
IT Translation Pack v2 (CISO Edition)

The Procurement Packet That Survives A 300-Question Security Questionnaire

A REDLINE deployment is not a multi-tenant cloud service, so the standard 300-question SaaS security questionnaire mostly does not apply. This packet is the substitute: topology diagram, in-transit cipher spec, mTLS / SAML / SSO support matrix, DLP and EDR allowlist template letter, and cross-border compliance matrix. Hand it to the firm's CISO. Hand it to the carrier. Hand it to outside counsel. The audit clears in one meeting.

1. Topology Diagram

The firm-side requirement is one outbound HTTPS connection from authorized workstations to legal.nohumannearby.com. No inbound port. No firm-side appliance. No third-party AI vendors or cloud middlemen in the inference chain.

FIRM SIDE
  Partner / Associate Browser (Chrome / Edge / Safari)
  Firm SSO / IdP: Okta / Azure AD / Google
        |
        v
SECURE TUNNEL
  HTTPS 443 - TLS 1.3 - mTLS pinned
  AES-256-GCM, X25519 KEX
        |
        v
NHN-OPERATED
  NHN Regional Edge: legal.nohumannearby.com
  Dedicated Inference: customer-scoped, hardware-isolated
  No third-party AI processors. No cloud middlemen. No multi-tenant pool.

2. In-Transit Cipher Suite Spec

Every byte between the firm workstation and the dedicated NHN-operated inference capacity is wrapped in TLS 1.3 with mutual authentication. The cipher suite is pinned: no downgrade, no opportunistic encryption.

| Layer                 | Spec |
|-----------------------|------|
| Protocol              | TLS 1.3 (RFC 8446) only. TLS 1.2 and earlier are rejected at the edge. |
| AEAD Cipher           | TLS_AES_256_GCM_SHA384 (preferred), TLS_CHACHA20_POLY1305_SHA256 (fallback) |
| Key Exchange          | X25519 (Curve25519). Post-quantum hybrid X25519+Kyber768 in pilot on a customer-elected basis. |
| Authentication        | Mutual TLS. NHN pins the customer-issued client certificate fingerprint at provisioning. Customer pins the NHN-issued server certificate fingerprint at SSO setup. |
| Certificate Authority | Customer's PKI for the client cert chain. NHN's PKI for the server cert chain. Cross-pinned at the edge. |
| Certificate Lifetime  | Client certs rotated annually. Server certs rotated quarterly. ACME automation on both sides. |
| Forward Secrecy       | Enforced. Every session uses a fresh ephemeral key exchange. |
| Session Resumption    | PSK with at most 24-hour ticket lifetime. 0-RTT is disabled. |
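The client side of the spec above, as an added example (not NHN's code): a Python `ssl` context that refuses anything below TLS 1.3, requires and hostname-checks the server certificate, and pins the NHN server certificate fingerprint the way the Authentication row describes. The certificate file paths, the `connect_pinned` helper and the sample certificate bytes are assumptions; the pin value itself is delivered out of band at SSO setup and is not on this page.

```python
"""Client TLS policy matching the REDLINE in-transit spec (added example).

Assumptions: client cert/key live at the hypothetical CLIENT_CERT / CLIENT_KEY
paths, and the pinned server fingerprint is handed over at SSO setup. The
byte strings used in the checks are constructed, not a real NHN certificate.
"""
import hashlib
import hmac
import socket
import ssl

EDGE_HOST = "legal.nohumannearby.com"
CLIENT_CERT = "/etc/redline/client.pem"   # hypothetical path
CLIENT_KEY = "/etc/redline/client.key"    # hypothetical path


def build_context(load_client_identity: bool = False) -> ssl.SSLContext:
    """TLS 1.3 only, server cert required, hostname checked, compression off.

    load_client_identity defaults to False so the function runs without the
    hypothetical certificate files; a real deployment passes True to present
    the customer-issued client certificate for mutual TLS.
    """
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH)
    # "Protocol" row: TLS 1.2 and earlier are rejected at the edge; refuse them
    # on the client too so a downgrade cannot even be attempted.
    ctx.minimum_version = ssl.TLSVersion.TLSv1_3
    ctx.maximum_version = ssl.TLSVersion.TLSv1_3
    ctx.options |= ssl.OP_NO_COMPRESSION
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    if load_client_identity:
        ctx.load_cert_chain(CLIENT_CERT, CLIENT_KEY)
    return ctx


def policy_summary(ctx: ssl.SSLContext) -> dict:
    """Plain-value view of the context, usable in a pre-flight self-check."""
    return {
        "min": ctx.minimum_version.name,
        "max": ctx.maximum_version.name,
        "verify": ctx.verify_mode.name,
        "check_hostname": ctx.check_hostname,
        "compression_disabled": bool(ctx.options & ssl.OP_NO_COMPRESSION),
    }


def cert_fingerprint(der: bytes) -> str:
    """SHA-256 over the DER-encoded certificate, lowercase hex."""
    return hashlib.sha256(der).hexdigest()


def pin_matches(der: bytes, expected_hex: str) -> bool:
    """Constant-time comparison of the presented cert against the pinned value.

    Accepts the colon-separated upper-case form many consoles display.
    """
    expected = expected_hex.lower().replace(":", "")
    return hmac.compare_digest(cert_fingerprint(der), expected)


def connect_pinned(expected_hex: str, host: str = EDGE_HOST, port: int = 443):
    """Open a pinned TLS 1.3 session; raise if the server cert does not match.

    Returns (negotiated_version, cipher_name). Network call, so not exercised
    by the offline checks below.
    """
    ctx = build_context(load_client_identity=True)
    with socket.create_connection((host, port)) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            der = tls.getpeercert(binary_form=True)
            if not pin_matches(der, expected_hex):
                raise ssl.SSLError("server certificate fingerprint does not match pin")
            return tls.version(), tls.cipher()[0]


if __name__ == "__main__":
    print(policy_summary(build_context()))
    sample = b"constructed DER bytes, not a real certificate"
    print(pin_matches(sample, cert_fingerprint(sample)))  # True
```

Python's `ssl` module does not expose TLS 1.3 ciphersuite ordering (`set_ciphers` only affects TLS 1.2 and earlier), so the AEAD preference in the table is enforced by the edge and by the OpenSSL build, not by this context; the version floor, certificate requirement and pin are what the client can enforce on its own.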

3. mTLS / SAML / SSO Support Matrix

Authentication flows through the firm's existing identity provider. NHN does not maintain a user store on the firm's behalf.

| Identity Provider    | SAML 2.0 | OIDC            | SCIM            | MFA Pass-Through                        | Config Link                     |
|----------------------|----------|-----------------|-----------------|-----------------------------------------|---------------------------------|
| Okta                 | Yes      | Yes             | Yes             | Yes                                     | Setup guide on request          |
| Azure AD / Entra ID  | Yes      | Yes             | Yes             | Yes (Conditional Access pass-through)   | Setup guide on request          |
| Google Workspace     | Yes      | Yes             | Yes             | Yes                                     | Setup guide on request          |
| Ping Identity        | Yes      | Yes             | Yes             | Yes                                     | Setup guide on request          |
| Generic SAML 2.0     | Yes      | via OIDC bridge | via SCIM bridge | Pass-through to IdP                     | Generic SAML config template    |
| On-Prem ADFS         | Yes      | via OIDC bridge | via SCIM bridge | Pass-through                            | ADFS federation setup guide     |

4. DLP / EDR Allowlist Template Letter

For firms with strict outbound DLP and endpoint EDR controls, the legal.nohumannearby.com edge needs to be allowlisted at three places: the firm's outbound web proxy, the firm's EDR endpoint policy, and the firm's DLP egress inspector. The following template letter is the firm CISO's pre-filled artifact.

--- Template letter for the firm CISO ---

To: Network Engineering Team, EDR Operations, DLP Policy Owner
From: [Firm CISO]
Re: REDLINE outbound allowlist for the M&A practice group

Please apply the following allowlist entries to permit the M&A practice to use REDLINE (sovereign AI contract review).

OUTBOUND DESTINATIONS (web proxy + firewall egress)
  Hostname: legal.nohumannearby.com
  IPv4 CIDR: 198.51.100.0/24, 203.0.113.0/24 (customer-scoped subnet pinned at provisioning)
  IPv6 CIDR: 2001:db8:nhn::/48 (customer-scoped subnet pinned at provisioning)
  Port: TCP 443

TLS / JA3 FINGERPRINT (firewall + EDR network telemetry)
  Client JA3: 51c64c77e60f3980eea90869b68c1a3c
  Server JA3S: 7714ff97f7f7c706e1d61a7fce4af3a3
  (Both pinned at provisioning; rotated quarterly; current values delivered with the tunnel credentials)

EDR ENDPOINT POLICY (CrowdStrike Falcon / SentinelOne / Defender for Endpoint)
  Signed binary: none (REDLINE has no firm-side binary; pure web client)
  Browser allowlist: legal.nohumannearby.com permitted in any DLP-supervised browser profile
  Sample CrowdStrike IOA suppression:
    Domain: legal.nohumannearby.com
    Suppress: NetworkConnect.OutboundConnection.HighRiskDomain (false positive on first-day deploy)

DLP EGRESS INSPECTOR (Forcepoint / Symantec DLP / Microsoft Purview)
  Sample DLP policy exception (Forcepoint XML):
    <exception>
      <destination>legal.nohumannearby.com</destination>
      <tls-inspect>passive (mTLS pinned end-to-end)</tls-inspect>
      <file-classification>exempt (deal-room artifacts to vendor-operated sovereign AI)</file-classification>
      <justification>NHN dedicated infrastructure, no third-party AI processors</justification>
    </exception>

LOGGING
  Network telemetry on this destination should be retained per the firm's standard outbound audit policy. NHN-side audit logs are also exportable to the firm SIEM via the forwarder spec at /physical-custody.

Contact at NHN for any of the above: legal@nohumannearby.com
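The allowlist in the letter is only useful if the firm can verify that observed outbound connections actually match every pinned attribute, not just the hostname. The following is an added example (not NHN's, CrowdStrike's or Forcepoint's code) that evaluates constructed connection records against the letter's hostname, IPv4 CIDRs, port and JA3/JA3S values; `2001:db8::/48` stands in for the letter's IPv6 placeholder, and the record format is an assumption.

```python
"""Check outbound connection records against the REDLINE allowlist (added example).

Assumptions: records carry SNI, destination IP/port, negotiated TLS version and
JA3/JA3S hashes, as most proxy and EDR network telemetry does. Hostname, IPv4
CIDRs and JA3 values come from the template letter; the IPv6 prefix is a
stand-in for the letter's placeholder; all records below are constructed.
"""
import ipaddress
from dataclasses import dataclass

ALLOWED_HOST = "legal.nohumannearby.com"
ALLOWED_NETS = [ipaddress.ip_network(n) for n in (
    "198.51.100.0/24",   # from the letter
    "203.0.113.0/24",    # from the letter
    "2001:db8::/48",     # stand-in for the letter's IPv6 placeholder
)]
ALLOWED_PORT = 443
PINNED_JA3 = "51c64c77e60f3980eea90869b68c1a3c"    # client JA3 from the letter
PINNED_JA3S = "7714ff97f7f7c706e1d61a7fce4af3a3"   # server JA3S from the letter


@dataclass
class Conn:
    sni: str
    dst_ip: str
    dst_port: int
    tls_version: str
    ja3: str
    ja3s: str


def evaluate(c: Conn) -> tuple[bool, str]:
    """Return (allowed, reason). Every attribute must match; the first miss is reported.

    Hostname is checked first so the pinned CIDRs never become a general hole
    for other names resolving into the same ranges.
    """
    if c.sni.lower() != ALLOWED_HOST:
        return False, f"sni {c.sni!r} not allowlisted"
    ip = ipaddress.ip_address(c.dst_ip)
    if not any(ip in net for net in ALLOWED_NETS):
        return False, f"destination {c.dst_ip} outside pinned CIDRs"
    if c.dst_port != ALLOWED_PORT:
        return False, f"port {c.dst_port} is not 443"
    if c.tls_version != "TLSv1.3":
        return False, f"{c.tls_version} below TLS 1.3 floor"
    if c.ja3.lower() != PINNED_JA3:
        return False, "client JA3 does not match pinned value"
    if c.ja3s.lower() != PINNED_JA3S:
        return False, "server JA3S does not match pinned value"
    return True, "matches REDLINE allowlist"


# Constructed telemetry: one clean session and four that should be flagged.
SAMPLE_LOG = [
    Conn(ALLOWED_HOST, "198.51.100.17", 443, "TLSv1.3", PINNED_JA3, PINNED_JA3S),
    Conn(ALLOWED_HOST, "192.0.2.9", 443, "TLSv1.3", PINNED_JA3, PINNED_JA3S),
    Conn(ALLOWED_HOST, "203.0.113.5", 443, "TLSv1.2", PINNED_JA3, PINNED_JA3S),
    Conn(ALLOWED_HOST, "2001:db8:0:1::a", 443, "TLSv1.3", "deadbeef", PINNED_JA3S),
    Conn("other.example", "198.51.100.17", 443, "TLSv1.3", PINNED_JA3, PINNED_JA3S),
]


def triage(records) -> list[tuple[str, str, bool, str]]:
    """Run every record through evaluate() for a SIEM-style review listing."""
    return [(c.sni, c.dst_ip) + evaluate(c) for c in records]


if __name__ == "__main__":
    for sni, ip, ok, why in triage(SAMPLE_LOG):
        print(f"{'ALLOW' if ok else 'DENY '} {sni:<28} {ip:<18} {why}")
```

The JA3 comparison is strict equality, so it must be updated on the letter's quarterly rotation cadence (and on browser upgrades that change the client fingerprint); a stale pin surfaces as a denied record with a JA3 reason, which is the intended failure mode rather than a silent pass.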

5. Cross-Border Compliance Matrix

Regional NHN-controlled compute nodes service jurisdictionally-scoped deal rooms. Routing is pinned at the residency intake form signed by the firm's privacy counsel before any document is ingested.

| Region                        | Residency Posture | Trustee Jurisdiction (SDMS) | SLA |
|-------------------------------|-------------------|-----------------------------|-----|
| US-East / US-West             | US-domiciled processing only. No cross-border egress. | Customer-elected trustee in US jurisdiction (default) | Live, 99.95% uptime SLA |
| EU-Frankfurt / EU-Amsterdam   | EU-only processing. GDPR Articles 44-50 compliant via local-entity ring-fence. Co-location provider has zero logical access. | Customer-elected EU-domiciled trustee (default for EU firms) | Available on enterprise contract |
| UK-London                     | UK-only processing. Post-Brexit data residency clean. | Customer-elected UK-domiciled trustee | Available on enterprise contract |
| APAC-Singapore / APAC-Tokyo   | APAC-only processing. PDPA / APPI compliance via local-entity ring-fence. | Customer-elected APAC-domiciled trustee | On request, Q4 2026 target |

SDMS trustee model. The Sovereign Deadman Switch uses customer-elected trustees in different legal jurisdictions for threshold-key release, replacing the traditional third-party escrow-vendor model. Trustees hold key shares only; they do not host or operate any NHN infrastructure. Customer counsel selects the trustee roster at contract signing.

Full per-region playbook (including the residency intake form, the per-region audit-log schema, and the customer-counsel review materials) is in the Procurement Audit Pack.

Procurement Audit Pack Request

For the full procurement audit pack (named co-location facility roster, SOC 2 Type 2 reports under NDA, the residency intake form, the cipher rotation schedule, and the customer-side IOA suppression / DLP exception XML in editable form):

Email: legal@nohumannearby.com