Zero-Egress
Sensitive evidence never leaves your infrastructure. Only cryptographic commitments (hashes) are shared externally.
Security Model
GLACIS is designed with security as a foundational principle. This document describes the security model, threat assumptions, and cryptographic guarantees.
Security Principles
Defense in Depth
Multiple layers of security controls ensure no single point of failure.
Minimal Trust
Components are designed to require minimal trust in each other.
Cryptographic Integrity
All attestations are cryptographically signed and verifiable.
Threat Model
What GLACIS Protects Against
| Threat | Mitigation |
|---|---|
| Attestation forgery | Ed25519 signatures; only authorized sidecars can sign |
| Replay attacks | Epoch binding + monotonic counters |
| Data exfiltration | Zero-egress design; only commitments leave infrastructure |
| Tampering | Merkle tree ordering; any modification detectable |
| Unauthorized access | API key authentication; RBAC in dashboard |
| Man-in-the-middle | TLS 1.3 for all connections |
What GLACIS Does NOT Protect Against
| Threat | Responsibility |
|---|---|
| Compromised sidecar | Your infrastructure security |
| AI model attacks | AI provider security |
| Insider threats | Your access controls |
| Physical access | Your data center security |
Architecture Security
Component Trust Model
┌─────────────────────────────────────────────────────────────┐│ Trust Boundaries │├─────────────────────────────────────────────────────────────┤│ ││ YOUR INFRASTRUCTURE (You control) ││ ┌─────────────────────────────────────────────────────┐ ││ │ • Sidecar deployment │ ││ │ • API keys and secrets │ ││ │ • Network access │ ││ │ • Evidence storage (L2) │ ││ └─────────────────────────────────────────────────────┘ ││ ││ GLACIS SERVICES (GLACIS controls) ││ ┌─────────────────────────────────────────────────────┐ ││ │ • Witness service (epoch management) │ ││ │ • Receipt service (Merkle tree) │ ││ │ • Dashboard (compliance management) │ ││ │ • Receives only: commitments, metadata, proofs │ ││ └─────────────────────────────────────────────────────┘ ││ ││ AI PROVIDERS (Third-party) ││ ┌─────────────────────────────────────────────────────┐ ││ │ • OpenAI, Anthropic, etc. │ ││ │ • Process your AI requests │ ││ │ • Subject to their security practices │ ││ └─────────────────────────────────────────────────────┘ ││ │└─────────────────────────────────────────────────────────────┘Data Flow Security
┌─────────────────────────────────────────────────────────────┐│ Request/Response (Sensitive) ││ • Stays in your infrastructure ││ • Only commitment hash leaves │└──────────────────────────┬──────────────────────────────────┘ │ │ commitment = sha256(data) ▼┌─────────────────────────────────────────────────────────────┐│ GLACIS Services (Non-sensitive) ││ • Receives: commitment hash ││ • Cannot: reverse hash to get original data ││ • Can: verify proof mathematically │└─────────────────────────────────────────────────────────────┘Cryptographic Guarantees
Ed25519 Signatures
Every attestation is signed using Ed25519:
// Sidecar holds private keyconst signature = ed25519.sign( canonicalize(attestation), sidecarPrivateKey);
// Anyone with public key can verifyconst valid = ed25519.verify( canonicalize(attestation), signature, sidecarPublicKey);Properties:
- Non-repudiation: Sidecar cannot deny creating attestation
- Integrity: Any modification invalidates signature
- Forward secrecy: Past signatures remain valid if key compromised
SHA-256 Commitments
Commitments bind attestations to data without revealing it:
// Request commitmentconst requestCommitment = sha256(canonicalize({ model: 'gpt-4', messages: [...], timestamp: Date.now(),}));
// Evidence commitment (L2 only)const evidenceCommitment = sha256(canonicalize({ request: {...}, response: {...}, policyScores: {...},}));Properties:
- Binding: Commitment uniquely identifies the data
- Hiding: Cannot determine data from commitment
- Collision-resistant: Cannot find two inputs with same commitment
Merkle Tree Proofs
Attestations are ordered in a Merkle tree:
Root Hash / \ H(A+B) H(C+D) / \ / \ H(A) H(B) H(C) H(D) │ │ │ │ Att₁ Att₂ Att₃ Att₄Properties:
- Ordering: Attestations have definite sequence
- Inclusion proof: Prove attestation is in tree without full tree
- Tamper-evident: Any modification changes root hash
HMAC-SHA256 State Integrity
Conversation state in the wizard is protected:
const stateSignature = hmacSha256( canonicalize(conversationState), serverSecret);
// Verify on each requestconst valid = hmacSha256( canonicalize(receivedState), serverSecret) === receivedSignature;Authentication & Authorization
API Key Authentication
Authorization: Bearer glc_live_abc123...Key types:
| Prefix | Environment | Use |
|---|---|---|
glc_live_ | Production | Real attestations |
glc_test_ | Testing | Test attestations |
Bearer Token Authentication
Epoch-bound tokens for sidecars:
Authorization: Bearer wt_abc123...Properties:
- Issued by witness service
- Bound to specific epoch
- Cannot be used after epoch expires
- Cannot be used by different sidecar
Session Authentication
Dashboard uses session cookies:
- HttpOnly: Yes (prevents XSS access)
- Secure: Yes (HTTPS only)
- SameSite: Strict (prevents CSRF)
- Duration: 24 hours (configurable)
Role-Based Access Control
| Role | Permissions |
|---|---|
| Admin | Full access, user management, settings |
| Editor | Read/write controls, evidence, reports |
| Viewer | Read-only access to all data |
| API | Programmatic access per key scope |
Network Security
TLS Requirements
All connections require TLS 1.3:
- Strong cipher suites only
- Certificate pinning for sidecar → GLACIS
- HSTS enabled on all endpoints
Endpoint Security
| Endpoint | Protection |
|---|---|
api.glacis.io | API key + rate limiting |
witness.glacis.io | API key + epoch validation |
receipts.glacis.io | Bearer token + 7-phase validation |
app.glacis.io | Session + CSRF protection |
DDoS Protection
- Cloudflare DDoS protection on all endpoints
- Rate limiting per API key/session
- Automatic challenge pages for suspicious traffic
Data Protection
At Rest
| Data | Encryption |
|---|---|
| API keys | Argon2id hash |
| Passwords | Argon2id hash |
| PII fields | XChaCha20-Poly1305 |
| Sessions | Secure random tokens |
In Transit
- TLS 1.3 for all connections
- Certificate transparency logging
- HTTP Strict Transport Security (HSTS)
Audit Logging
All operations are logged:
interface AuditEntry { id: string; timestamp: number; organizationId: string; actorId: string; action: string; resource: string; details: Record<string, unknown>; ipAddress: string; userAgent: string;}Audit logs are:
- Append-only (immutable)
- Retained for 7 years
- Available for export
Compliance
SOC 2 Type II
GLACIS services are SOC 2 Type II certified:
- Security
- Availability
- Confidentiality
GDPR
For EU customers:
- Data processing agreement available
- EU data residency option
- Right to erasure supported
- Data export available
HIPAA
For healthcare customers:
- BAA available
- PHI never transmitted to GLACIS (zero-egress)
- Attestation commitments are non-PHI
Incident Response
Reporting Security Issues
Report security vulnerabilities to: security@glacis.io
We follow responsible disclosure:
- Acknowledge within 24 hours
- Investigate and fix
- Notify affected customers
- Public disclosure after fix
Security Updates
- Critical patches: Within 24 hours
- High severity: Within 7 days
- Medium/Low: Next release
Security Best Practices
For Sidecar Deployment
- Rotate secrets regularly: API keys, sidecar keys
- Use minimal permissions: Only required scopes
- Network isolation: Restrict sidecar egress
- Monitor access: Review audit logs regularly
- Keep updated: Apply security patches promptly
For Dashboard Users
- Strong passwords: 12+ characters, unique
- Enable MFA: When available
- Review access: Audit user permissions quarterly
- Secure endpoints: Use VPN for sensitive operations
- Session hygiene: Log out when done
Next Steps
Zero-Egress Design
Deep dive into the zero-egress architecture.
Encryption Details
Understand encryption algorithms and key management.