Legation · agentic delivery system · DoD-secure

Run software that couldn't pass an audit —
inside the most regulated VPC on earth.

Legation deploys your software — agents, MCP servers, even a whole app — inside your customer's own cloud, sealed and governed.

Deploy any app — agents, MCP, even a SaaS never built for on-prem — into anyone else's VPC. Sealed, governed, and cryptographically invisible to you and the routing hub. The customer holds the kill switch. The auditor gets the package on day one. And you keep the deal you were about to lose.

Deploy anything. Anywhere. Prove it's safe. Win the deal.

The core idea

The compliance is in the envelope. The app is just cargo.

Every control a regulator cares about — access, encryption, audit, data residency, kill switch — is enforced by the envelope that wraps the app at the VPC boundary, not by the app itself. So the app can be mediocre, un-hardened, never designed for on-prem, and it still lands secure, governed, and provably compliant. What the auditor reviews is the envelope, which is fixed and disclosed. That's why a bad app deploys safely — and why the audit is the same every time.

Can't exfiltrate

The app never touches the network. Only redacted, structure-only projections cross the membrane.

Can't exceed the treaty

Every action passes a 30-check policy gate enforced inside the customer's own VPC.

Instantly killable

A dual kill switch the customer holds — and the operator cannot override.

Provably compliant

Ships with its own multi-framework audit package. Hand it over; the auditor never digs.

Proven, not promised

It runs today. Not a deck — a working system.

Every load-bearing claim is demonstrable end to end, live — on a real file, a real workload, and a real MCP server.

legation — live
# the embassy in the customer's VPC —
  admit → govern → execute in-VPC → project   only a redaction leaves; the raw data never moves
  dual Recall                              the customer's kill switch — the operator cannot override it
  embassy dials OUT to the hub             zero inbound ports in the customer VPC
  embassy authenticates to register        Ed25519 · SHA-384 · replay-proof — no rogue embassy joins
  a real MCP server runs in-VPC            the hub is blind both ways — it never holds a key
  self-audit package, one command          live attestation + every framework, handed to the assessor

✓ the IP never leaves, because the inference never sees it
One product, every regulated buyer

The same governance hardened for the DoD — dialed down for your HIPAA workload.

Start at the hardest bar: the same envelope built to clear DoD IL5 in a SCIF. Now turn the dial down. A defense program office runs it at the Sovereign tier; a commercial CISO runs the same binary at Bolt-on or Regulated for a SOC 2, PCI-DSS, or HIPAA workload — and inherits the same moat: a CNSA SHA-384 seal, the treaty enforced inside your own VPC, dual Recall you hold, a metadata-only audit trail. One product, one dial. The binary that passes in a SCIF, in your VPC — without the DoD price or complexity.

DoD IL5 · CMMC L2 · HIPAA · PCI-DSS v4 · SOC 2 · ISO 42001 · GDPR · EU AI Act · NIST 800-171 · FedRAMP

"Not in your cloud" is the deal every regulated buyer kills today. Legation is the answer — and it ships with the security questionnaire already filled out.

A sealed, governed conduit into any VPC.
One dial: commercial bolt-on → DoD sovereign.

Endless cargo — agents, MCP, QA, A2A, any app. One conduit, built once, to a higher bar than anything else.