The market

Every regulated deal hits the same wall:
"Not in your cloud."

Software is going into production at regulated companies right now, and the buyer's rule is that the data cannot leave their environment. It is the same wall from top to bottom: a DoD program office demanding a SCIF-grade posture and a commercial CISO guarding a SOC 2 / PCI / HIPAA boundary kill the deal with the identical sentence. The vendor's choices today are to rebuild the whole stack on-prem (they can't) or to walk away (they do). Legation gives them a third option: ship as-is, wrapped.

Two segments, one product

The herd is the market. The DoD is the halo.

Segment             | Frameworks                                              | Delivery                                     | Role
The herd (volume)   | SOC 2 · HIPAA · PCI-DSS · ISO 42001 · GDPR · EU AI Act  | Managed BYOC VPC (their account, their keys) | revenue + growth
Sovereign (halo)    | DoD IL5 · CMMC · air-gap                                | Shipped software (they run it)               | margin + credibility

The volume is in the regulated commercial herd. The DoD tier is the trust anchor that closes the commercial sale — nobody selling into healthcare or fintech has a DoD-hardened governance story. You do. And it's one product on one dial: the same envelope, dialed from Sovereign down to Regulated or Bolt-on. The commercial buyer inherits the DoD-grade moat — CNSA SHA-384 seal, in-VPC treaty enforcement, dual Recall — with the tier setting the floor for their framework, not the IL5 label or the IL5 price.

What actually closes the deal

Three things a CISO needs. Legation has all three.

End of the questionnaire

A pre-built audit package collapses a six-week security review into a document. You sell de-risking, not software.

A kill switch they hold

The customer can sever the deployment unilaterally — and the operator cannot override it. The single sentence that relaxes a CISO.

Their account, their keys

BYOC (bring your own cloud): it runs in the customer's own VPC, encrypted under KMS keys the customer owns, inside the customer's network boundary. Sovereignty by construction.
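One concrete way the "their keys" and "a kill switch they hold" properties can be realized on AWS is a KMS key policy in which the customer's account root keeps full control, the vendor's workload role receives use-only rights, and an explicit Deny blocks every principal other than the customer from changing the key's state or its policy. This is an added illustration of the generic pattern, not Legation's own policy or code; the account ID 111122223333 is the placeholder AWS uses in its documentation and the role name legation-workload is assumed.

```json
{
  "Version": "2012-10-17",
  "Id": "customer-held-kill-switch",
  "Statement": [
    {
      "Sid": "CustomerRootRetainsFullControl",
      "Effect": "Allow",
      "Principal": { "AWS": "arn:aws:iam::111122223333:root" },
      "Action": "kms:*",
      "Resource": "*"
    },
    {
      "Sid": "VendorWorkloadRoleMayOnlyUseTheKey",
      "Effect": "Allow",
      "Principal": { "AWS": "arn:aws:iam::111122223333:role/legation-workload" },
      "Action": [
        "kms:Encrypt",
        "kms:Decrypt",
        "kms:GenerateDataKey",
        "kms:GenerateDataKeyWithoutPlaintext",
        "kms:DescribeKey"
      ],
      "Resource": "*"
    },
    {
      "Sid": "OnlyCustomerRootMayChangeKeyStateOrPolicy",
      "Effect": "Deny",
      "Principal": "*",
      "Action": [
        "kms:DisableKey",
        "kms:EnableKey",
        "kms:ScheduleKeyDeletion",
        "kms:CancelKeyDeletion",
        "kms:PutKeyPolicy"
      ],
      "Resource": "*",
      "Condition": {
        "ArnNotEquals": { "aws:PrincipalArn": "arn:aws:iam::111122223333:root" }
      }
    }
  ]
}
```

With this policy the customer severs the deployment by running `aws kms disable-key` on the key: every subsequent Decrypt and GenerateDataKey call from the workload role fails with a DisabledException, and because the role is never granted kms:EnableKey or kms:PutKeyPolicy (and the Deny statement would block it anyway), the operator has no path to re-enable the key or rewrite the policy. Pair this with an IAM review confirming that no vendor-controlled principal in the account carries kms:* or iam:* permissions, since a broad IAM grant elsewhere would reopen the door that the key policy closes.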

Six commercial verticals

The evidence pack is the vertical-specialization layer.

Same product. Flip the framework, flip the vertical. Two are open land-grabs — new law, no incumbents.

PCI-DSS

Fintech & payments. Card data never persists; PCI DSS Requirement 11 ("test security of systems and networks regularly") is satisfied by QA-in-VPC.

HIPAA

Healthcare & health-tech. "Minimum necessary" = only projections ever cross the membrane.

GDPR

Anything EU. Data-flow inversion is data-minimisation; residency is structural.

EU AI Act ⚡

Everyone deploying AI in the EU. New law, enforcement ramping, zero deployment-governance answers in market.

ISO 42001 ⚡

Enterprises formalizing AI governance. The first AI management standard — they're just starting to certify.

SOC 2

The default enterprise trust bar. The whole TSC (Trust Services Criteria) maps to the envelope's mechanisms.

The wall is universal, simultaneous, and unsolved.

That's the best possible time to sell infrastructure.