Sentinel · Security & Data Handling FAQ
How Sentinel protects your sensitive information
Crisis Management Manuals, role authority maps and exercise scenarios are sensitive material. This page is a plain-language summary of how Sentinel handles them — written for HSE, Risk and IT procurement readers.
Sentinel Security Brief (PDF, ~5 pages)
The full document your CISO, Internal Audit team, or Board will ask for. Covers PII-redaction flow, LLM-provider commitments, encryption at rest & in transit, audit logging, data retention by class, and honest disclosure of controls not yet in place.
Download Security Brief · Preview in browser
Is my manual encrypted?
Yes. Every uploaded manual is symmetrically encrypted before it is stored (Fernet — AES-128-CBC with HMAC-SHA256). The key is held separately from the database. Even if the database were exfiltrated, the manual content would remain ciphertext.
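The property the answer above relies on (a database dump alone yields only ciphertext, because the key lives elsewhere) can be checked directly. The following is an added illustration using the Python `cryptography` library's Fernet recipe, not Sentinel's own code; the in-memory `db` dict, the environment variable name `SENTINEL_MANUAL_KEY` and the sample manual text are all constructed for the example.

```python
import os
from cryptography.fernet import Fernet, InvalidToken

# Hypothetical name of the environment variable (or secrets-manager entry) that
# holds the base64 Fernet key. It is never written into the database.
KEY_ENV_VAR = "SENTINEL_MANUAL_KEY"

# Constructed sample manual content.
SAMPLE_MANUAL = b"Section 4.2 Escalation: notify the Crisis Director within 15 minutes."


def load_key() -> bytes:
    """Read the key from the environment, keeping it separate from stored data."""
    key = os.environ.get(KEY_ENV_VAR)
    if key is None:
        # Stand-alone demo only: mint one key per process so the example runs.
        key = Fernet.generate_key().decode()
        os.environ[KEY_ENV_VAR] = key
    return key.encode()


def store_manual(db: dict, manual_id: str, plaintext: bytes) -> None:
    """Encrypt before storing. db stands in for the manuals collection."""
    db[manual_id] = Fernet(load_key()).encrypt(plaintext)


def fetch_manual(db: dict, manual_id: str) -> bytes:
    """Decrypt on read. Fernet checks the HMAC-SHA256 tag before decrypting,
    so a tampered blob or a wrong key raises InvalidToken rather than returning garbage."""
    return Fernet(load_key()).decrypt(db[manual_id])


def db_leaks_plaintext(db: dict, plaintext: bytes) -> bool:
    """What an attacker holding only a database dump could read: True if any
    stored blob contains the plaintext."""
    return any(plaintext in blob for blob in db.values())


def wrong_key_is_rejected(db: dict, manual_id: str) -> bool:
    """A freshly generated (wrong) key must fail authentication, not decrypt."""
    try:
        Fernet(Fernet.generate_key()).decrypt(db[manual_id])
    except InvalidToken:
        return True
    return False


if __name__ == "__main__":
    db = {}
    store_manual(db, "manual-001", SAMPLE_MANUAL)
    print("database exposes plaintext:", db_leaks_plaintext(db, SAMPLE_MANUAL))
    print("round trip intact:", fetch_manual(db, "manual-001") == SAMPLE_MANUAL)
    print("wrong key rejected:", wrong_key_is_rejected(db, "manual-001"))
```

The point of `wrong_key_is_rejected` is that Fernet is encrypt-then-MAC: integrity is verified first, so a stolen ciphertext cannot be silently altered or decrypted with a guessed key. Key rotation is the operational question this raises; Fernet supports it via `MultiFernet`, which lets old tokens be read while new writes use the current key.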
What personal information from my manual is sent to the LLM?
None. Before any manual content is transmitted to Anthropic or OpenAI, Sentinel automatically redacts: email addresses, phone numbers in all common formats (Australian mobile / landline, +61 international, US-style, 1300/1800), and names of individuals appearing after role or title cues (e.g. "Approved by: Sarah Johnson", "Crisis Director:", "Dr Andrew Chen"). These are replaced with opaque tokens ([EMAIL_001], [NAME_001]) for the duration of the LLM call. Sentinel restores the real values on our servers after the model returns its response — your team's contact details never reach Anthropic or OpenAI in identifiable form. The full flow is in the downloadable Security Brief.
Are LLM providers training on my data?
No. Sentinel calls Anthropic (Claude Sonnet 4.5 + Haiku 4.5) and OpenAI (GPT-5.1 as cross-provider fallback) via their commercial APIs, where contractual T&Cs exclude API inputs from model training. Anthropic's commercial API has zero retention by default; OpenAI's commercial API retains data for 30 days for abuse monitoring only, then deletes. The consumer products (claude.ai, ChatGPT) are never used by Sentinel.
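The redact-call-restore flow described two answers up, as an added, self-contained Python example. This is not Sentinel's redaction code: the regular expressions, the cue list for names, the token format and the sample manual excerpt are all constructed here, and `fake_model_response` stands in for the provider call so the example runs offline.

```python
import re
from dataclasses import dataclass, field

# Constructed sample manual excerpt; every contact detail in it is fictitious.
SAMPLE_MANUAL = (
    "Crisis Management Manual v3\n"
    "Approved by: Sarah Johnson\n"
    "Crisis Director: Dr Andrew Chen\n"
    "Contact the duty officer on 0412 345 678 or +61 2 9876 5432, "
    "or email crisis.lead@example.com. Emergency line: 1800 123 456.\n"
)

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

# Australian mobile / landline, +61 international, 1300/1800 and US-style numbers.
PHONE_RE = re.compile(
    r"(?<!\w)(?:"
    r"\+61[ \t]?\d(?:[ \t-]?\d){8}"            # +61 2 9876 5432
    r"|0\d(?:[ \t-]?\d){8}"                     # 0412 345 678, 02 9876 5432
    r"|1[38]00(?:[ \t-]?\d){6}"                 # 1300 / 1800 numbers
    r"|\(?\d{3}\)?[ \t.-]?\d{3}[ \t.-]?\d{4}"   # 555-123-4567
    r")(?!\w)"
)

# Names following a role or title cue. The cue is kept; only the name is tokenised.
# The cue list is illustrative and deliberately short.
NAME_RE = re.compile(
    r"\b(?:Approved by|Prepared by|Crisis Director|Dr|Mr|Ms|Mrs)[ \t]*:?[ \t]+"
    r"((?:[A-Z][a-z]+)(?:[ \t]+[A-Z][a-z]+)+)"
)


@dataclass
class RedactionMap:
    """Token -> original value. Exists only on our side of the LLM call."""
    tokens: dict = field(default_factory=dict)
    counters: dict = field(default_factory=dict)

    def token_for(self, kind: str, value: str) -> str:
        # Reuse the token if the same value recurs, so the model sees one identity.
        for tok, orig in self.tokens.items():
            if orig == value and tok.startswith(f"[{kind}_"):
                return tok
        n = self.counters.get(kind, 0) + 1
        self.counters[kind] = n
        tok = f"[{kind}_{n:03d}]"
        self.tokens[tok] = value
        return tok


def redact(text: str) -> tuple[str, RedactionMap]:
    """Replace emails, phones and cued names with opaque tokens before any model call."""
    rmap = RedactionMap()
    text = EMAIL_RE.sub(lambda m: rmap.token_for("EMAIL", m.group(0)), text)
    text = PHONE_RE.sub(lambda m: rmap.token_for("PHONE", m.group(0)), text)

    def _name(m: re.Match) -> str:
        return m.group(0).replace(m.group(1), rmap.token_for("NAME", m.group(1)))

    text = NAME_RE.sub(_name, text)
    return text, rmap


def restore(text: str, rmap: RedactionMap) -> str:
    """Put the real values back into whatever the model returned."""
    for tok, orig in rmap.tokens.items():
        text = text.replace(tok, orig)
    return text


def fake_model_response(redacted_manual: str) -> str:
    """Stand-in for the provider call: the model only ever sees tokens and echoes them."""
    return ("Inject 1 (T+00:05): [NAME_001] confirms the Crisis Director "
            "has been paged on [PHONE_001].")


if __name__ == "__main__":
    redacted, rmap = redact(SAMPLE_MANUAL)
    print(redacted)                     # what leaves our servers
    print(restore(fake_model_response(redacted), rmap))   # what the user sees
```

Two details matter more than the regexes themselves: the mapping never leaves the process that made the call, and ordering is deliberate (emails before phones before names) so that a token inserted by one pass cannot be partially matched by a later pass. Pattern-based redaction has known limits, which is why the answer above scopes it to the listed categories; names that appear without a cue, or phone numbers in unusual layouts, would need a dedicated PII detector.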
Can other users see my exercises or manual?
No. Every read, edit, download and delete endpoint is filtered by your authenticated user ID. If another user attempted to fetch your exercise by URL, they would receive a 404 — not a redacted view, not a preview, not a "permission denied" that leaks existence.
What about the Public Library?
The Sentinel Library is curated — it shows only worked-example scenarios authored by Sentinel for demonstration purposes. User-generated exercises are private to the account that created them. If you need to share an exercise with a colleague, use Export → PDF or DOCX and send the file directly.
Can I delete my data?
Yes. On the Security & Privacy page there is a hard-delete that wipes every exercise, session, audit entry and your user record. It is an actual purge, not a soft delete with a "recover for 30 days" flag.
Can I avoid storing my manual entirely?
Yes. On the upload form, tick "Delete manual content after generation completes". Once your scenario pack is built, the manual content is wiped from storage. The trade-off: you cannot re-generate the pack later without re-uploading.
How is authentication handled?
Sign-in is via Google Workspace or Microsoft 365 OAuth — Sentinel never stores a password. Sessions are carried in HTTP-only, Secure, SameSite=None cookies — not readable by JavaScript, not vulnerable to a typical XSS exfiltration. Sessions expire after 7 days. Logout invalidates the session token server-side immediately.
Do you log who views my exercises?
Yes — for your own assurance. Every meaningful action on your exercises (create, retry, PDF export, share, unshare) is appended to a per-user audit log that only you can view. The log shows the timestamp, action, exercise, and any relevant details. See it at Settings → Activity Log.
Is transport encrypted?
All traffic between your browser and Sentinel is TLS 1.3. No plain HTTP is accepted.
Are Sentinel's generated outputs designed for readability under pressure?
Yes — explicitly. Sentinel applies a content-type-aware Usability Mapping discipline to every LLM-generated artefact, aligned to AS ISO 24495-1:2024 (Australian Plain Language Standard). Strategic content read at the desk during preparation — manual sections, Standards Review reports, maturity narratives, executive summaries — is pitched at senior-professional register (Flesch-Kincaid Grade 11-13), using industry and regulatory terminology precisely. Operational content read mid-exercise or mid-incident — scenario injects, TARP rows, Duty Cards, holding statements, action register entries — is pitched at cognitive-load-aware Grade 9-10. Short sentences, active voice, imperative verbs, concrete nouns, bullet structure where the content has more than two items. This is the discipline applied to aviation Quick Reference Handbooks, NASA flight rules and military Rules of Engagement — your readers are degree-qualified professionals, but the content is shaped for how it is consumed, not the reader's IQ.
What about AI provider data handling?
Scenario generation calls Anthropic Claude or OpenAI models via the Emergent universal LLM gateway. The manual excerpt sent to the model is the minimum required for relevant scenario drafting (≈10 pages of text or the RACI/Authorities sections, whichever is smaller). Providers do not use API traffic for training under Anthropic and OpenAI enterprise terms. Content sent to the model is not retained by Sentinel after the request completes beyond the scenario pack it produces.
Is there rate limiting on authentication?
Yes. The session-exchange endpoint rate-limits by IP: 20 attempts per minute. Further automated attempts are rejected with HTTP 429.
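A per-IP sliding window with the figures quoted above (20 attempts per minute, HTTP 429 beyond that), as an added Python example. It is not Sentinel's implementation; `session_exchange` is a hypothetical handler and the IP addresses are documentation-range values constructed for the demo.

```python
import time
from collections import defaultdict, deque

LIMIT = 20            # attempts allowed per IP ...
WINDOW_SECONDS = 60   # ... within this sliding window


class IpRateLimiter:
    """Sliding-window counter keyed by client IP. The clock is injectable so the
    window can be tested without sleeping."""

    def __init__(self, limit: int = LIMIT, window: float = WINDOW_SECONDS, clock=time.monotonic):
        self.limit = limit
        self.window = window
        self.clock = clock
        self._hits: dict[str, deque] = defaultdict(deque)

    def allow(self, ip: str) -> bool:
        now = self.clock()
        q = self._hits[ip]
        # Drop timestamps that have aged out of the window.
        while q and now - q[0] >= self.window:
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


def session_exchange(limiter: IpRateLimiter, client_ip: str, auth_code_valid: bool) -> int:
    """Hypothetical session-exchange endpoint returning an HTTP status code.
    Every attempt counts against the limit, successful or not, so a flood of bad
    codes cannot bypass the limiter."""
    if not limiter.allow(client_ip):
        return 429
    return 200 if auth_code_valid else 401


if __name__ == "__main__":
    limiter = IpRateLimiter()
    statuses = [session_exchange(limiter, "203.0.113.5", False) for _ in range(22)]
    print(statuses)   # twenty 401s, then 429s
```

The operational caveat is where `client_ip` comes from: behind a load balancer every request arrives from the proxy's address, so the limiter must read the client address from a forwarding header that the proxy itself sets, and must ignore any such header supplied by the client. Note also that in-memory state only works for a single process; a deployment with several workers needs a shared store such as Redis for the counters.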
Where is my data stored?
Application data (exercises, manuals, role cards, action registers) is stored in MongoDB Atlas in the US-East region. Daily snapshots are taken and retained for 7 days. Customers with Australian-data-residency or AU-Government IRAP requirements should contact us — we operate AU-region deployment for organisations whose procurement requires it.
What's your data-retention policy?
Live data is retained for as long as your subscription is active. When a subscription lapses, your account moves to a 12-month read-only Vault — you can sign in, view, and download anything you previously generated, but new generations require resubscribing. We email you a 7-day warning before the Vault expires, giving you time to either download a final copy or resubscribe to preserve access. After 12 months, the account and all associated exercises, manuals, audit logs and Action Register entries are permanently deleted. You can request immediate deletion at any time — email support@sentinelcmt.com and we'll action it within 1 business day.
Who is behind Sentinel?
Sentinel is built by an Australian-based HSE professional with 30 years of operational crisis response experience across mining, energy, major hazard facilities, heavy industry and infrastructure — at both asset-owner and major contractor levels. The product is currently a single-founder build — no offshore sub-contractors, no third-party developers with access to customer data. Trading entity, ABN and full contact details are available on request for procurement; ask via support@sentinelcmt.com.
Things we're honest about
Sentinel is purpose-built for small-to-mid HSE teams. We do not yet hold SOC 2 Type II certification, have not yet commissioned an independent penetration test, and do not yet offer SSO/SAML or configurable data residency. If any of those are a hard procurement requirement for your organisation, please get in touch — we can discuss a roadmap and, in some cases, accelerate the work for you.