GRAYPASSDOC/TRUST-01

Trust, documented.

What we collect, what we keep, what we deliberately never store, and where our compliance work stands. No badges we haven't earned; everything here is the current, honest state of the system.

I. SECURITY POSTURE

01  Salted, not stored

Behavior collapses into a salted print. The print is what we keep; the behavior does not persist.

02  Encrypted at rest

Templates and helper data sit behind envelope encryption. A database spill gives an attacker nothing usable.

03  Cancelable templates

If anything ever leaks, the seed rotates. Identity stays; the template behind it is replaced in minutes.

04  Replay-hard

Server-driven schedules with jittered timing. Macros and remote-takeover tooling cannot fake the cadence.

05  Auditable decisions

Every accept or deny carries calibrated confidence and a human-readable reason. Nothing happens in silence.

06  Consent-led

Raw signals are not collected by default. Opt-in research data is double-encrypted and revocable on request.

FULL THREAT MODEL AND ATTACK WALKTHROUGHS: SECURITY DOCUMENT

II. DATA HANDLING

COLLECTED IN-SESSION

  • Pointer dynamics (timings)
  • Typing cadence (timings only, never content)
  • Scroll rhythm

STORED

  • Salted behavioral print (small vector)
  • Decision log with reason codes
  • Per-user salts

NEVER STORED

  • Raw behavioral streams
  • Typed content
  • Static biometric images of any kind

DATA RIGHTS

  • Erase on request
  • Consent-led research data
  • Seed rotation on demand
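The salted print, cancelable template and auditable decision items above, together with the stored / never-stored lists, describe a storage property at sketch level: only a keyed derivative of the behavior is kept, so a leaked table is useless without the per-user seed, and rotating the seed cancels the template. The block below is an added illustrative model written for this page, not GrayPass's own code. It assumes per-feature keyed tags (HMAC over position and quantised bin), a 10 ms bin width, a 6-of-8 agreement threshold and constructed sample timings, all chosen for illustration; production behavioral systems typically use fuzzy extractors with helper data instead, and per-feature tags still reveal which positions agreed across sessions, so treat it as a teaching model of the property rather than a design.

```python
import hashlib
import hmac
import secrets

# Constructed sample sessions: inter-keystroke intervals in milliseconds.
# Hypothetical data, not measurements from any real user.
ENROL_SESSION = [112, 98, 141, 87, 120, 133, 95, 108]
SAME_USER_SESSION = [113, 95, 145, 84, 122, 138, 91, 111]   # same person, natural jitter
OTHER_USER_SESSION = [210, 180, 95, 250, 60, 190, 95, 220]  # a different rhythm

BIN_MS = 10          # quantisation width; an assumption, tuned per deployment in practice
MATCH_THRESHOLD = 6  # features (of 8) that must agree; also an assumption


def quantize(intervals_ms, bin_ms=BIN_MS):
    """Map each raw timing to a coarse bin so ordinary jitter stays inside one symbol."""
    return [t // bin_ms for t in intervals_ms]


def salted_print(intervals_ms, seed):
    """Keyed per-feature tags: HMAC(seed, position:bin). Only these tags are ever stored.

    Without the seed the tags are pseudo-random and say nothing about the timings.
    """
    return [
        hmac.new(seed, f"{i}:{b}".encode(), hashlib.sha256).hexdigest()[:16]
        for i, b in enumerate(quantize(intervals_ms))
    ]


def enrol(intervals_ms, seed=None):
    """Create a per-user seed and the print derived from it; the raw intervals are then dropped."""
    seed = seed or secrets.token_bytes(32)
    return seed, salted_print(intervals_ms, seed)


def decide(stored_print, intervals_ms, seed, threshold=MATCH_THRESHOLD):
    """Compare a fresh session against the stored print and return an auditable decision record."""
    probe = salted_print(intervals_ms, seed)
    agree = sum(1 for a, b in zip(stored_print, probe) if hmac.compare_digest(a, b))
    confidence = agree / len(stored_print)
    accepted = agree >= threshold
    reason = (f"{agree}/{len(stored_print)} behavioral features matched the salted print "
              f"(threshold {threshold})")
    return {"accepted": accepted, "confidence": confidence, "reason": reason}


def rotate_seed(intervals_ms):
    """Cancel the current template: a fresh seed yields an unrelated print for the same person.

    Needs a live session, because the raw behavior was never stored.
    """
    return enrol(intervals_ms)


if __name__ == "__main__":
    seed, stored = enrol(ENROL_SESSION)
    print(decide(stored, SAME_USER_SESSION, seed))    # accepted, 7/8 features agree
    print(decide(stored, OTHER_USER_SESSION, seed))   # denied, 1/8
    new_seed, new_stored = rotate_seed(ENROL_SESSION)
    print(decide(stored, ENROL_SESSION, new_seed))    # old print is useless under the new seed
```

The decision record carries both a numeric confidence and a plain-language reason, which is the shape an auditable accept/deny log needs; the seed is the only secret, so a dump of the print table without it yields no timings, and re-enrolling under a new seed leaves the old print with zero agreement even for the legitimate user.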

III. COMPLIANCE STATUS

SOC 2: AVAILABLE UNDER NDA

Our control set and supporting evidence are available to review under NDA.

GDPR alignment: ALIGNED BY DESIGN

Data minimization, purpose limitation, and erase-on-request are built into the pipeline rather than bolted on.

Encryption: IN PRODUCTION

TLS 1.3 in transit with HSTS and per-request nonces; envelope encryption at rest for templates and helper data.

Penetration testing: ON REQUEST

We support customer-led security reviews and will schedule walkthroughs with your security team.

IV. RESPONSIBLE DISCLOSURE

Found something? Email hello@graypass.org with the subject “Security disclosure.” Reports go directly to the founders; we acknowledge within two business days and keep you informed through the fix.

Security teams get the deep walkthrough.

Threat model, data flow, controls: we make time.