Operate

Security

Fidacy sits on the money path, so its security model is conservative by construction. The guiding rule: the system fails safe, proves everything, and isolates every tenant, at the database, not just the app.

Fail-safe by construction

The central invariant runs through the entire codebase: a fault, timeout, or unexpected error degrades to review and is persisted and audited, it never silently approves. Anonymous or hard-violating traffic can never be approved, even by the optional reasoning layer, even under concurrency or partial failure.

Cryptography

  • ·Risk Payloads are signed with EdDSA (Ed25519) and published as compact JWS. Anyone verifies them against the public JWKS at /.well-known/jwks.json by kid.
  • ·The private signing key is held only in the runtime secret store and never touches the database. The verify URL travels in the payload so verification needs no Fidacy round-trip.
  • ·Agent keys are identified by their RFC 7638 thumbprint; an embedded, unverified key is self-asserted and cannot earn trust, preventing key-confusion and forged-card attacks.

Tenant isolation

  • ·Every row is org-tagged and protected by row-level security (FORCE) so cross-tenant reads/writes are impossible even under an application bug.
  • ·The runtime connects as a least-privilege role, not the database owner. Cross-org discovery (for background workers) goes through narrowly-scoped functions that expose only ids, never data.

Keys & secrets

  • ·API keys are stored only as SHA-256 hashes; the raw value is shown once. Revocation is instant and takes effect on the next request.
  • ·Use least-privilege scopes per workload. Rotate keys on a schedule and immediately on any suspected exposure.
  • ·Secrets live only in your environment/secret manager, never in source control, logs, or screenshots.

Non-repudiable audit

Decisions are hash-chained per organization and sealed with Merkle anchors; UPDATE/DELETE are blocked at the database. The chain re-verifies offline from stored rows, so you can prove to an auditor or counterparty exactly what was decided, when, and on what evidence, the EU AI Act evidence standard.

Data handling

  • ·The optional reasoning layer receives only non-sensitive signals (scores, flags, codes), never raw PII or payment credentials.
  • ·Assessments store the structured signals needed to reproduce the verdict, not the user's payment instrument secrets.
Responsible disclosure. Found a security issue? Email security@fidacy.com with details and a proof-of-concept. We respond quickly and credit reporters.