Current-state security boundary

Security posture claims should come with evidence.

Status: This page describes intended and currently visible security posture at a high level. It is not a final certification, penetration-test report, SOC 2 report, external-audit artifact, or SLA.

Access model

Production app routes require an authenticated session. Public routes are limited to marketing, sign-in, request-access, static trust pages, and health surfaces.

Session boundary

Protected pages redirect unauthenticated users to sign-in with a return path. Passkey ceremony completion remains a human/operator evidence lane until a production test identity is available.

Transport and headers

The web deployment uses production security headers including HSTS, frame restrictions, content-type protection, CSP, and permissions policy.
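
One way to turn this claim into checkable evidence, as an added example that is not this deployment's own code or configuration: the function below audits a response-header set for the five header classes named above and returns what is missing or ineffective. The sample header values, the 180-day HSTS threshold, and the function names are assumptions constructed for illustration.

```python
# Added example. GOOD and WEAK are constructed samples, not captured from any deployment.
MIN_HSTS_MAX_AGE = 15552000  # assumption: 180 days is the minimum acceptable max-age

def _directives(value, sep):
    return [d.strip().lower() for d in value.split(sep) if d.strip()]

def audit_headers(headers):
    """Return a sorted list of findings; an empty list means every check passed."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []

    # HSTS: present, with a max-age that parses and is long enough.
    max_age = None
    for d in _directives(h.get("strict-transport-security", ""), ";"):
        if d.startswith("max-age="):
            raw = d.split("=", 1)[1].strip('"')
            max_age = int(raw) if raw.isdigit() else None
    if max_age is None or max_age < MIN_HSTS_MAX_AGE:
        findings.append("hsts: missing or max-age too short")

    # Frame restrictions: X-Frame-Options DENY/SAMEORIGIN, or CSP frame-ancestors.
    csp = _directives(h.get("content-security-policy", ""), ";")
    xfo = h.get("x-frame-options", "").strip().lower()
    framed = any(d.split()[0] == "frame-ancestors" for d in csp)
    if xfo not in ("deny", "sameorigin") and not framed:
        findings.append("frame: no X-Frame-Options or frame-ancestors")

    # Content-type protection: 'nosniff' is the only valid value.
    if h.get("x-content-type-options", "").strip().lower() != "nosniff":
        findings.append("content-type: X-Content-Type-Options is not nosniff")

    # CSP must be enforcing; a Report-Only policy alone blocks nothing.
    if not csp:
        findings.append("csp: no enforcing Content-Security-Policy")
    if not h.get("permissions-policy", "").strip():
        findings.append("permissions-policy: missing")
    return sorted(findings)

GOOD = {  # constructed sample: all five classes present and effective
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains",
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
    "X-Content-Type-Options": "nosniff",
    "Permissions-Policy": "camera=(), microphone=(), geolocation=()",
}
WEAK = {  # constructed sample: headers present but ineffective
    "Strict-Transport-Security": "max-age=300",
    "Content-Security-Policy-Report-Only": "default-src 'self'",
    "X-Frame-Options": "ALLOW-FROM https://example.com",
    "X-Content-Type-Options": "no-sniff",
}
```

The WEAK sample shows why presence alone is not evidence: four of the five header classes appear to be set, yet every check fails.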

Data boundary

Tenant security posture and evidence data must remain tenant-scoped and redacted in operational artifacts. Do not publish secrets, credential material, or passkey challenge data.

Known open evidence lanes

External audit claims, final trust-center artifacts, live Sentry proof, manual passkey ceremony evidence, and authenticated tenant-data QA remain pending until validated artifacts exist.