Built for the compliance bar of regulated capital.
Vendor-onboarding teams, ask away. Below is the public posture for code-signing identities, integrity manifests, compliance status, vulnerability disclosure, and our data sub-processors.
Code-signing identities
Every Dominion artifact is signed before publication. Match the publisher names below against the signature you see in the OS install dialog.
- Apple Team ID
ANOMA1Y9X4- Apple Developer ID Application
Developer ID Application: ANOMALY INNOVATIONS, INC. (ANOMA1Y9X4)- Apple Developer ID Installer
Developer ID Installer: ANOMALY INNOVATIONS, INC. (ANOMA1Y9X4)- Windows publisher
CN=ANOMALY INNOVATIONS, INC.- Signing service (Windows)
- Azure Trusted Signing — endpoint published in release notes per build.
- Linux integrity
- deb / rpm / AppImage are unsigned by AWS but accompanied by a GPG-signed
SHA256SUMSdetached-signature file at the integrity link below.
Release integrity
Every release ships a SHA256SUMS file and a GPG-signed counterpart. Verify before you install — IT auditors expect it.
- Latest stable manifest
- https://downloads.siganalytica.com/manifests/stable.json
- Latest beta manifest
- https://downloads.siganalytica.com/manifests/beta.json
- SHA256SUMS (per release)
- https://downloads.siganalytica.com/releases/v1.0.0/SHA256SUMS (replace
v1.0.0with the version you're verifying). - GPG public key
- Download (.asc)
- GPG fingerprint
4A4F 8B9A 1E5C 9D9D 2F4B 6F78 3C9E 8A1D 0F12 ABCD- Verify command
gpg --verify SHA256SUMS.gpg SHA256SUMS && sha256sum -c SHA256SUMS
Compliance
Public posture; full reports under MNDA. Ask the address below.
- SOC 2 Type II
- In progress — observation period began 2026-04-01. Type I report available now.
- ISO/IEC 27001
- Roadmap; certification target 2026 H2.
- GDPR / DPA
- DPA available on request from legal@siganalytica.com.
- Data residency
- Backend data in AWS ap-south-1 (Mumbai). Customers needing EU/US residency: enterprise contract path.
- Local-first stance
- Dominion runs spreadsheets, filings, and run artifacts on the operator's machine or VPC by default. Telemetry is opt-in only.
Vulnerability disclosure
Reports are triaged within one business day.
- Disclosure address
- security@siganalytica.com
- PGP key for sensitive reports
- Download (.asc)
- Expected initial response
- ≤ 1 business day; severity-rated remediation plan within 5 business days.
- Safe-harbor
- We do not pursue legal action against good-faith research that respects this process.
Data sub-processors
Where your data lives when you opt to share it with us.
- Cloud
- Amazon Web Services (ap-south-1)
- DNS / CDN edge
- Cloudflare — DNS only for downloads.siganalytica.com (no proxy)
- Email transactional
- AWS SES
- Customer support
- Email-only; no third-party ticketing for compliance reasons
- Analytics
- First-party only; no third-party trackers on customer-facing surfaces
Authentication & access
How operators sign in and how Dominion devices are activated.
- Sentinel IAM
- Multi-tenant identity provider behind every Sig Analytica product. SSO + SCIM available on enterprise plans.
- License JWTs
- RS256 signed by Sentinel's OIDC keypair; verified by the desktop app against the public JWKS endpoint.
- Desktop downloads
- Every binary download is a one-shot CloudFront signed URL minted by Sentinel after session + tier + quota checks. URLs expire in 5 minutes.
- Audit trail
- Every license issuance, device activation, device revocation, and download is recorded to the immutable `audit_logs` table and exposed to the operator in their Sentinel /dominion → Compliance tab.
Move from scattered signals to capital-ready decisions.
Sig Analytica connects market research, relationship context, and deal workflows into one operating layer for private capital teams.