Resources
Reading for the people doing the diligence.
Whitepapers. Reference architectures. Honest writing for security teams.
These are the documents we point to when a security team asks for the technical detail behind the marketing page. For most of them, the full controls inventory sits under a non-disclosure agreement (NDA); the public versions are linked here.
What's in here
Three launch resources, with more added as the work demands them. Each is written for the same reader — someone whose job is to understand how the system works before they sign — and tested against the questions security teams actually ask. If something you need is not here, the engineering team will write it.
Launch resources
Start here
Security & Architecture Whitepaper
Threat model, controls inventory, key management, incident response, and the deployment-topology details that don't fit on the architecture page. The public version covers the architectural posture; the gated NDA version goes further on tuning, thresholds, and per-signal weights.
Why Your CISO Won't Let You Ship to OpenAI
A plain-English walk through what the regulatory and compliance regimes — Sarbanes-Oxley (SOX), the Health Insurance Portability and Accountability Act (HIPAA), the Federal Risk and Authorization Management Program (FedRAMP), the Payment Card Industry Data Security Standard (PCI DSS), and the European Union's General Data Protection Regulation (GDPR) — actually require, and why sending regulated data to third-party model APIs collides with them.
Sovereign-RAG Reference Architecture
A complete architectural diagram with the components, the data flows, the trust boundaries, the audit emission points, and the integration touchpoints with Identity, Key Management, and Security Information and Event Management (SIEM) systems. Suitable for an architecture review board.
What's coming
Quarterly we publish:
- A field report from the most interesting deployment of the quarter, with the customer's permission and identifying details removed.
- A controls-inventory delta — what changed in the architecture, what arrived in the audit format, what new attestation we earned.
- An honest postmortem of any incident that affected a customer deployment. That is the bar Citorum holds itself to; there is no version of this where we do not write the postmortem.
If you'd like to be notified, reach out. We are not running a marketing list, but we keep a small distribution list for security teams who have asked.
Need a document we haven't written yet?
If your security team has a specific question — a particular control framework, a particular jurisdiction, a particular threat model — and the answer is not in one of the resources above, ask us. We will either write it or tell you honestly that we cannot.