Enterprise Compress · Security

Banking-grade. Day one.

Three deployment tiers from Enterprise to fully air-gapped. SOC 2, HIPAA, ITAR and sovereign-cloud paths covered.

Request security whitepaper Schedule procurement call
3-Tier ArchitectureAir-Gap ReadyDilithium2 Post-Quantum0 HIGH / 0 MODERATE Vulns

Section 01

Three-tier architecture.

Tier 1

Standard

Standard enterprise deployment. Industry-grade encryption, cloud or on-prem.

Encryption

AES-256-GCM

Compliance

SOC 2 Type II

SLA

99.9%

Tier 2

Zero-Knowledge

Data never leaves your control. Customer-held keys. Encrypted at rest, in transit, in compute.

Encryption

Post-Quantum Kyber-1024

Compliance

HIPAAHITECH

SLA

99.99%

Tier 3

Air-Gapped

Complete physical isolation. No network egress. Classified-network compatible.

Encryption

Customer-controlled HSM

Compliance

ITARNATOSCISAP

SLA

Custom

Section 02

Bifrost: your data never leaves.

Engineered so it can't.

Bifrost is the single egress point of the container — mechanically enforced via Clippy lint rules for both HTTP and TCP traffic. No outbound call possible without explicit policy. No telemetry. No phone-home.

Banking-grade auth, day one

  • bcrypt-12 password hashing
  • CSRF protection on all state-changing endpoints
  • Hash-chained audit log (cryptographically linked)
  • Rate-limiting on auth endpoints
  • Session management with rotation

Section 03

Dilithium2 post-quantum updates.

Container updates ship as .aqpkg files, signed with Dilithium2 — a NIST Post-Quantum signature scheme. Tampering produces a verifiable cryptographic mismatch. Update integrity survives the quantum-computing transition without re-architecture.

Section 04

Vulnerability audit · v1.0.0-rc18.

0

HIGH severity

0

MODERATE severity

5

LOW (transitive)

Continuous scanning enforced in CI. Every release blocked on clean HIGH / MODERATE. The five LOW findings are transitive dependencies with no actionable remediation path.

Section 05

Air-gapped deployment checklist.

  1. 01No internet connection required at any point post-install
  2. 02No telemetry, no phone-home, no external calls
  3. 03All updates via signed .aqpkg files transferable on physical media
  4. 04Local audit log only, customer-controlled retention
  5. 05No third-party SaaS dependencies
  6. 06Compatible with classified-network deployment

Compliance team needs detail?

Security Whitepaper covers cryptographic primitives, threat model, audit-log format and the full Bifrost lint specification.

Request security whitepaper Schedule procurement call