Hardware-bound keys
Root keys generated and sealed inside an HSM or secure enclave. Never extractable, never visible to operators.
Defense in depth
Cryptographic, network, and runtime isolation enforced independently at every layer of the stack.
Continuous attestation
Every node continuously proves its runtime integrity. Drift detection in milliseconds, not weeks.
Audited & compliant
SOC 2 Type II, ISO 27001, FedRAMP-Moderate aligned. External penetration tests every quarter.
The Vessoul security model.
Three assumptions, all hostile. The network is adversarial. The operator is honest-but-curious. The cryptography of 2040 is on the horizon today. Every architectural decision is downstream of those three.
Threat: network adversary
Mitigation: end-to-end encryption, mutual attestation, no plaintext in transit.
Threat: malicious operator
Mitigation: hardware root of trust, ZK envelopes; the operator can't read payloads.
Threat: post-quantum break
Mitigation: hybrid PQ signatures today, full PQ mode for sovereign deployments.
Threat: supply chain
Mitigation: reproducible builds, signed artifacts, SBOM published per release.