SENTINEL CLM
Security-first contract lifecycle management
Built for regulated industries and the defense supply chain: every contract encrypted, every action on an immutable audit trail, least privilege by default, CMMC 2.0 evidence as a byproduct of normal use.
Sign in →OIDC + MFA. First sign-in prompts a password change and authenticator enrollment.
Platform status
API operational · Zero-Trust core: authn, tenant isolation, deny-by-default authz, hash-chained audit log
Build roadmap
- Phase 0 — Secure foundationscomplete
- Phase 1 — Contract corecomplete
- Phase 2 — Vendor & riskcomplete
- Phase 3 — AI automationcomplete
- Phase 4 — Compliance & assessmentscomplete
- Phase 5 — Deployment & enablementcomplete
Now live
- Encrypted contract ingest — AES-256-GCM envelope encryption, per-tenant keys, malware-scanned, sandboxed parsing + OCR
- Sensitivity classification, row-level ABAC, and full-text search that never leaks across clearance
- Approval workflows — server-authoritative state machine, separation of duties, append-only decision log
- Vendor & third-party risk — onboarding, questionnaires, deterministic scoring, and a portfolio risk dashboard
- AI assistance through a single gated gateway — suggest-only, schema-validated, a human confirms every action
- Compliance — NIST 800-171 catalog, evidence collection, gap & POA&M tracking, derived immutable SPRS-style self-assessments, and sealed evidence-pack export
- Secure-by-default tenant provisioning — one command, MFA required, single-use rotating credential, per-tenant encryption, and audit active from action zero
- Per-tenant feature modules — server-enforced phased rollout (allowed + enabled), fail-closed, so capabilities expand without ever weakening a control
- Bulk migration tooling — resumable, reconcilable, contained-on-failure imports that reuse every ingest defense at scale, with no silent data loss
- In-app onboarding & help — guidance-only tutorials that reuse normal authz, plus safely-rendered tenant help content
- Infrastructure as code — a secure-by-default, tfsec-gated Terraform baseline (encryption, private networking, least-privilege IAM, audit logging) with a GovCloud/FedRAMP on-ramp