Technical Architecture

← Back to How It Works

This page is for:

  • Security teams conducting vendor risk assessments
  • Compliance officers evaluating HIPAA/SOC 2 technical controls
  • Engineers integrating Tenet into existing infrastructure

All detection, encryption, and storage runs locally. This page documents exactly how.

Jump to:
01 Interception · 02 Detection · 03 Redaction · 04 Token Store · 05 Audit Trails · 06 HITL Gates · 07 Policy Bundles · 08 Local Architecture · 09 Limitations · 10 Compliance

01 — Interception

Implementation

  • Four-point interception covering all data ingress and egress paths in the Claude Cowork execution model
  • Pre-transmission redaction on ingress; detection-and-advisory on egress
  • Session Start hook: auto-starts server, injects policy context
  • PostToolUse hook behavior: detects but cannot redact — PHI in tool responses reaches Claude's context before Tenet can act
  • Task/subagent outputs are not currently scanned

02 — Detection

Implementation

  • DeBERTa v3 transformer (317MB ONNX) via ONNX Runtime
  • 512-token overlapping windows with 128-token stride
  • 12 structural regex patterns: IP addresses, VINs, NPIs, DEA numbers, MRNs, dates in every format
  • JSON key heuristics: semantic field name detection (mrn, ssn, patient_name)
  • Confidence scoring per entity type

03 — Redaction

Implementation

  • Standard mode: opaque placeholders [SSN_1], [EMAIL_2], [NAME_3]
  • Safe Harbor mode: implements §164.514(b)(2)(i) — ZIP → 3 digits, dates → year only, ages >89 → ≥90
  • Reversible de-identification with encrypted token storage
  • Session-scoped token mappings with AES-256-GCM and TTL-based expiration

04 — Encrypted Token Store

Implementation

  • Per-record AES-256-GCM with unique nonces
  • Key management: macOS Keychain primary, local keyfile with 0600 permissions as fallback
  • Session isolation prevents cross-session data leakage
  • Recovery requires same API key that created the tokens

Compliance Notes

SOC 2 CC6.1 (encryption at rest), CC6.5 (data retention), P3 (collection limitation)

05 — Audit Trails

Implementation

  • Dual SQLite + append-only JSONL output
  • PHI-exclusion via hardcoded forbidden-key processor
  • Queryable via API: session, entity, hook, date filters
  • Enterprise: WORM-compatible archival to S3 Object Lock
  • Configurable 6-year retention

Compliance Notes

HIPAA §164.312(b) audit controls via append-only logging with configurable 6-year retention
SOC 2 CC7.1 (monitoring), CC8.1 (change management)

06 — Human-in-the-Loop Gates

Implementation

  • Asymmetric broadening: “block” generalizes across contexts; “permit” stays narrow to the specific operation approved
  • Two-tier decision memory: session-scoped (TTL) + persistent (user-managed)

Compliance Notes

SOC 2 CC6.1, CC6.3 (logical access controls)

07 — Policy Bundles

Implementation

  • Named policy bundles with per-category detection config overrides
  • Extensible via custom tenets in JSON
  • Per-entity overrides: block SSNs while allowing redacted names within the same policy
  • HIPAA Minimum Necessary profile: 8 entity types, threshold 0.80
  • Prompt classification auto-routes entity types to matching policy

08 — Local-Only Architecture

Implementation

  • FastAPI on 127.0.0.1:19990 — loopback-only binding enforced at server level
  • Encrypted SQLite on-device at ~/.tenet/
  • Bearer token authentication on all PHI-sensitive endpoints
  • macOS LaunchAgent for auto-start
  • Model binary ships with app — no post-install download

Compliance Notes

SOC 2 P3 (collection limitation), P7 (TLS 1.2+ in transit), CC6.6 (network boundary)

09 — Known Limitations

Tenet is designed to be evaluated honestly. These are the current boundaries of the technical safeguard layer.

Area Limitation Mitigation
PostToolUse interception Detects but cannot redact tool output — PHI reaches Claude's context before Tenet can act Restrict PHI at the data source; pair with administrative safeguards
Subagent outputs Task/subagent outputs are not currently scanned Scope agentic workflows to non-PHI data paths
Detection accuracy Probabilistic — false negatives will occur for non-standard formats and domain-specific terminology Treat as one layer in a defense-in-depth stack
Physical safeguards Tenet does not manage device-level controls Enable FileVault full-disk encryption and screen lock
Multi-user monitoring Local-only architecture has no centralized audit aggregation Tenet Enterprise for org-wide deployment

10 — Compliance Notes

HIPAA Technical Safeguards (45 CFR §164.312)

Requirement Tenet Control Section
Access controls Bearer token auth on all PHI-sensitive endpoints 08
Audit controls Append-only JSONL, configurable 6-year retention 05
Integrity controls AES-256-GCM with per-record nonces 04
Transmission security Pre-transmission redaction; loopback-only binding 01, 08
De-identification Safe Harbor §164.514(b)(2)(i) transforms 03

SOC 2 Trust Services Criteria

Criteria Tenet Control Section
CC6.1 AES-256-GCM encryption at rest; HITL authorization gates 04, 06
CC6.3 Explicit user authorization for sensitive operations 06
CC6.5 TTL-based token expiration; session-scoped data 04
CC6.6 Loopback-only network binding 08
CC7.1 Structured audit trails with session/entity/hook filters 05
CC8.1 Append-only audit log for change management 05
P3 No PHI transmitted externally for processing 08
P7 TLS 1.2+ on all endpoints 08

Conducting a vendor security review?

We provide completed VSAs, penetration test summaries, and BAA templates for enterprise evaluations.

Contact us →