{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "serialNumber": "urn:uuid:staffinity-sbom-ai-2026-05-12",
  "version": 1,

  "metadata": {
    "timestamp": "2026-05-12T00:00:00Z",
    "authors": [{ "name": "Staffinity LLC", "email": "security@staffinity.io" }],
    "component": {
      "type": "application",
      "name": "Staffinity Secure AI Agent Platform",
      "version": "2026.5",
      "supplier": { "name": "Staffinity LLC", "url": ["https://staffinity.io"] },
      "description": "Fully managed enterprise AI agent platform deploying secure, compliance-ready AI agents inside Microsoft Teams and Slack for mid-market businesses.",
      "licenses": [{ "license": { "name": "Proprietary" } }],
      "externalReferences": [
        { "type": "website", "url": "https://staffinity.io" },
        { "type": "security-contact", "url": "https://staffinity.io/security" },
        { "type": "documentation", "url": "https://trust.staffinity.io" }
      ]
    },
    "properties": [
      { "name": "sbom:generationContext", "value": "post-deployment" },
      { "name": "sbom:aiGuidance", "value": "G7 SBOM for AI Minimum Elements (2026)" },
      { "name": "sbom:intendedApplicationArea", "value": "Enterprise workplace AI agent — financial services, healthcare, legal, professional services" },
      { "name": "system:dataUsage", "value": "Client data is never used to train AI models. Inference data is processed in dedicated per-client AWS accounts. Metadata is logged for audit purposes. No data is retained by AI model providers for training." },
      { "name": "system:dataFlow", "value": "User (Teams/Slack) → Microsoft Bot Framework → Staffinity Orchestrator (ECS Fargate, client AWS account) → Staffinity Agent (ECS Fargate, client AWS account) → Anthropic Claude API (TLS 1.3, no retention) → Response returned to user" },
      { "name": "system:inputOutputProperties", "value": "Input: text messages, file attachments (PDF, DOCX, XLSX, PPTX, images). Output: text responses, generated media. PII detection is applied to both inbound and outbound content." }
    ]
  },

  "components": [
    {
      "type": "application",
      "name": "Staffinity Orchestrator",
      "version": "2026.5",
      "description": "TypeScript/Node.js orchestration layer handling Microsoft Teams/Slack authentication, Entra ID RBAC, PII detection, rate limiting, and routing to the AI agent.",
      "supplier": { "name": "Staffinity LLC" },
      "licenses": [{ "license": { "name": "Proprietary" } }],
      "properties": [
        { "name": "infrastructure:runtime", "value": "AWS ECS Fargate (per-client dedicated account)" },
        { "name": "infrastructure:region", "value": "us-east-2 (default); eu-central-1 (EU clients)" },
        { "name": "security:accessControl", "value": "Microsoft Entra ID — role-based access via client Entra groups" },
        { "name": "security:encryption", "value": "TLS 1.3 in transit; AES-256 KMS at rest" },
        { "name": "security:rateLimit", "value": "30 requests/min and 200 requests/hr per user, enforced via Redis" },
        { "name": "security:promptInjection", "value": "All external (untrusted) content is wrapped in content boundary markers; PII detection is applied to inbound and outbound content" },
        { "name": "security:auditLog", "value": "Every interaction logged to DynamoDB (7-year TTL) and archived to S3 WORM (Object Lock, COMPLIANCE mode, for SOC 2 retention)" }
      ]
    },
    {
      "type": "application",
      "name": "Staffinity AI Agent (OpenClaw Gateway)",
      "version": "2026.5.7",
      "description": "OpenClaw-powered AI agent gateway providing tool execution, memory management, skills, and sub-agent orchestration.",
      "supplier": { "name": "Staffinity LLC" },
      "externalReferences": [
        { "type": "distribution", "url": "https://clawhub.ai" }
      ],
      "properties": [
        { "name": "infrastructure:containerRegistry", "value": "Amazon ECR (per-client account); image scanning enabled (scanOnPush=true)" },
        { "name": "security:imageScanning", "value": "ECR scan on every push; no known CVEs reported on production images as of this SBOM's timestamp" }
      ]
    },
    {
      "type": "machine-learning-model",
      "name": "Claude Sonnet 4.6",
      "version": "claude-sonnet-4-6",
      "supplier": { "name": "Anthropic, PBC", "url": ["https://anthropic.com"] },
      "description": "Primary reasoning model. General-purpose large language model used for agent response generation, tool use, and multi-step reasoning.",
      "licenses": [{ "license": { "name": "Anthropic API Terms of Service", "url": "https://www.anthropic.com/legal/aup" } }],
      "externalReferences": [
        { "type": "documentation", "url": "https://docs.anthropic.com/claude/docs/models-overview" },
        { "type": "documentation", "url": "https://www.anthropic.com/research/claude-sonnet" }
      ],
      "properties": [
        { "name": "model:producer", "value": "Anthropic, PBC" },
        { "name": "model:type", "value": "Large Language Model (LLM)" },
        { "name": "model:modality", "value": "Text, vision (image input)" },
        { "name": "model:intendedUse", "value": "Enterprise workplace AI agent responses, tool use, document analysis" },
        { "name": "model:knownLimitations", "value": "Context window limits; potential hallucination on factual queries; prompt injection susceptibility, mitigated (not eliminated) by Staffinity content boundary markers" },
        { "name": "model:trainingDataUsage", "value": "Staffinity client data is NOT used to train this model. Anthropic Enterprise DPA and GLBA addendum in place. Model weights are proprietary to Anthropic." },
        { "name": "model:hashValue", "value": "NOT AVAILABLE — model weights are proprietary and not disclosed by Anthropic. This is a known limitation for hosted API models under G7 SBOM for AI minimum elements guidance." },
        { "name": "model:license", "value": "Anthropic API Terms; Staffinity holds Enterprise DPA + GLBA addendum" },
        { "name": "model:lineage", "value": "Claude family; successor to Claude 3 Sonnet. Trained by Anthropic." }
      ]
    },
    {
      "type": "machine-learning-model",
      "name": "Titan Embed V2",
      "version": "amazon.titan-embed-text-v2:0",
      "supplier": { "name": "Amazon Web Services", "url": ["https://aws.amazon.com"] },
      "description": "Embedding model used for RAG (Retrieval-Augmented Generation) knowledge base indexing and semantic search.",
      "properties": [
        { "name": "model:producer", "value": "Amazon Web Services" },
        { "name": "model:type", "value": "Text embedding model" },
        { "name": "model:dimensions", "value": "1024" },
        { "name": "model:intendedUse", "value": "Document embedding for pgvector RAG knowledge base" },
        { "name": "model:trainingDataUsage", "value": "Client documents indexed for RAG are stored in dedicated per-client RDS pgvector instance. Not used to train the embedding model." },
        { "name": "model:hashValue", "value": "NOT AVAILABLE — model weights are proprietary to AWS Bedrock." }
      ]
    },
    {
      "type": "data",
      "name": "Client Knowledge Base (RAG)",
      "description": "Per-client document corpus indexed for retrieval-augmented generation. Populated from SharePoint, uploaded documents, and configured data sources.",
      "properties": [
        { "name": "dataset:storage", "value": "Amazon RDS PostgreSQL 16 with pgvector extension (per-client dedicated instance)" },
        { "name": "dataset:encryption", "value": "AES-256 KMS CMK (per-client key)" },
        { "name": "dataset:retention", "value": "Retained for duration of client engagement; deleted on contract termination" },
        { "name": "dataset:provenance", "value": "Client-owned documents sourced from SharePoint/OneDrive via Microsoft Graph API with delegated permissions. No third-party training data." },
        { "name": "dataset:dataUsage", "value": "Used exclusively for retrieval during inference. Not used for model training. Not shared between clients." }
      ]
    },
    {
      "type": "infrastructure",
      "name": "AWS Dedicated Client Account",
      "description": "Per-client dedicated AWS account provisioned via AWS Control Tower. Contains all compute, storage, networking, and encryption resources for that client.",
      "supplier": { "name": "Amazon Web Services", "url": ["https://aws.amazon.com"] },
      "properties": [
        { "name": "infrastructure:isolation", "value": "Account-level isolation (a dedicated AWS account per client) rather than tenant partitioning within a shared account. No shared compute between clients." },
        { "name": "infrastructure:compute", "value": "AWS ECS Fargate (serverless containers)" },
        { "name": "infrastructure:storage", "value": "Amazon DynamoDB (session/audit), Amazon S3 (WORM audit archive, media), Amazon RDS PostgreSQL (RAG)" },
        { "name": "infrastructure:network", "value": "VPC with private subnets, NAT Gateway, Application Load Balancer (ELBSecurityPolicy-TLS13-1-2-2021-06: TLS 1.3 preferred, TLS 1.2 also accepted)" },
        { "name": "infrastructure:encryption", "value": "AWS KMS CMK per client, annual rotation; AES-256 at rest; TLS 1.3 in transit" },
        { "name": "infrastructure:monitoring", "value": "AWS CloudWatch, GuardDuty (S3+malware protection), AWS Config (managed rules), CloudTrail (tamper-evident), CloudWatch Synthetics (uptime canaries)" },
        { "name": "infrastructure:backup", "value": "AWS Backup, three tiers on DynamoDB: daily (35-day retention), weekly (90-day), monthly (1-year); ElastiCache native 7-day snapshots" },
        { "name": "infrastructure:certifications", "value": "Inherited from the AWS platform (not attestations of the Staffinity application itself): SOC 2 Type II (AWS); ISO 27001 (AWS); FedRAMP (AWS)" }
      ]
    },
    {
      "type": "infrastructure",
      "name": "Perplexity Sonar API",
      "version": "sonar-pro",
      "supplier": { "name": "Perplexity AI, Inc.", "url": ["https://perplexity.ai"] },
      "description": "Web search capability used by AI agents for real-time information retrieval.",
      "licenses": [{ "license": { "name": "Perplexity API Terms of Service", "url": "https://www.perplexity.ai/hub/legal/api-tos" } }],
      "properties": [
        { "name": "component:dataUsage", "value": "Search queries are sent to Perplexity for web retrieval. No client personal data is included in search queries. DPA in place." },
        { "name": "component:dataRetention", "value": "Per Perplexity DPA — no client data retained for training." }
      ]
    }
  ],

  "vulnerabilities": [],

  "annotations": [
    {
      "subjects": ["*"],
      "annotator": { "organization": { "name": "Staffinity LLC", "contact": [{ "email": "security@staffinity.io" }] } },
      "timestamp": "2026-05-12T00:00:00Z",
      "text": "This SBOM for AI was prepared by Staffinity LLC in accordance with G7 SBOM for AI Minimum Elements guidance (2026), jointly published by CISA, NCSC (UK), BSI (Germany), ANSSI (France), ACN (Italy), CSE (Canada), NCO (Japan), and the EU Commission. Model hash values for hosted API models (Anthropic Claude, AWS Titan) are not available as the model weights are proprietary to the respective vendors — a known limitation documented in the G7 guidance for third-party hosted models. For security inquiries, contact security@staffinity.io."
    }
  ]
}
