Security architecture

Current cryptographic and infrastructure configuration. Claims link to implementation.

TLS grade
A+
Render TLS termination · HTTPS enforced · HSTS
Encryption at rest
AES-256-GCM
Per-save 12-byte IV · per-tenant key prefix · versioned keychain
Encryption in transit
TLS 1.2+
Render termination · Neon PostgreSQL SSL required
KMS provider
Render Env Secrets (environment-variable secrets injected into the runtime; not an HSM-backed KMS)
STURNA_ENCRYPTION_KEY + AUDIT_HMAC_KEY injected at runtime
Post-quantum crypto
ML-KEM-1024
ML-KEM-1024 encapsulation with AES-256-GCM as the data-encryption layer (KEM-DEM) · 1568-byte KEM ciphertext. No classical KEM is listed alongside it, so this is post-quantum-only key establishment rather than a classical/PQ hybrid.
Audit log retention
365 days
TTL index enforces cleanup · WORM: no UPDATE/DELETE allowed
Cryptographic controls summary
Control | Implementation | Status | Evidence
State encryption | AES-256-GCM, 12-byte random IV per operation | Active | src/lib/secure-sturna-checkpointer.js
Audit log signing | HMAC-SHA256 over a deterministic canonical payload, verified on every read | Active | src/lib/audit-logger.js
Post-quantum key exchange | ML-KEM-1024 encapsulation + AES-256-GCM data encryption (KEM-DEM) · 0.98 ms average | Active | src/lib/secure-sturna-checkpointer.js §PQ
Zero-trust agent tokens | HS256 JWT, per-tenant HMAC key rotated every 30 days, 5-minute token TTL | Active | services/zero-trust-token-service.js
Audit log immutability | PL/pgSQL trigger blocks UPDATE/DELETE on compliance_audit_log | Active | migrations/046_*.js
Tenant isolation | Per-tenant Redis key prefix; cross-tenant access throws and emits an audit event | Active | src/lib/redis-checkpointer.js
Key versioning | keyVersion field on every STATE_SAVED event; rolling rotation | Active | audit log keyVersion field
Live pilot signal
Live count of active pilot workspaces with team members reviewing compliance outputs. Read from the pilot_workspace_members table; updates on page load.

Compliance program status

Real status. Observation period started 2026-05-03. Type II requires 90–180 days of operating evidence. Not complete — target Q4 2026.

SOC 2 Type II — Observation Period 1 of 1
Auditor: Not yet engaged · Target: 2026-11-01 · Compliance platform: Drata (recommended, trial not yet started)
In observation
Day 3 of 180 (~1.7% complete)

Observation started 2026-05-03T07:40:00Z. The control design (what a Type I report would attest) is in place; Type II has to show those controls operated over the full observation window. No report of either type has been issued yet; this tracker reflects where we actually are.

Controls in scope:
CC6.1 Logical Access Controls
CC6.6 Encryption in Transit & At Rest
CC7.2 System Monitoring
CC8.1 Change Management

Open gaps (all in progress, target Q3 2026):
CC6.1: access provisioning policy
CC7.4: incident response policy
CC8.1: GitHub branch protection
CC7.2: Datadog alerting on HMAC verification failures

Verify Audit Chain

Paste any Sturna thread ID from a Transparency Card or audit log reference. The server recomputes the HMAC-SHA256 for every entry in that chain and reports any mismatch without exposing the key. Because the key never leaves the server, this detects post-write tampering by anyone who does not hold the key; it does not give a third party independent verification, since the recomputation runs on the same service being checked. GRC reviewers: download the PDF report to attach to your audit file.

HMAC Audit-Chain Verifier
Server recomputes HMAC-SHA256 for every entry in the chain and reports the result per entry.

Audit log health

Real-time aggregates from the live compliance_audit_log table. Cached 5 minutes. Integrity score below 100% would be a production incident.

Total audit entries
All HMAC-signed log records
Integrity score
% of sampled entries with a valid HMAC
Oldest entry
Proves continuous operation
Retention policy
WORM — append-only, no UPDATE/DELETE
Last entry written
Most recent log activity
Jurisdictions covered
What does integrity score mean? The server samples the 100 most recent audit entries and recomputes each HMAC-SHA256 signature server-side. Any mismatch between the stored and recomputed value indicates post-write tampering of that row. 100% means every sampled entry is intact; the score says nothing about entries outside the sample, and a per-row MAC check alone does not reveal a deleted row. PL/pgSQL triggers block UPDATE/DELETE at the database level as defense in depth against exactly that.

Article-by-article attestation

Sturna maps its architecture against EU AI Act Articles 10–15 (High-Risk AI obligations). Full Article-by-Article analysis available at the readiness tool. Below: Sturna's own posture on each key obligation.

Article 10
Data and data governance
Addressed

ComplianceClassifier tags PII/MNPI inline. Hard MNPI reject. Per-tenant data isolation enforced.

Article 11
Technical documentation
In progress — Q3 2026

Architecture doc + data-flow diagram drafted. Formal Annex IV package in progress.

Article 12
Record-keeping
Addressed

Append-only HMAC-signed audit log. WORM enforcement. 365-day retention. SEC 17a-4 aligned.

Article 13
Transparency
Addressed

Triple-Gate verification. GSAR grounding. Citations traced to source on every output.

Article 14
Human oversight
Addressed

Hallucination-blocked events recorded. Budget exhaustion stops intent. Human review path available.

Article 15
Accuracy & robustness
Addressed

MARCH verification gate. §13A GSAR adversarial regeneration. Post-quantum crypto. Self-healing router.

Full Article-by-Article Checklist
113 articles analyzed — Sturna's posture mapped to each obligation

Obligations under EU AI Act Articles 10–15 for high-risk AI systems apply from 2 August 2026. Operators of high-risk AI systems in regulated verticals must be able to demonstrate conformity before that date.

Last 90 days

No greenwashing. Dips included, fixes documented.

90-day uptime
99.1%
Excluding scheduled maintenance windows
Incidents (90d)
4
2 P1 (resolved) · 2 P0 (ongoing, see log below)
MTTR
~47 min
Mean time to recovery across resolved incidents
Incident log — last 90 days
2026-05-01
OpenAI proxy crash loop — service degraded
LLM proxy entered crash loop after upstream API change. Intent execution degraded (~40% error rate). Fix: Proxy client reset on 429, exponential backoff added, startup self-test added to /health. Root cause: missing retry logic on proxy 429 responses.
P1 · 68 min
2026-04-18
Actuarial vertical 502 under concurrent load
Concurrent pilot load from /dogfood testing caused 502s on actuarial, medical, family-office, and pilots endpoints. Fix: DB connection pool increased, intent execution queue depth reduced. 4 intermittent 502 windows total.
P1 · 31 min
2026-04-02
vs-ChatGPT 429 rate-limit with no fallback
Rate-limit condition with no fallback caused persistent STURNA-DOWN alerts. Status: Known P0 — OPENAI_BASE_URL fix required. Route returns degraded responses while fix is pending.
P0 · Ongoing
2026-03-15
Memory verification degraded — embedding backfill blocked
Memory verification at 0% recall@5. Blocked by OPENAI_BASE_URL configuration gap preventing embedding generation. Status: Degraded — fix in progress with proxy team.
P0 · Ongoing
Feb–Apr 2026
All other systems — operational
No incidents affecting core intent execution, audit logging, compliance classification, or security controls. All 8 launch URLs green.
Operational

Downloadable due-diligence materials

Standard enterprise procurement documents. Current status noted. Email security@polsia.app for the complete ZIP or to request a security questionnaire.

Security questionnaire (CAIQ Lite)
Cloud Security Alliance CAIQ Lite pre-fill, email to request
Available on request
Data-flow diagram
Tenant data paths, encryption boundaries, sub-processor touchpoints
In progress — Q3 2026
Penetration test summary
Scheduled Q3 2026; no pen-test completed yet
Scheduled — Q3 2026
BAA / DPA template
Business Associate Agreement + Data Processing Agreement templates
Available on request
SOC 2 readiness assessment
Full Type II readiness doc including gap analysis and control mapping
Available now
Compliance audit log export
Live evidence export via API: HMAC-signed JSON bundle for Drata
Live API

Live audit evidence bundle: GET /api/compliance/evidence-export/bundle (admin key required). Formatted for Drata Custom Connection daily pull.

Actual list, actual regions

Every service that processes tenant data. No omissions.

Sub-processor | Purpose | Data region | Data type processed | DPA
Neon | Primary database (PostgreSQL serverless) | US-East (AWS us-east-1) | Intent data, audit log, tenant config | Available
Render | Compute / hosting | US-West (Oregon) | Application runtime, env secrets | Available
Upstash Redis | Encrypted state storage (per-tenant) | US-East-1 | AES-256-GCM encrypted agent state | Available
OpenAI (via Polsia proxy) | LLM inference | US (OpenAI data centers) | Intent text, agent prompts (no-PII policy enforced on outbound requests) | Pending
Polsia (proxy) | OpenAI proxy routing & cost tracking | US | LLM request routing (no content storage) | Available
Stripe | Payment processing | US | Payment metadata only; no financial instrument data stored | Available
Postmark | Transactional email | US | Email addresses, notification content | Available

All tenant data is stored and processed in US regions; no EU/EEA hosting region is offered at this time, so data from EU/EEA tenants is transferred to the US. In-region EU data residency is a roadmap item for Q4 2026; contact us if you require it.