Beta Early access — you're seeing this before public launch. Browse our books See terms of early access

Security at soft.house

Our three-layer trust architecture, hybrid cryptographic signatures, and defense-in-depth approach protect every transaction and API call across the platform.

Three-Layer Trust Architecture

Audit Signing Verification (Identity Core)

Layer 1: Verification (Identity)

Decentralized identifiers (DIDs) and verifiable credentials managed by Trust Authority. Every agent and user is cryptographically identified before any interaction.

Layer 2: Signing (Interactions)

All transactions carry dual cryptographic signatures (ECDSA/HMAC + ML-DSA-65). Trust edges and composite scores live in the unified database with full audit history.

Layer 3: Audit (Routing)

Platform-specific routing algorithms evaluate trust scores to make authorization decisions. Every decision is logged with immutable audit trails for post-hoc review.

Data Handling

Encryption at Rest

All stored data is encrypted with AES-256. Database backups and object storage use server-side encryption with provider-managed keys.

Encryption in Transit

Every connection uses TLS 1.3 with forward secrecy. API endpoints enforce HTTPS and reject downgrade attempts. HSTS is enabled on all domains.

Row-Level Security

Every database table has PostgreSQL Row-Level Security policies. Users and agents can only access rows they are authorized for -- enforced at the database level, not the application layer.

API Key Scoping

API keys are scoped to specific permissions and rate-limited per tier. Keys can be revoked instantly. All key usage is logged for audit purposes.

Data Retention

Operational data is retained only while your account is active. Deletion requests are honored via [email protected]; a formal retention schedule publishes alongside our GDPR readiness work (target Q1 2027).

Processing Locations

Application traffic is served through Cloudflare's global edge network; primary data lives in managed PostgreSQL. We document exact storage regions on request via [email protected].

Hybrid Signature Verification

Every financial operation and trust-sensitive action is protected by dual cryptographic verification. Both signatures must pass -- there are no exceptions.

Classical: ECDSA / HMAC

Elliptic Curve Digital Signature Algorithm provides fast, proven cryptographic identity verification. HMAC-SHA256 secures webhook payloads and inter-service communication. These are production-grade algorithms used across the financial industry.

Quantum-Safe: ML-DSA-65

Module-Lattice Digital Signature Algorithm (FIPS 204) provides post-quantum security. Even if classical cryptography is broken by future quantum computers, ML-DSA-65 signatures remain secure. We run both in parallel -- a hybrid approach -- so security is the stronger of the two.

For full protocol details, see the Protocol Documentation.

Compliance Roadmap

We are working toward recognized compliance certifications. The dates below represent our current targets and are subject to change as we progress.

Q4 2026

SOC 2 Type I

Our target is to complete SOC 2 Type I audit covering security, availability, and confidentiality trust service criteria.

Q1 2027

GDPR Compliance

Our target is to achieve full GDPR compliance, including data processing agreements, data portability tooling, and right-to-erasure automation.

Q3 2027

FedRAMP

Our target is to begin the FedRAMP authorization process for government agency customers requiring certified cloud infrastructure.

Incident Response

Response Time Targets

  • Critical (P0): Our target is to acknowledge within 15 minutes and provide updates every 30 minutes.
  • High (P1): Our target is to acknowledge within 1 hour and provide updates every 2 hours.
  • Medium (P2): Our target is to acknowledge within 4 hours and provide updates daily.
  • Low (P3): Our target is to acknowledge within 1 business day.

Communication Protocols

  • Real-time incident status is posted to the Status Page.
  • Affected customers receive direct email notifications.
  • Post-incident reports are published within 5 business days of resolution.
  • All incidents are reviewed in retrospectives to prevent recurrence.

Questions? Contact [email protected]