Security

Authority’s security model — fail-closed enforcement, decision precedence, and structural placement at the action boundary — is described on the product page. This page covers the deployment architecture, data handling, supply chain integrity, compliance readiness, and vulnerability disclosure.

Deployment Architecture

Authority — enforcement, policy evaluation, delegation verification, and receipt generation — operates within the customer environment, deploying as an SDK wrapper, tool boundary, or local enforcement service. The decision path does not leave the customer trust boundary.

Observatory and optional analytics services may run in Ambit-managed infrastructure. These services are read-oriented — they do not participate in enforcement decisions.

Data Handling

Authority (customer environment). Governance metadata, evidence records, and policy and delegation state remain within the customer environment. Ambit does not access this data unless explicitly granted access for support purposes. Action requests are evaluated in real time, and application payloads are not retained beyond the evaluation window. Retention is configured by the customer; the default is governance metadata and evidence records only.

Observatory (Ambit-managed, where applicable). Where Observatory runs in Ambit infrastructure, it ingests receipts and governance metadata synced by the customer. Application payloads are not ingested. Retention and access controls are governed by the Order Form.

Where fields are redacted for privacy, the omission is visible via explicit redaction markers — not missing keys. Privacy is an explicit configuration: what is stored, hashed, redacted, and retained is a first-class governance decision.

Supply Chain Integrity

Authority runs inside the customer trust boundary, so release integrity and dependency provenance are governance-relevant. Dependencies are reviewed prior to inclusion.

Compliance Readiness

Authority produces timestamped decision records tied to the policy version and delegation chain in effect at decision time. The evidence model is designed for audit and regulatory inquiry — not to replace your compliance programme, but to provide the technical records it depends on. Because Authority is deployed within your environment, enforcement and evidence remain within your audit boundary — supporting your own compliance obligations (SOC 2, ISO 27001, APRA CPS 234, and similar frameworks).

Certification status will be published here when available.

Reporting A Vulnerability

Security vulnerabilities should be disclosed responsibly to security@ambit-systems.com. We acknowledge disclosures within 2 business days and coordinate a remediation timeline with the reporter.

Security Advisories

Ambit publishes security advisories for confirmed vulnerabilities in Authority or its dependencies. Customers on active support receive direct notification. For Ambit-managed Observatory deployments, affected customers are notified of confirmed security incidents per the timeline agreed in their Order Form.

If your organisation has security or compliance questions, contact us to discuss requirements under NDA.