bernstein writes an hmac-chained audit log of every orchestration action (each record's mac covers the previous record's mac, so an edited, reordered or deleted record breaks the chain), scopes credentials per agent (each worker gets only the keys it needs), keeps all state on disk in .sdd/, supports policy-engine and pii-gate plugins under src/bernstein/core/security/, and ships a bernstein audit verify command that re-checks the chain offline. there is no hosted backend in the default install; you run the orchestrator on your own box. note: the project does not claim soc 2, hipaa, or fedramp coverage. those are organisational programs built around a tool, not a property of the tool itself. what bernstein gives you is the technical primitives (tamper-evident logging, per-agent least privilege, local-only state, pluggable policy and pii checks) that a regulated team needs to make its own case to an auditor.
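to make the "hmac-chained" claim concrete, here is an added example (not bernstein's code, and not its on-disk record format; the field names, the genesis value and the jsonl layout are assumptions) of how such a chain is written and how an offline verifier catches an edited, deleted or reordered record. the sample actions are constructed.

```python
import hashlib
import hmac
import json

# Assumed layout, not bernstein's: one JSON record per line, each carrying the
# entry plus the HMAC that seals it to the record before it.
GENESIS_MAC = "0" * 64  # chain anchor used as "previous mac" for record 0


def _canonical(entry: dict) -> bytes:
    # Deterministic serialisation so writer and verifier hash identical bytes.
    return json.dumps(entry, sort_keys=True, separators=(",", ":")).encode()


def _seal(key: bytes, prev_mac: str, entry: dict) -> str:
    # mac_i = HMAC-SHA256(key, mac_{i-1} || "\n" || canonical(entry_i))
    h = hmac.new(key, digestmod=hashlib.sha256)
    h.update(prev_mac.encode("ascii"))
    h.update(b"\n")
    h.update(_canonical(entry))
    return h.hexdigest()


def append_action(log: list, key: bytes, agent: str, action: str, **detail) -> dict:
    """Append one orchestration action, sealed to the current chain head."""
    prev_mac = log[-1]["mac"] if log else GENESIS_MAC
    entry = {"seq": len(log), "agent": agent, "action": action, "detail": detail}
    record = {"entry": entry, "mac": _seal(key, prev_mac, entry)}
    log.append(record)
    return record


def verify_chain(log: list, key: bytes) -> tuple:
    """Offline re-check. Returns (ok, index): index of the first bad record,
    or len(log) when every record verifies."""
    prev_mac = GENESIS_MAC
    for i, record in enumerate(log):
        entry = record.get("entry")
        if not isinstance(entry, dict) or entry.get("seq") != i:
            return False, i  # gap, reordering or a deleted record breaks seq
        expected = _seal(key, prev_mac, entry)
        if not hmac.compare_digest(expected, record.get("mac", "")):
            return False, i  # edited entry, or a mac forged without the key
        prev_mac = record["mac"]
    return True, len(log)


def dump_jsonl(log: list) -> str:
    return "".join(json.dumps(r, sort_keys=True) + "\n" for r in log)


def load_jsonl(text: str) -> list:
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def demo() -> dict:
    """Build a short constructed log, then verify it and four tampered copies."""
    key = b"constructed-demo-key-do-not-reuse"
    log = []
    append_action(log, key, "planner", "spawn_worker", worker="w1", scope=["repo:read"])
    append_action(log, key, "w1", "run_tool", tool="grep", args=["TODO"])
    append_action(log, key, "w1", "write_file", path="notes.md")
    results = {"clean": verify_chain(log, key)}

    edited = load_jsonl(dump_jsonl(log))          # round-trip = deep copy
    edited[1]["entry"]["detail"]["tool"] = "rm"   # rewrite history in place
    results["edited"] = verify_chain(edited, key)

    deleted = load_jsonl(dump_jsonl(log))
    del deleted[1]                                # drop a middle record
    results["deleted"] = verify_chain(deleted, key)

    results["truncated"] = verify_chain(log[:-1], key)  # tail dropped: chain alone passes
    results["wrong_key"] = verify_chain(log, b"some-other-key")
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:10s} ok={outcome[0]} first_bad_or_len={outcome[1]}")
```

two caveats the example makes visible. first, dropping records from the tail leaves a chain that still verifies, so the verifier also needs the expected head mac or record count anchored somewhere the writer cannot change (a separate append-only file, a remote copy, or a signed checkpoint). second, anyone holding the hmac key can re-seal a rewritten log, so that key must not be inside any worker's credential scope; per-agent scoping is what keeps a compromised worker from forging its own audit trail.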
canonical answer