Security
A security posture you can reason about.
This page is intentionally concise. Request early access for detailed architecture documentation.
VPC-first deployment
Designed to run inside customer environments that require strong boundaries and minimal external dependencies.
Your keys, your signatures
All signatures (approvals, evidence binders) use ECDSA P-256 keys that you control, not vendor-owned material.
Fail-closed behavior
If identity, policy, or approvals can’t be validated, the safe outcome is to block rather than accept.
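A minimal sketch of a fail-closed approval check, added here as an illustration and not taken from the product's own code. `Approval`, `Authorize`, `ErrBlocked` and `NewSignedApproval` are hypothetical names, and the SHA-256 digest and ASN.1 DER signature encoding are assumptions the page does not state.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Approval is a hypothetical signed approval record (assumed format).
type Approval struct {
	Payload []byte // what was approved
	Sig     []byte // ASN.1 DER ECDSA signature over SHA-256(Payload) (assumed)
}

var ErrBlocked = errors.New("blocked: approval could not be validated")

// Authorize returns nil only when every check positively succeeds.
// A missing key, wrong curve, empty field or bad signature all block.
func Authorize(pub *ecdsa.PublicKey, a *Approval) error {
	if pub == nil || a == nil || pub.Curve != elliptic.P256() || len(a.Payload) == 0 || len(a.Sig) == 0 {
		return ErrBlocked
	}
	digest := sha256.Sum256(a.Payload)
	if !ecdsa.VerifyASN1(pub, digest[:], a.Sig) {
		return ErrBlocked
	}
	return nil
}

// NewSignedApproval builds constructed sample data with a freshly generated P-256 key.
func NewSignedApproval(payload string) (*ecdsa.PublicKey, *Approval, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	digest := sha256.Sum256([]byte(payload))
	sig, err := ecdsa.SignASN1(rand.Reader, key, digest[:])
	return &key.PublicKey, &Approval{Payload: []byte(payload), Sig: sig}, err
}

func main() {
	pub, a, _ := NewSignedApproval("deploy release-42") // constructed payload
	fmt.Println("valid approval:", Authorize(pub, a))
	a.Payload = []byte("deploy release-43") // tampered after signing
	fmt.Println("tampered approval:", Authorize(pub, a))
}
```

The caller treats any non-nil result as a block; there is no code path that returns success without a verified signature.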
Security contact
For vulnerability reports or security questions, email: [email protected].
Please include: affected endpoint/component, steps to reproduce, and impact assessment.
Responsible disclosure
We welcome responsible disclosure. Do not access data beyond what is required to demonstrate the issue, and avoid actions that could degrade service availability for others.
If you’re unsure whether a test is safe, email first.