Verdict
We’re looking for 2–3 design partners this quarter. Free pilot, your feedback, one quote.Apply →
← Back to home

Security

Deterministic. Auditable. Tamper-evident.

How Verdict keeps enforcement cryptographic, hash-chained, and free of LLMs in the critical path.

Proof of Authority (PoA)

Every APPROVED decision is signed with an Ed25519 key held by your Verdict instance. Your backend (e.g. refund API, email sender) can verify that a token was issued by Verdict before executing the action: call POST /poa/verify with the payload and token. No LLM is involved in signing or verification—purely cryptographic.

Public key: GET /poa/public_key (for offline verification).

Hash-chained audit log

Each audit entry includes previous_hash and entry_hash. Entry N’s entry_hash is the SHA-256 hash of (previous entry’s hash + canonical payload). This creates an immutable chain: any change to history breaks the chain and is detectable. Export as CSV, PDF, or Verifiable Credentials (VC) for regulators and insurers.

No LLM in enforcement

Authorization decisions are deterministic: same input (actor, action, metadata) always yields the same result. Policies are evaluated by a rules engine (built-in Python or OPA/Rego). No language model is called at decision time—so there is no prompt injection or model drift in the critical path. When a request is outside policy, it is ESCALATED to a human; the human’s approve/deny is then logged and optionally signed.

How Verdict prevents incidents

  • Single gate: All high-risk actions (refunds, bulk email, CRM edits, data deletion, permission changes) go through one API. No silent execution.
  • Policy-first: Refund over $50, email to 100+ recipients, VIP edits, high-priority ticket close, PII deletion, admin grants—all require policy allow or human approval.
  • Human-in-the-loop: When policy says no, the request is queued for a human. Your team approves or denies; the decision and latency are recorded.
  • Full trail: Every decision is in the audit log with hash chain. Export for compliance reviews and incident reports.

Reporting

Report security issues responsibly. See SECURITY.md in the repository for disclosure and contact.