Sectum AI vs Securiti
TL;DR. Securiti is the leading data-privacy / DSPM platform — the Data Command Center for safe use of data and AI. It owns the GDPR data-subject-rights workflow end to end (intake, routing, deletion-script generation, fulfilment, audit). Securiti themselves acknowledge in their public materials that GDPR Article 17 erasure from AI is hard: organizations must ensure that the data’s “influence on the AI model is minimized as much as possible.” That last clause is what Sectum AI verifies. Sectum AI’s Class 11 (GDPR Article 17 erasure verification) is the technical attestation layer for the workflow Securiti orchestrates. The two products are natural complements.
The two products
Securiti (securiti.ai)
Category: Data Privacy / DSPM (Data Security Posture Management) / PrivacyOps. The “Data Command Center” — unified data intelligence, controls, and orchestration across hybrid multi-cloud and SaaS.
Key capabilities (per Securiti’s own materials):
- GDPR data-subject-rights automation — access, rectification, erasure, restrict processing, portability, objection — across the customer’s full data estate.
- AI governance — explicitly addresses the GDPR-meets-AI problem.
- Auto-generates deterministic data-deletion scripts for precise erasure handling.
- Data discovery + classification + access intelligence + governance across cloud / SaaS / on-prem.
Pricing: not public; enterprise sales motion.
Buyer: CPOs, DPOs, privacy ops at enterprises managing privacy programs at scale.
Sectum AI (sectum.ai)
Category: multi-tenant AI verification; the flagship engagement is post-erasure attestation that the AI stack is clean.
License: Apache 2.0 OSS core; Sectum Cloud commercial. The evidence layer in the OSS produces the same artifacts the hosted product does — by design.
Class 11 — GDPR Article 17 erasure verification:
- Provisions synthetic tenants and plants cryptographic canary markers per tenant.
- Confirms each target tenant’s `HARD_CANARY` markers are present across all configured surfaces (pre-erasure baseline).
- Triggers / awaits the customer’s erasure flow.
- Re-scans every surface for any residual marker.
- Itemizes residual-marker counts per surface: vector DB, tracing, agent memory, semantic cache, model / fine-tune adapters, search index, eval set.
- Produces a tamper-evident attestation pack (PDF + JSON + in-toto envelope, RFC 3161 timestamped, Sigstore Rekor logged).
What Securiti acknowledges, and where Sectum AI picks up
Securiti’s own GDPR-and-AI page addresses the hard part of Article 17 directly:
“Individuals have the right to request that all their data in possession of the organization be erased, essentially allowing them to be ‘forgotten.’ However, in the AI context, this presents a unique problem since organizations must scramble to ensure the appropriate erasure from their training datasets being used to improve AI models, and they must also ensure that their influence on the AI model is minimized as much as possible.”
The last clause — minimizing the data’s influence on the AI model — is exactly what Sectum AI verifies, with cryptographic attestation, across every configured AI surface. The full workflow looks like:
| Step | Owned by |
|---|---|
| 1. DSR intake — customer requests Article 17 erasure | Securiti |
| 2. Triage — identify which data systems hold the customer’s data | Securiti |
| 3. Routing — push deletion requests to each system owner / orchestrate | Securiti |
| 4. Deletion-script generation — auto-generate scripts for primary data stores | Securiti |
| 5. Fulfilment — run the deletion scripts | Customer’s systems |
| 6. AI-surface verification — confirm no residual marker on vector DB / tracing / agent memory / semantic cache / fine-tune adapters / search index / eval set | Sectum AI |
| 7. Attestation — produce a tamper-evident pack the DPO can hand to a regulator | Sectum AI |
| 8. Close the ticket — record fulfilment in the DSR system of record | Securiti |
The boundary is precise: Securiti owns the legal-process workflow; Sectum AI owns the technical AI-surface attestation. Neither overlaps the other.
The categorical difference
| | Securiti | Sectum AI |
|---|---|---|
| Category | Data Privacy / DSPM / DSR automation | Multi-tenant AI verification |
| Layer | DSR workflow + data discovery + governance | Per-surface AI-isolation attestation |
| GDPR Art. 17 role | Orchestrates the request, generates deletion scripts, closes the ticket | Verifies post-deletion that no residual marker survives any AI surface, produces an attestation pack |
| Surfaces | Cloud data stores, SaaS, on-prem databases, data lakes | Vector DB, tracing, agent memory, semantic cache, model/fine-tune adapters, search index, eval set (the AI-specific surfaces Securiti doesn’t probe) |
| Evidence | Workflow audit logs + DSR fulfilment records | Tamper-evident attestation pack: RFC 3161 TSA + Sigstore Rekor + in-toto envelope + audit-pack PDF + evidence.json |
| Independent verification | Trust Securiti’s audit logs | `sectum-ai verify <pack>` — any third party, without Sectum AI |
| For | DPOs, CPOs, privacy ops | DPOs, CISOs, audit firms |
Class 11 — what gets delivered
The Sectum AI GDPR Article 17 erasure attestation is a per-engagement deliverable. The contents handed to the DPO:
- An attestation PDF with per-surface verdicts: `ERASED` (no residual) / `RESIDUAL DATA` (counts itemized) / `NO BASELINE` (surface had no markers to verify against).
- A machine-readable `evidence.json` with per-finding `marker_id`, `surface`, `owner_tenant`, `evidence_span` (the actual residual data found, if any).
- An in-toto attestation envelope + an RFC 3161 timestamp token + (optionally) a Sigstore Rekor inclusion proof — collectively, the cryptographic chain of custody.
- A `sectum-ai verify` command the DPO or regulator can run on the pack to validate the chain end-to-end without Sectum AI in the room. Mutating a single byte makes verify exit `4` with `[FAIL]` lines explaining which check failed.
- Per-finding control mappings: each residual marker carries OWASP LLM08:2025 + NIST AI RMF MEASURE 2.7. Article 17 / 32 mapped at the pack level.
For a DPO facing a regulator’s inquiry into Article 17 fulfilment on an AI surface, that pack is the artifact that closes the question.
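To make the Class 11 flow and the pack contents concrete, here is an added example that is not Sectum AI's or Securiti's code. It models the engagement end to end: planting canary markers per tenant, taking a baseline, running the customer's erasure, rescanning, assigning the `ERASED` / `RESIDUAL DATA` / `NO BASELINE` verdicts, itemizing residual counts per surface, and writing findings with `marker_id`, `surface`, `owner_tenant` and `evidence_span`. Everything outside those page-defined names is an assumption: the four surfaces are plain in-memory lists standing in for a vector DB, agent memory, a semantic cache and a search index; an HMAC tag over the serialised evidence stands in for the in-toto / RFC 3161 / Rekor chain; `leaky_erasure` is a constructed erasure flow that forgets the semantic cache, so the run shows all three verdicts and a tampered pack failing with exit code 4.

```python
"""Hypothetical canary-marker erasure check with a tamper-evident evidence pack.

Example code written for this page, not Sectum AI's or Securiti's code.
Surfaces are Python lists standing in for a vector DB, agent memory, a
semantic cache and a search index; the HMAC tag stands in for the
in-toto / RFC 3161 / Rekor chain a real attestation pack would carry.
"""
import hashlib
import hmac
import json
import secrets

SURFACES = ("vector_db", "agent_memory", "semantic_cache", "search_index")


def new_surfaces():
    return {name: [] for name in SURFACES}


def plant_markers(surfaces, tenant, count=3, skip=()):
    """Plant `count` HARD_CANARY markers for one tenant into every surface not in `skip`."""
    markers = [f"HARD_CANARY-{tenant}-{secrets.token_hex(4)}" for _ in range(count)]
    for mid in markers:
        for name, records in surfaces.items():
            if name not in skip:
                records.append({"tenant": tenant, "text": f"ticket note: {mid}"})
    return markers


def scan(surfaces, markers):
    """Map each surface to the (marker_id, evidence_span) pairs still present on it."""
    return {
        name: [(mid, rec["text"]) for rec in records for mid in markers if mid in rec["text"]]
        for name, records in surfaces.items()
    }


def verdicts(baseline, post_erasure):
    """Per-surface verdict from the pre-erasure baseline and the post-erasure rescan."""
    out = {}
    for name, hits in baseline.items():
        if not hits:
            out[name] = "NO BASELINE"     # nothing was planted here, so nothing to verify
        elif post_erasure[name]:
            out[name] = "RESIDUAL DATA"   # counts itemized in residual_counts / findings
        else:
            out[name] = "ERASED"
    return out


def build_pack(tenant, baseline, post_erasure, key):
    """Serialise the evidence as JSON bytes and tag it with an HMAC (stand-in signature)."""
    findings = [
        {"marker_id": mid, "surface": name, "owner_tenant": tenant, "evidence_span": span}
        for name, hits in post_erasure.items() for mid, span in hits
    ]
    evidence = {
        "verdicts": verdicts(baseline, post_erasure),
        "residual_counts": {name: len(hits) for name, hits in post_erasure.items()},
        "findings": findings,
    }
    body = json.dumps(evidence, sort_keys=True).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest()
    return {"evidence": body, "tag": tag}


def load_evidence(pack):
    return json.loads(pack["evidence"])


def verify(pack, key):
    """Return (exit_code, lines): 0 when the tag matches, 4 with [FAIL] lines otherwise."""
    expected = hmac.new(key, pack["evidence"], hashlib.sha256).hexdigest()
    if hmac.compare_digest(expected, pack["tag"]):
        return 0, ["[OK] evidence tag matches"]
    return 4, ["[FAIL] evidence tag mismatch: evidence.json was modified after signing"]


def run_engagement(tenant, erase, key):
    """Baseline -> customer erasure -> rescan -> pack, for one synthetic tenant."""
    surfaces = new_surfaces()
    # Constructed: the search index never received this tenant's data (NO BASELINE case).
    markers = plant_markers(surfaces, tenant, skip=("search_index",))
    baseline = scan(surfaces, markers)
    erase(surfaces, tenant)              # the customer's erasure flow runs here
    post = scan(surfaces, markers)
    return build_pack(tenant, baseline, post, key)


def leaky_erasure(surfaces, tenant):
    """Constructed erasure flow that deletes everywhere except the semantic cache."""
    for name, records in surfaces.items():
        if name != "semantic_cache":
            records[:] = [r for r in records if r["tenant"] != tenant]


if __name__ == "__main__":
    key = secrets.token_bytes(32)
    pack = run_engagement("tenant-A", leaky_erasure, key)
    print(load_evidence(pack)["verdicts"])
    print(verify(pack, key))
    # Flip bytes inside the signed evidence: the tag no longer matches.
    tampered = {"evidence": pack["evidence"].replace(b"RESIDUAL", b"ERASEDXX"), "tag": pack["tag"]}
    print(verify(tampered, key))
```

The point a reviewer should take from this: the verdict comes only from the baseline-versus-rescan comparison, so a surface the erasure flow never touched shows up as `RESIDUAL DATA` with its marker text as the evidence span, and any edit to the evidence after signing changes the verifier's result from exit 0 to exit 4 regardless of who holds the pack.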
When to use Securiti
- You need to orchestrate DSR workflows end-to-end across a complex data estate (cloud / SaaS / on-prem).
- You need data discovery + classification + access intelligence as the foundation for privacy operations.
- Your DPO’s daily workflow is intake → triage → routing → fulfilment → close, and you want a platform built for that shape.
- You need broad-coverage privacy program management — multi-regulation, multi-jurisdiction.
When to use Sectum AI
- You’re already running Securiti (or another DSR / DSPM platform) for the workflow side, and you need to attest that the AI surface is clean post-deletion.
- You’re facing a regulator’s inquiry about Article 17 on an AI product and need an independently-verifiable attestation pack, not a workflow audit log.
- You operate a multi-tenant AI product and want to systematize the post-erasure verification as a one-time engagement or a continuous subscription.
- You want per-finding cryptographic evidence (signed, timestamped, Rekor-logged) rather than a workflow record from your DSR vendor.
Honest positioning
Securiti and Sectum AI don’t compete. Sectum AI sits at the technical attestation end of the Article 17 workflow Securiti owns end-to-end. A Securiti customer with a multi-tenant AI product needs something like Sectum AI to close out Article 17 fulfilment on the AI surface — without it, the workflow ends with deletion scripts having run, but no cryptographically-attestable proof that the data’s “influence on the AI model has been minimized” in Securiti’s own words.
The two products own complementary, non-overlapping pieces of the same DPO’s workflow.
Pricing
- Securiti — not publicly listed; enterprise sales.
- Open Sectum (OSS) — free, Apache 2.0.
- Sectum Cloud — see pricing.