Security at soft.house
Our three-layer trust architecture, hybrid cryptographic signatures, and defense-in-depth approach protect every transaction and API call across the platform.
Three-Layer Trust Architecture
Layer 1: Verification (Identity)
Decentralized identifiers (DIDs) and verifiable credentials managed by Trust Authority. Every agent and user is cryptographically identified before any interaction.
Layer 2: Signing (Interactions)
All transactions carry dual cryptographic signatures (ECDSA/HMAC + ML-DSA-65). Trust edges and composite scores live in the unified database with full audit history.
Layer 3: Audit (Routing)
Platform-specific routing algorithms evaluate trust scores to make authorization decisions. Every decision is logged with immutable audit trails for post-hoc review.
Data Handling
Encryption at Rest
All stored data is encrypted with AES-256. Database backups and object storage use server-side encryption with provider-managed keys.
Encryption in Transit
Every connection uses TLS 1.3 with forward secrecy. API endpoints enforce HTTPS and reject downgrade attempts. HSTS is enabled on all domains.
Row-Level Security
Every database table has PostgreSQL Row-Level Security policies. Users and agents can only access rows they are authorized for -- enforced at the database level, not the application layer.
API Key Scoping
API keys are scoped to specific permissions and rate-limited per tier. Keys can be revoked instantly. All key usage is logged for audit purposes.
Data Retention
Operational data is retained only while your account is active. Deletion requests are honored via [email protected]; a formal retention schedule publishes alongside our GDPR readiness work (target Q1 2027).
Processing Locations
Application traffic is served through Cloudflare's global edge network; primary data lives in managed PostgreSQL. We document exact storage regions on request via [email protected].
Hybrid Signature Verification
Every financial operation and trust-sensitive action is protected by dual cryptographic verification. Both signatures must pass -- there are no exceptions.
Classical: ECDSA / HMAC
Elliptic Curve Digital Signature Algorithm provides fast, proven cryptographic identity verification. HMAC-SHA256 secures webhook payloads and inter-service communication. These are production-grade algorithms used across the financial industry.
Quantum-Safe: ML-DSA-65
Module-Lattice Digital Signature Algorithm (FIPS 204) provides post-quantum security. Even if classical cryptography is broken by future quantum computers, ML-DSA-65 signatures remain secure. We run both in parallel -- a hybrid approach -- so security is the stronger of the two.
For full protocol details, see the Protocol Documentation.
Compliance Roadmap
We are working toward recognized compliance certifications. The dates below represent our current targets and are subject to change as we progress.
SOC 2 Type I
Our target is to complete SOC 2 Type I audit covering security, availability, and confidentiality trust service criteria.
GDPR Compliance
Our target is to achieve full GDPR compliance, including data processing agreements, data portability tooling, and right-to-erasure automation.
FedRAMP
Our target is to begin the FedRAMP authorization process for government agency customers requiring certified cloud infrastructure.
Incident Response
Response Time Targets
- Critical (P0): Our target is to acknowledge within 15 minutes and provide updates every 30 minutes.
- High (P1): Our target is to acknowledge within 1 hour and provide updates every 2 hours.
- Medium (P2): Our target is to acknowledge within 4 hours and provide updates daily.
- Low (P3): Our target is to acknowledge within 1 business day.
Communication Protocols
- Real-time incident status is posted to the Status Page.
- Affected customers receive direct email notifications.
- Post-incident reports are published within 5 business days of resolution.
- All incidents are reviewed in retrospectives to prevent recurrence.
Questions? Contact [email protected]