GRAYPASSDOC/TRUST-01
Trust, documented.
What we collect, what we keep, what we deliberately never store, and where our compliance work stands. No badges we haven't earned; everything here is the current, honest state of the system.
I. SECURITY POSTURE
Salted, not stored
Behavior collapses into a salted print. The print is what we keep; the behavior does not persist.
Encrypted at rest
Templates and helper data sit behind envelope encryption. A database dump on its own, without the wrapping keys, gives an attacker nothing usable.
Cancelable templates
If anything ever leaks, the seed rotates. Identity stays; the template behind it is replaced in minutes.
Replay-hard
Server-driven schedules with jittered timing. Macros and remote-takeover tooling cannot fake the cadence.
Auditable decisions
Every accept or deny carries calibrated confidence and a human-readable reason. Nothing happens in silence.
Consent-led
Raw signals are not collected by default. Opt-in research data is double-encrypted and revocable on request.
FULL THREAT MODEL AND ATTACK WALKTHROUGHS: SECURITY DOCUMENT
II. DATA HANDLING
COLLECTED IN-SESSION
- Pointer dynamics (timings)
- Typing cadence (timings only, never content)
- Scroll rhythm
STORED
- Salted behavioral print (small vector)
- Decision log with reason codes
- Per-user salts
NEVER STORED
- Raw behavioral streams
- Typed content
- Static biometric images of any kind
DATA RIGHTS
- Erase on request
- Consent-led research data
- Seed rotation on demand
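The salted, cancelable print described under Security Posture and listed under Data Handling, as an added illustration that is not GrayPass's own code: timing features are z-scored against a constructed population baseline, projected through hyperplanes derived from a per-user salt, and reduced to sign bits. Only the print and the salt are kept; a rotated salt yields an unrelated print for the same person. All names, the baseline numbers, the 256-bit print length, the 0.25 match threshold and the three sample sessions are assumptions made for this example.

```python
"""Cancelable behavioral print (illustration, not GrayPass's implementation):
z-score timing features, project them through per-user salted random
hyperplanes, and keep only the sign bits.  The stored print reveals neither the
raw timings nor the z-scores, and rotating the salt yields an unrelated print
without touching the user's identity."""
import hashlib
import hmac
import random
import secrets

# Constructed population baseline (mean, std) for eight timing features in ms.
# A real deployment derives these from its own enrollment population.
BASELINE_MEAN = [120.0, 90.0, 400.0, 250.0, 60.0, 35.0, 800.0, 180.0]
BASELINE_STD = [30.0, 20.0, 100.0, 60.0, 15.0, 10.0, 200.0, 40.0]
PRINT_BITS = 256          # assumed length of the stored print
MATCH_THRESHOLD = 0.25    # assumed max fraction of differing bits for an accept


def zscore(features):
    """Center and scale raw timings so the projection sees shape, not magnitude."""
    return [(x - m) / s for x, m, s in zip(features, BASELINE_MEAN, BASELINE_STD)]


def hyperplanes(salt, dim, n_bits=PRINT_BITS):
    """Derive n_bits Gaussian hyperplanes deterministically from the user's salt."""
    seed = hmac.new(salt, b"print-hyperplanes", hashlib.sha256).digest()
    rng = random.Random(int.from_bytes(seed, "big"))
    return [[rng.gauss(0.0, 1.0) for _ in range(dim)] for _ in range(n_bits)]


def make_print(salt, features):
    """Salted sign-projection print: one bit per hyperplane, magnitudes discarded."""
    z = zscore(features)
    return [1 if sum(r * v for r, v in zip(plane, z)) >= 0 else 0
            for plane in hyperplanes(salt, len(z))]


def distance(a, b):
    """Fraction of positions where two prints disagree (normalized Hamming)."""
    return sum(x != y for x, y in zip(a, b)) / len(a)


def verify(stored_print, salt, live_features):
    """Return (accepted, distance); the distance is the reason for the decision log."""
    d = distance(stored_print, make_print(salt, live_features))
    return d <= MATCH_THRESHOLD, d


def rotate(live_features):
    """Cancel a compromised template: fresh salt, fresh print, same person."""
    new_salt = secrets.token_bytes(32)
    return new_salt, make_print(new_salt, live_features)


# Constructed sessions: enrollment, a later genuine session, a different person.
ENROLL = [156.0, 74.0, 450.0, 184.0, 73.5, 31.0, 860.0, 120.0]
GENUINE = [159.0, 72.0, 458.0, 188.0, 72.0, 32.0, 845.0, 124.0]
IMPOSTOR = [90.0, 104.0, 340.0, 328.0, 57.0, 46.0, 620.0, 196.0]


def demo(salt=None):
    """Enroll, verify a genuine and an impostor session, then rotate the seed.

    Returns (genuine_accepted, impostor_accepted, leaked_old_print_matches_new).
    """
    salt = salt or secrets.token_bytes(32)
    stored = make_print(salt, ENROLL)
    genuine_ok, _ = verify(stored, salt, GENUINE)
    impostor_ok, _ = verify(stored, salt, IMPOSTOR)
    _new_salt, new_stored = rotate(ENROLL)
    # A print leaked before rotation is compared against the re-enrolled one.
    leaked_old_matches_new = distance(stored, new_stored) <= MATCH_THRESHOLD
    return genuine_ok, impostor_ok, leaked_old_matches_new


if __name__ == "__main__":
    print(demo())  # expected: (True, False, False)
```

Without the salt, a leaked print is a list of sign bits with no path back to the timings that produced it; with the salt rotated, the old print is statistically unrelated to the new one (about half the bits differ), so erasing a template means replacing one 32-byte value. The distance returned by `verify` is the kind of calibrated number an auditable decision log can carry alongside its reason code.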
III. COMPLIANCE STATUS
Our control set and supporting evidence are available to review under NDA.
Data minimization, purpose limitation, and erase-on-request are built into the pipeline rather than bolted on.
TLS 1.3 in transit with HSTS and per-request nonces; envelope encryption at rest for templates and helper data.
We support customer-led security reviews and will schedule walkthroughs with your security team.
IV. RESPONSIBLE DISCLOSURE
Found something? Email hello@graypass.org with the subject “Security disclosure.” Reports go directly to the founders; we acknowledge within two business days and keep you informed through the fix.
Security teams get the deep walkthrough.
Threat model, data flow, controls: we make time.