Security

Trust is a first‑class product surface. ODIN Secure is designed so every critical action (ingress event, routed delivery, policy evaluation, envelope sealing, metered usage export) produces verifiable, cryptographically signed receipts that you can independently audit, export, and replay.

Zero blockchain dependencyDeterministic policyReplayable receiptsCryptographic export bundles

1. Architecture Overview

The platform is composed of modular services: Router (OSE), HEL Policy Engine, OPE Proof Envelope, and OMB Meter & Billing. Each module emits structured events to an internal append‑only event bus. Downstream cryptographic bundlers produce hash‑linked bundles (Merkle root style) signed with an Ed25519 private key whose public part is published in a rotating JWKS endpoint.

  • Each receipt references a parent hash creating a tamper‑evident chain.
  • Receipts are canonicalized (stable JSON ordering + UTF‑8) before hashing.
  • Bundle manifests include: version, root hash, signature, issuing key id, receipt index.
  • Exports can be re‑verified offline with only the JWKS snapshot + bundle file.

2. Cryptography

Algorithms

  • Signing: Ed25519 (libsodium / WebCrypto)
  • Hashing: BLAKE3 (preferred) or SHA‑256 fallback
  • Transit: TLS 1.3 enforced (AWS ALB + CDN edge)

Key Management

  • Keys stored in KMS / HSM boundary (AWS KMS multi‑Region)
  • Rotation: 90‑day rolling; old keys retained for verify‑only
  • JWKS caching TTL: 5m (client) with ETag / If-None-Match

We never expose private signing keys; all signing happens within ephemeral workers with short‑lived credentials.

3. Data Handling & Privacy

  • Data Minimization: We store only metadata required for reconciliation and verification; payload bodies optionally redacted / hashed.
  • Retention Controls: Plan‑based retention windows (7d, 30d, 90d, enterprise custom); automatic purge jobs with cryptographic gap detection.
  • Encryption: All at rest (AES‑256) via cloud provider managed keys; customer‑managed key option (roadmap).
  • Multi‑Tenant Isolation: Logical namespace + scoped key IDs; signature context includes tenant id to prevent cross‑tenant replay.
  • Redaction Pipeline: Pattern & classification based field scrubbing prior to persistence (PII/PHI patterns, configurable regex).

4. Infrastructure & Network

  • Immutable infrastructure deploys (image digests pinned, no SSH baseline).
  • Segregated VPC subnets for control plane vs. worker execution.
  • mTLS inside cluster; network policies restrict egress to allowlisted domains (HEL integration).
  • Web Application Firewall & rate limiting (token bucket per tenant + per key).
  • Automatic DDoS absorption at edge (provider global anycast).

5. Secure Development Lifecycle

  • All changes via PR with mandatory code review; branch protection on main.
  • Static analysis & dependency vulnerability scanning (SCA) on each commit.
  • Reproducible build artifacts with provenance metadata (SLSA‑inspired).
  • Secrets scanning & supply chain policy (disallow mutable latest tags).
  • Infrastructure as Code drift detection & daily reconciliation.

6. Vulnerability Disclosure

We operate a responsible disclosure program.

  • Email reports to security@odinsecure.ai with reproduction steps.
  • Acknowledge within 2 business days, initial triage within 5.
  • Coordinated disclosure timeline mutually agreed (usually < 30 days).
  • No legal action for good faith research meeting guidelines.

7. Compliance & Roadmap

Current Controls

  • Access logging
  • Key rotation policy
  • Least privilege IAM
  • Automated backups

In Progress

  • SOC 2 Type I readiness
  • Customer managed keys (CMK)
  • Signed SBOM exports

Planned

  • SOC 2 Type II
  • ISO 27001 mapping
  • FedRAMP Tailored exploration

8. FAQs

How do I verify a receipt bundle?

Download the bundle JSON + the JWKS document captured at export time. For each receipt: compute canonical JSON, hash, and compare to the index list. Finally verify the signature over the root hash with the matching key id.

What happens if a receipt is missing?

Gap detection fails the bundle integrity check; the root hash no longer matches and verification tooling flags the bundle as invalid.

Are payloads encrypted end‑to‑end?

Payload transport uses TLS 1.3. Optional application‑level encryption (envelope with recipient public key) is on the roadmap; today you can pre‑encrypt fields client‑side—hash / redact still preserved in receipts.

Questions, penetration test coordination, or security review requests: security@odinsecure.ai

PGP (coming soon) • Last updated 2025-08-26