Security

The finding travels. The patient record
stays where it lives.

Every architectural decision follows from one constraint: for health, financial, and minor-facing AI, the data cannot be centralised — not even for a compliance check. So the diagnostic travels to the data, and only the signed Evidence Record travels back.

Findings travel

The result crosses the boundary. The data never does.

Ed25519 signing

Every Evidence Record verifiable offline, by anyone

Role-bound review

Server-side checks; no one reviews what they cannot defend

Revocation at the next call

One action, and the agent stops — not at the next audit

Evidence Record — signing chainEd25519 active
Diagnostic runs in your perimeterMetric + declared threshold onlyEd25519 signEvidence Record →
check:art10_2f_proxy_discrimination
metric:demographic_parity_gap
value / threshold:0.031 ≤ 0.05
result:PASS
model_endpoint_sha256:9f3c…a17b (swap = new scan)
raw_data_included:false
signature_alg:Ed25519
verifiable_offline:true
Tenant isolation
Enforced at DB and API layer
RBAC — 9 roles
Server-side; never trusted from the client
Art. 12 audit log
Immutable · actor, input hash, override
Raw export
Off by default — a Wake carries records, not data

Security headers

X-Frame-Options:DENY
X-Content-Type-Options:nosniff
Permissions-Policy:camera=()

Security principles

Eight controls. On by default. Not configurable off.

Raw export is refused, not merely discouraged

No raw prompt, completion, retrieval corpus, model weight, clinical record, or financial record is exported. A diagnostic yields a signed Evidence Record — the finding. The raw-export flag is off by default, cannot be set from the browser, and is refused by the container itself.

Organisation isolation

Evidence, passports, visas, and decisions are isolated at the database and API layer. Nothing crosses an organisation boundary without an explicit, recorded act — a Wake, issued by a named person, to a named recipient.

Role-bound review

A reviewer sees only the decisions their role can defend. The DPO takes legal basis and special-category exposure; the CISO takes tools, credentials, egress, and logging. Every route enforces the check server-side — never in the client.

Evidence Records — signed and immutable

Every diagnostic result is signed with an Ed25519 key and cannot be amended after issue. A supervisory authority, a notified body, or a hospital's DPO can verify the signature offline — without re-running the check, and without trusting the issuer.

The decision log is the record

Every scan finding, passport issue and re-issue, visa grant, refusal, suspension, and revocation is written to an immutable log with actor, role, timestamp, rationale, and resource. AI Act Art. 12 requires the events be recorded; this is where they are recorded.

Keys and secrets

Signing keys, API keys, and webhook secrets live in the environment, never in the database or version control, and rotate without downtime. In a federated deployment the signing key never leaves your infrastructure at all.

Encryption in transit and at rest

AES-256 at rest, TLS 1.3 in transit. Webhook payloads are HMAC-verified before processing — and an entitlement activates only on a verified webhook event, never on a browser redirect.

Federated execution

Diagnostics run inside your perimeter — on-premise, in your VPC, or air-gapped. Only the signed Evidence Record crosses the boundary. For health, financial, and minor-facing AI, this is not a deployment option; it is the only lawful shape of the problem.

Evidence Records

The result is signed. The input is never transmitted.

A diagnostic run — in your perimeter or ours — produces one signed, immutable Evidence Record: the check, the runner and version, the parameters, the score, the result, and the model version it was run against. No input row, prompt, or document is included, and the record is bound to the model version so that a silent swap invalidates it.

1The diagnostic executes where the data lives
2The result is scored — check name, parameters, and score only
3The record is signed with an Ed25519 key held in your perimeter
4Only the signed record crosses the boundary; it attaches to the passport
5Any reviewer verifies it offline — no re-run, no trust in the issuer

Evidence Record — anatomy

record_id:ER-2026-FAIR-082
check:group_disparity (AI Act Art. 10)
model_version:sha256:9c1e… (binds the result)
score:0.94
result:PASS
raw_data_included:false
timestamp:2026-05-06T09:14:22Z
signature_alg:Ed25519
verifiable_offline:true

Security HTTP headers

X-Frame-Options:DENY
X-Content-Type-Options:nosniff
Referrer-Policy:strict-origin-when-cross-origin
Permissions-Policy:camera=(), microphone=(), geolocation=()

Software Bill of Materials

A machine-readable SBOM in CycloneDX or SPDX format is available to enterprise customers on request. Third-party package notices are maintained in THIRD_PARTY_NOTICES.md.

Security disclosures

Coordinated disclosure. We respond within 48 hours.

Next

Bring the architecture to your review board.

We will walk your CISO and DPO through the egress boundary, the signing chain, and the revocation path — line by line, against your own deployment constraints.