Security

All system components operate exclusively within your private network. Every service communicates internally — no external cloud calls are made during normal operation.

After initial deployment, the system has no internet dependency. It can run fully air-gapped, with no ongoing connectivity required.

The AI model runs on your own hardware. No queries, documents, or responses are transmitted to any external party, including Selvo Lab.

Selvo Lab has zero visibility into your deployment, your data, or how the system is used.

All traffic is encrypted in transit. HTTPS is enforced on all endpoints, with strict transport security headers that prevent protocol downgrade attacks.

Every server response includes security headers that prevent data exfiltration via content injection, block clickjacking, enforce content-type expectations, and restrict referrer information.

Governance policy artifacts are cryptographically signed before deployment. The production runtime verifies each signature before activation and fails closed if the signature is invalid or absent. Policy activation is atomic and concurrency-safe — partial or inconsistent policy states are not possible.

The production runtime is verify-only. It cannot create or sign new policies — all signing occurs offline, outside the production environment.

Every action performed through the system is automatically logged. Each record captures the acting user, the action performed, the targeted resource, the outcome, duration, source address, and timestamp.

A separate audit trail tracks all GDPR-relevant events: consent records, deletion requests, and data export actions.

The governance policy audit chain is append-only. Modification or deletion of audit records is blocked at the storage layer — records cannot be altered after the fact, even by administrators.

All audit logs are queryable by authorised administrators for compliance, investigation, and reporting purposes.

Every release undergoes automated vulnerability scanning across all dependencies — both server-side and client-side. High-risk vulnerabilities block the release from proceeding.

A mandatory release gate must pass before any change reaches production. Artifacts are promoted by immutable digest — once a release clears the gate, the artifact cannot be modified.

Runtime health checks and smoke tests run as part of every deployment to verify system integrity before traffic is accepted.

When a document is deleted, it is removed from all search indexes and the document ledger simultaneously. The document ledger is the authoritative source of truth — a deleted document cannot be re-introduced by system migrations or updates.

User account deletion is a hard delete. All associated sessions and data are removed through cascading constraints — no orphaned records remain.

Automated retention policies purge old sessions, logs, and data exports on a configurable schedule.

The system supports GDPR right-to-erasure and right-to-portability. Users can export a complete copy of their data before deletion. Retention periods are configurable per deployment to match your organisation's data governance requirements.