> ## Documentation Index
> Fetch the complete documentation index at: https://docs.cf0.ai/llms.txt
> Use this file to discover all available pages before exploring further.

# Security and trust overview

> How cf0 earns analyst trust — data governance, observability, accuracy guardrails, citations, and compliance-ready audit trails across the platform.

For an analyst at a regulated firm to put their name on a cf0-generated report, four things have to be true. cf0 ships all four.

<CardGroup cols={2}>
  <Card title="Data governance" icon="database" href="/security/data-governance">
    Where data lives, what's stored, sub-processors, org isolation. No training on your data.
  </Card>

  <Card title="Observability" icon="activity" href="/security/observability">
    Every Lab turn fully traced — system prompts, tools, model I/O, render output. Visible to engineers and analysts.
  </Card>

  <Card title="Guardrails" icon="shield-check" href="/security/guardrails">
    Deterministic code computes the numbers. Sandboxes isolate execution. Schemas validate every output. Missing inputs refuse to be fabricated.
  </Card>

  <Card title="Citations and audit trail" icon="link" href="/security/citations-and-audit">
    Every figure traces to its source. Threads export as compliance-ready audit trails.
  </Card>
</CardGroup>

## The posture at a glance

| Concern                        | cf0's answer                                                                                                                                                                                                          |
| ------------------------------ | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| "Where does my data live?"     | Immutable storage as the canonical record, US region. AI inference inside cf0's cloud perimeter.                                                                                                                      |
| "Who else touches it?"         | A curated set of sub-processors covering identity, infrastructure, AI inference, and observability — see the [categories](/security/data-governance#sub-processors). The full vendor list is disclosed under the DPA. |
| "Will it train on my data?"    | No. Customer threads, documents, and reports never enter a training set.                                                                                                                                              |
| "Can I trust the numbers?"     | Math runs in deterministic code templates, not AI inference. Outputs pass through schema validation before they reach storage or the UI.                                                                              |
| "Can I audit a report?"        | Every figure has a numbered footnote linking to the Sources Table; threads export as compliance-ready audit trails.                                                                                                   |
| "What if a number is missing?" | cf0 surfaces the gap rather than inventing it. See the [refuse-to-fabricate doctrine](/security/guardrails#refuse-to-fabricate).                                                                                      |
| "What about hallucinations?"   | Numbers are sandbox-computed. Prose can still drift — citations make every claim traceable and challengeable.                                                                                                         |

## Sign in

For sign-in flow, organisation invitations, and recovery, see [Authentication](/security/authentication).
