Security
A security posture you can reason about.
This page is intentionally concise. Request early access for detailed architecture documentation.
VPC-first deployment
Designed to run inside customer environments that require strong boundaries and minimal external dependencies. No required SaaS control plane.
Your keys, your signatures
All signatures (approvals, Evidence Binders) use ECDSA P-256 keys that you control, not vendor-owned key material. You control the trust root.
Fail-closed behavior
If identity, policy, or approvals can't be validated, the safe outcome is to block rather than accept. No fallback to best-effort.
Architecture
What you control.
Customer-controlled
- Signing keys (ECDSA P-256)
- Policy bundles (OPA/Rego)
- Deployment infrastructure (your VPC)
- Evidence storage and retention
- Approval routing and channels
- Network configuration and egress rules
- Certificate authority and mTLS configuration
Vendor-provided
- Software binaries and updates
- Documentation and support
- Policy template library
Everything important is customer-controlled. The vendor provides software. The customer controls the keys, the policies, the infrastructure, and the evidence.
Security contact
For vulnerability reports or security questions:
Please include: affected endpoint or component, steps to reproduce, and impact assessment. We will acknowledge receipt within 2 business days.
Responsible disclosure
We welcome responsible disclosure. Guidelines:
- Do not access data beyond what is required to demonstrate the issue
- Avoid actions that could degrade service availability
- Do not disclose findings publicly until we have had reasonable time to address them
- If you're unsure whether a test is safe, email first