JIL Sovereign Technologies, Inc. · Deployment Document · JIL-DD-CUST-001
Everything your IT, identity, network, compliance, and procurement teams need to configure on your side before JIL Sovereign can go live in your environment. Hand this document to those teams as a single source of truth — every required + recommended action is itemized with the exact endpoint, ID, or document name.
Companion to JIL on Snowflake · Technical Design Document and JIL Cloud Architecture. Updated whenever a new external dependency lands.
Your identity provider becomes the authoritative source for who can sign into the JIL customer portal. We do not maintain a separate password store for federated users.
| Item | What you do | Status |
|---|---|---|
| SSO (OIDC or SAML 2.0) | Register JIL as a relying party in your IdP (Okta / Azure AD / Ping / Auth0). We accept either OIDC (/oauth/callback) or SAML 2.0 (POST-binding). We provide the metadata XML / OIDC discovery URL after contract. |
Required |
| SCIM 2.0 provisioning | Push user lifecycle events to JIL: create, update, deactivate. Endpoint: https://customer.jilsovereign.com/scim/v2/. We issue a bearer token per tenant. SCIM avoids "stale users" risk after employees leave your org. |
Required |
| Group-to-role mapping | Map your IdP groups to JIL roles: SIU_ANALYST, SIU_SUPERVISOR, COMPLIANCE_OFFICER, READ_ONLY_AUDITOR, TENANT_ADMIN. We send a worksheet — you fill in the group names from your directory. |
Required |
| MFA enforcement | JIL trusts your IdP's MFA decision. If your IdP requires MFA for the JIL app, we honor that. If not, JIL can enforce a step-up MFA on sensitive actions (Authorize Tier 2, sign CREB™) via WebAuthn. | Required |
| Session policy | Session lifetime, idle timeout, concurrent-session limits — we use your IdP defaults unless you specify overrides. | Recommended |
| Service account for SCIM | Create a non-human IdP account with permissions only to call SCIM. Rotate its bearer token quarterly. | Required |
If your network team operates an outbound firewall, allow-list the following hostnames + ports. All traffic is TLS 1.2+. PrivateLink alternatives are listed where they exist — prefer those for production.
| Destination | Hostname / endpoint | Port | Purpose |
|---|---|---|---|
| Snowflake (the data + attestation plane) | |||
| Your Snowflake account | <account-locator>.snowflakecomputing.com | 443 | Native data, T1 + AVA SQL, SPCS service-to-Snowflake calls |
| Snowflake account regional | *.<region>.snowflakecomputing.com(e.g., *.us-east-1.snowflakecomputing.com) | 443 | OAuth, regional metadata, internal Snowflake routing |
| Snowflake stage backend | *.s3.<region>.amazonaws.com (or Azure / GCS analog) | 443 | Stage uploads (PUT) + downloads (GET) for COPY INTO |
| Snowflake image registry | <account-locator>.registry.snowflakecomputing.com | 443 | SPCS docker push / pull |
| (Recommended) Snowflake PrivateLink | Per region — Snowflake provisions on request | 443 | Replaces public hostnames with VPC-local DNS — removes egress entirely |
| AWS Bedrock + SageMaker (LLM / model layer used by Ava agentic checks) | |||
| Bedrock runtime — us-east-1 | bedrock-runtime.us-east-1.amazonaws.com | 443 | Claude / Llama / Titan inference for Ava agentic Tier 1→2 routing |
| Bedrock runtime — us-west-2 | bedrock-runtime.us-west-2.amazonaws.com | 443 | Failover region for Bedrock |
| Bedrock model invoke | bedrock.us-east-1.amazonaws.combedrock.us-west-2.amazonaws.com | 443 | Model metadata + invoke (lower-rate APIs) |
| SageMaker runtime | runtime.sagemaker.us-east-1.amazonaws.com | 443 | Custom-model inference endpoints (when a tenant runs their own model) |
| SageMaker control plane | api.sagemaker.us-east-1.amazonaws.com | 443 | Endpoint management, autoscaling |
| STS (AssumeRole for tenant IAM) | sts.amazonaws.com | 443 | Cross-account role assumption when JIL writes to your S3 |
| (Recommended) AWS PrivateLink for Bedrock | bedrock-runtime-fips.<region>.amazonaws.com via VPC endpoint | 443 | Private connectivity, FIPS-compliant; HIPAA-eligible |
| JIL Sovereign hosts | |||
| Customer portal | customer.jilsovereign.com | 443 | SIU analyst UI |
| Customer API (proxy) | retail-api.jilsovereign.com | 443 | Auth + engagement API the portal calls |
| JIL marketing / docs | jilsovereign.com | 443 | Public docs, TDDs, status |
| Attestyx (per-tx integrity) | attestyx.com | 443 | Per-transaction Attestyx API (separate Global Hands 501c3 product) if customer subscribes |
| External data feeds (JIL calls these from inside SPCS once all-in; outside today) | |||
| SAM.gov exclusions API | api.sam.gov | 443 | Federal exclusion list refresh |
| OFAC sanctions service | sanctionslistservice.ofac.treas.gov | 443 | OFAC CSL XML feed |
| UN sanctions | scsanctions.un.org | 443 | UN consolidated sanctions XML |
| UK OFSI sanctions | ofsistorage.blob.core.windows.net | 443 | UK HMT sanctions XML |
| DOJ press releases | www.justice.gov | 443 | Healthcare-fraud press release JSON |
| Google Maps Platform | maps.googleapis.comaddressvalidation.googleapis.com | 443 | Premise classification (Places, Geocoding, Street View, Address Validation) |
https://ip-ranges.amazonaws.com/ip-ranges.json (filter by service=BEDROCK + region). For our hosts we publish a static IP allowlist at jilsovereign.com/.well-known/jil-allowlist.json (refreshed if Cloudflare rotates).
If you already have a Snowflake account (any edition), JIL can either share into your account or write to a tenant-isolated database in our account that you read. The choice has compliance + cost implications.
| Option | What you do | When to choose |
|---|---|---|
| A. BYO Snowflake (recommended for PHI) | You provide a Snowflake account locator + region. We share data into your account via Snowflake Data Sharing. Your account, your storage, your governance. | PHI processing · data residency requirements · existing Snowflake investment · single-pane analytics |
| B. Reader account on JIL Snowflake | JIL provisions a Reader Account inside our Snowflake instance. You log in to read findings. No data leaves our perimeter. | Pre-production demos · low-volume engagements · customers who don't yet have Snowflake |
| C. Hybrid (write back to your S3) | Findings sync from Snowflake to a customer-controlled S3 bucket via Snowflake external stage. Bring-your-own-bucket. | Customer prefers blob storage of record · downstream tools read from S3 |
abcdef-xy12345) and region.| Document | Between | Status |
|---|---|---|
| BAA (Business Associate Agreement) | Customer ↔ JIL Sovereign Technologies, Inc. | Required if PHI |
| BAA (separate) | Customer ↔ Snowflake (if Option A above) | Required if PHI + Option A |
| BAA (separate) | Customer ↔ AWS (Bedrock + SageMaker fall under AWS HIPAA-eligible services) | Required if PHI |
| MSA + SOW | Customer ↔ JIL Sovereign Technologies, Inc. | Required |
| Data Use Agreement | Customer ↔ JIL (specifies what JIL can do with customer data; default is "process for the customer's benefit only, no model training, no aggregation across tenants") | Required |
| SLA | Customer ↔ JIL (uptime, response, RPO/RTO targets per tier subscription) | Required |
| SOC 2 Type II report (from JIL to customer) | JIL provides under NDA | Recommended for InfoSec review |
| HITRUST CSF certification (from JIL to customer) | JIL provides certification details under NDA | Recommended for healthcare buyers |
| SIG / CAIQ vendor questionnaire | Customer issues — JIL responds (we maintain a current SIG-Lite + CAIQ v4) | Standard for procurement |
If your SIU intake / case-management system needs to ingest JIL findings programmatically, configure these endpoints on your side.
| Webhook event | Where you receive | Auth |
|---|---|---|
tier1.finding.created | Your endpoint — e.g., https://siu.uhg.com/api/jil/findings | HMAC-SHA256 signed payload (shared secret you provide); we sign every webhook |
ava.plan.issued | Same / different endpoint per your choice | Same HMAC scheme |
ava.plan.authorized | Notifies your governance team that a Tier 2 spend was approved | Same |
tier2.evidence.delivered | Per-case evidence pack arrival | Same |
tier3.creb.sealed | Court-Ready Evidence Bundle finalized + on-chain anchor confirmed | Same |
Retries: exponential backoff for 24 hours, DLQ after. Replay endpoint available on demand.
| Stream | Format | Destination options |
|---|---|---|
| Customer-portal access log | JSON (one event per line) | Splunk HEC · Sumo Logic Collector · Datadog · S3 + Athena · Kafka (your topic) |
| API audit trail | JSON, includes IP, user, action, evidence ref | Same |
| Authorize-action events | JSON, includes PO# / Customer Agreement # | Same |
| Tier 1/2/3 attestation receipts | JSON with content hash + on-chain anchor (if Tier 3) | Same |
| JIL platform health events | JSON, severity-tagged | PagerDuty / Opsgenie webhook · Slack / Teams · Email |
Status page subscription: status.jilsovereign.com — your team subscribes for incident notifications. Webhook hookup to your incident-management system available.
| Item | What you provide | Effect |
|---|---|---|
| Custom subdomain | e.g., jil.uhg.com — you create a CNAME to customer.jilsovereign.com | Customer portal under your domain |
| TLS certificate | We can manage via ACME on the CNAME, or you can provide | Cert ownership is your call |
| Tenant logo + accent color | SVG + hex color | Renders top-left of portal for your users |
| Login screen co-branding | Your logo + "Sign in with <your IdP>" button text | Reinforces SSO journey |
| Email-from address | e.g., jil-alerts@uhg.com via DKIM/SPF delegation | System emails from your domain |
A typical enterprise deployment from contract-signature to first production batch — assuming the customer can move at standard enterprise procurement velocity.
| Phase | Duration | Critical path on customer side |
|---|---|---|
| Week 1 | BAA + MSA + SOW execution | Procurement, legal, InfoSec sign-off |
| Week 1-2 | Snowflake setup | If BYO: account provision + share acceptance; if reader: just user provisioning |
| Week 2 | SSO + SCIM setup | Identity team registers JIL as SP + configures SCIM push |
| Week 2 | Network whitelisting | Network team adds the egress allow-list (Section 02) |
| Week 2-3 | Webhook + SIEM integration | Engineering team builds the webhook receiver + log forwarder |
| Week 3 | First production batch ingestion | Customer provides claim data (CSV / Snowflake share / S3) — JIL runs T1 in ≤ 4 hours from receipt |
| Week 3-4 | First AVA plan reviewed + first Tier 2 authorization | SIU analyst signs into the portal, reviews the plan, authorizes |
| Week 4+ | Steady state | Daily / weekly / per-engagement cadence per the SLA |
Your JIL deployment touches at least five of your internal teams. We provide a named lead for each.
| Your team | JIL counterpart | What they coordinate |
|---|---|---|
| Procurement / Legal | JIL Deal Desk | MSA, BAA, SOW, DPA, SLA |
| InfoSec / GRC | JIL Security | SIG questionnaire, SOC 2 / HITRUST review, penetration test scope |
| Identity / IAM | JIL Solutions Engineering | SSO, SCIM, group mapping, MFA policy |
| Network / Cloud Ops | JIL Solutions Engineering | Egress allow-list, PrivateLink, regional configuration |
| Data Engineering | JIL Data Engineering | Snowflake share, S3 stage, data residency, schema mapping |
| SIU / Compliance Officers | JIL Customer Success | LOB profile, engagement onboarding, recurring cadence, playbook |