Security

Authority's security model — fail-closed enforcement, decision precedence, and structural placement at the action boundary — is described on the product page. This page covers data handling, compliance readiness, and vulnerability disclosure.

Data Handling

Authority is designed to minimise data exposure. It evaluates governance-relevant metadata at the action boundary and produces an append-only decision ledger of evidence records; it is not a data lake. Action requests are evaluated in real time, and application payloads are not retained beyond the evaluation window. Retention is configured per engagement. The default is governance metadata and evidence records only; application payloads are retained only if explicitly required.

Where fields are redacted for privacy, the omission is visible via explicit redaction markers — not missing keys. Privacy is an explicit configuration: what is stored, hashed, redacted, and retained is a first-class governance decision.

Compliance Readiness

Authority produces timestamped decision records tied to the policy version and delegation chain in effect at decision time. The evidence model is designed for audit and regulatory inquiry — not to replace your compliance programme, but to provide the technical records it depends on.

We do not hold independent certifications at this time. Certification status will be published here when independently verifiable.

Vulnerability Disclosure

Security vulnerabilities should be disclosed responsibly to security@ambit-systems.com. We acknowledge disclosures within 2 business days and coordinate a remediation timeline with the reporter. Incident communication protocols are provided to customers.

If your organisation has security or compliance questions, contact us to discuss requirements under NDA.