Security & trust
Security model
We make a specific claim: the security properties below are mechanical and inspectable, not promises. This page states them plainly; the Trust Center lets you watch them live; and Verify our claims shows you how to check them yourself.
What is true today
- Mutual TLS everywhere. Every device-to-platform connection is mutually authenticated; a device's identity comes from its verified certificate, never from a request body.
- No unsigned path. The only way an artifact reaches a workload is signed and verified on the device against a pinned anchor — the same in development and production, with no bypass flag.
- Offline roots. The keys that anchor the chain of trust are kept offline and used only in a deliberate ceremony; the delivery service holds only limited, online keys.
- Device keys never leave the device. Each device generates its own private key locally; the platform signs the public half and never sees the secret one.
- Append-only, hash-chained audit. Every meaningful action is recorded in a tamper-evident log; any break in the chain is detectable and exports are signed.
- Encryption at rest for the secrets the platform must store, and modern password hashing for accounts.
- Metadata only. The platform never inspects, copies or exports the contents your application processes.
What we do not claim
We are not agentless: a small agent runs on each device and does the verification, the atomic swap and the rollback. The "zero-integration" promise is about your application and model code, which you do not rewrite — not about the operating-system layer.
We do not claim certifications we do not hold. Where a control is on the roadmap rather than shipped, the relevant page says so in plain language. Nothing on this site is asserted ahead of the code.