --- | --- |
| SOC 2 Type 1 | Q3 2026 target | Vanta-equivalent control posture being built; on-prem deploy means the customer hosts (their SOC 2 boundary covers it) | Type 1 audit Q3 2026; Type 2 readiness Q1 2027 once revenue + headcount justify formal audit cost |
| SR-11-7 (model risk management) | Architecture supports today | SHA-256 manifest + customer-side uc verify = the "demonstrable, auditable, reproducible" requirement satisfied at the substrate level. Provable reproducible reconstruction is qualitatively different from "approximately equal." | Detailed SR-11-7 control mapping doc available on request to enterprise customers |
| FDA Software-as-Medical-Device (SaMD) computational model validation | Architecture supports today — no Sipsa certification claimed | Reproducible reconstruction is the FDA Computational Model Validation floor. Every clinical-AI inference call provably runs the same model the implementer qualified. | FDA reproducibility maps directly onto the Computational Model Validation requirement; detailed control mapping available on request to enterprise customers. |
| HIPAA (PHI) | On-prem deploy LIVE; managed BAA Q3 2026 | On-prem MSA tier means PHI never leaves the customer's environment. Substrate runs locally; no inference data crosses the Sipsa boundary. | BAA template + managed-tier HIPAA-eligible API endpoint Q3 2026 once enough HIPAA-bound customers sign up to justify the audit + ongoing compliance overhead. |
| DoD acquisition + DFARS 252.204-7012 | Architecture supports today · CMMC Level 1 self-attestation Q3 2026 | SHA-256 verifiable, reproducible reconstruction = DoD acquisition audit floor. Maps onto DFARS 252.204-7012 reproducibility expectations; control mapping available on request. | CMMC Level 1 self-attestation Q3 2026. Higher CMMC levels with first signed defense contract. |
| FedRAMP (Moderate / High) | Planned 2027 | On-prem MSA tier supports air-gapped / IL4 / IL5 / IL6 deployment patterns. Customer hosts inside their FedRAMP-authorized boundary. | Managed-tier FedRAMP Moderate authorization sponsored by anchor federal customer (post-Series A). |
| EU AI Act (high-risk system requirements) | Architecture supports today | Reproducible reconstruction satisfies EU AI Act Article 13 (transparency) + Article 15 (accuracy / robustness / cybersecurity) requirements at the substrate level. | Detailed EU AI Act control mapping doc available on request to EU customers. |
| ITAR / EAR | Self-assessed non-controlled | The Sipsa substrate is general-purpose ML compression and not subject to ITAR or EAR controls in its current form. | Customers using the substrate for ITAR-controlled workloads handle their own export-control compliance and deployment-environment certifications. |

Data handling

The substrate (pip install ultracompress) runs entirely on the customer's machine. We do not see customer prompts, customer outputs, or customer training data. There is no Sipsa-side telemetry, logging, or data exfiltration on the substrate path.

The managed API (api.sipsalabs.com/v1) sees inference requests in transit; we log timestamps, model ID, request ID, and token counts for billing + capacity planning. We do not log request bodies or response bodies. Logs are deleted at 30 days. For customers requiring zero-log handling (HIPAA / classified workloads), the on-prem MSA tier eliminates the managed API entirely — customer hosts the substrate inside their boundary, no inference traffic crosses the Sipsa network.

Vulnerability disclosure

If you find a security issue in ultracompress (PyPI), api.sipsalabs.com, or any Sipsa Labs surface, please email founder@sipsalabs.com with the subject line "Security disclosure". We respond to security reports within 24 hours and treat severe findings as P0. The public disclosure timeline is coordinated with the reporter; the standard window is 90 days unless the reporter requests an expedited or extended window.

Subprocessors

| Vendor | Purpose | Data scope |
| --- | --- | --- |
| Stripe | Payments / checkout | Billing metadata only; no card data, no customer inference data |
| Cloudflare | DNS + tunnel + WAF for api.sipsalabs.com | Inference request metadata in transit |
| Vercel | Marketing site (sipsalabs.com) | Public marketing-site analytics; no customer data |
| Resend | Outbound transactional email (founder@sipsalabs.com) | Customer email metadata only |
| HuggingFace Hub | Public artifact hosting (huggingface.co/SipsaLabs) | Public model artifacts only; no customer data |
| GitHub | Public substrate repository (github.com/sipsalabs/ultracompress) | Public substrate code only; no customer data |

Customers requiring a more detailed subprocessor list (e.g., for SR-11-7 vendor risk review) can request the full DPA + subprocessor doc via email. Updated quarterly.

IP posture

The compression method and pack format are patent-pending. Customers using the substrate under BUSL-1.1 + Additional Use Grant (sub-$1M ARR + research + individuals) have an explicit royalty-free patent license for the BUSL term.

Need detailed compliance documentation?

Enterprise customers can request the SR-11-7 control mapping, FDA Computational Model Validation packet, EU AI Act mapping, vendor security questionnaire response (CSQR template), or DPA + subprocessor list directly:

Email founder@sipsalabs.com
