Security architecture

Cryptographically verifiable records, designed with clear limits.

DocGovernance records digests, events, signed receipts, and evidence packages. Uploaded documents, AI prompts, webhook payloads, brand assets, and custom-domain inputs are treated as untrusted data.

Implemented controls

SHA-256 digest registration, Ed25519 signed receipts in current evidence flows, HTTP-only cookies, Helmet security headers, per-organization ownership fields, offline verifier packages, and support for hash-only custody mode.

Trust limits

Verification confirms bytes, digests, signatures, event continuity, and package integrity when those checks are present. It does not prove factual truth, legal admissibility, or external timestamp availability.

Key management state

The repository still contains file-backed development signing providers for existing flows. Production deployments should move to a managed key provider and fail closed when insecure providers are selected.

Responsible disclosure

Security reports should go to the configured security contact in security.txt. Do not include secrets, private customer records, or raw document contents in reports.