Security

Authority’s security model — fail-closed enforcement, decision precedence, and structural placement at the action boundary — is described on the product page. This page covers the deployment architecture, data handling, supply chain integrity, compliance readiness, and vulnerability disclosure.

Deployment Architecture

Authority — enforcement, policy evaluation, delegation verification, time and revocation evidence resolution, and receipt generation — operates within the customer environment, deploying as an SDK wrapper, tool boundary, or local enforcement service. The decision path does not leave the customer trust boundary.

Observatory and optional analytics services may run in Ambit Systems-managed infrastructure. These services are read-oriented — they do not participate in enforcement decisions.

Data Handling

Authority (customer environment). Governance metadata, evidence records, policy and delegation state, revocation state, and runtime-attestation material remain within the customer environment. Ambit Systems does not access this data unless explicitly granted access for support purposes. Action requests are evaluated in real time, and application payloads are not retained beyond the evaluation window. Retention is configured by the customer; the default is governance metadata and evidence records only.

Observatory (Ambit Systems-managed, where applicable). Where Observatory runs in Ambit Systems infrastructure, it ingests receipts and governance metadata synced by the customer. Application payloads are not ingested. Retention and access controls are governed by the Order Form.

Where fields are redacted for privacy, the omission is visible via explicit redaction markers — not missing keys. Privacy is an explicit configuration: what is stored, hashed, redacted, and retained is a first-class governance decision.

Supply Chain Integrity

Authority runs inside the customer trust boundary, so release integrity and dependency provenance are governance-relevant. Dependencies are reviewed prior to inclusion.

Compliance Readiness

Authority produces decision records tied to the policy version, delegation chain, authenticated evaluation time, and revocation evidence in effect at decision time. The evidence model is designed for audit and regulatory inquiry — not to replace your compliance programme, but to provide the technical records it depends on. Because Authority is deployed within your environment, enforcement and evidence remain within your audit boundary — supporting your own compliance obligations (SOC 2, ISO 27001, APRA CPS 234, and similar frameworks).

Certification status will be published here when available.

Reporting A Vulnerability

Security vulnerabilities should be disclosed responsibly to security@ambit-systems.com. We acknowledge disclosures within 2 business days and coordinate a remediation timeline with the reporter.

Security Advisories

Ambit Systems publishes security advisories for confirmed vulnerabilities in Authority or its dependencies. Customers on active support receive direct notification. For Ambit Systems-managed Observatory deployments, affected customers are notified of confirmed security incidents per the timeline agreed in their Order Form.

If your organisation has security or compliance questions, contact us to discuss requirements under NDA.