Security at the boundary.

11/11 is an enforcement system, not an observability tool. Security is not a feature bolted on after the fact, it is the entire premise: nothing executes without a verifiable authorization, and every decision leaves cryptographic evidence.

Security posture

Designed for environments that cannot trust by default.

Named cryptography

Ed25519 authorization signatures, SHA3-512 and BLAKE2b-512 audit chaining. The primitives are published, not implied.

Fail-closed by default

The runtime boundary denies when authorization, identity, or policy is absent. There is no implicit allow.

Multi-tenant isolation

Every request binds to a tenant. Policy, artifact, audit chain, and decision hash are tenant-scoped, with no cross-tenant leakage or replay.

Immutable lineage

Decisions are chained and persisted. Tampering breaks the chain and is detectable. Logs are not treated as evidence.

Public, reproducible proof

Health and proof endpoints are public. Independent reviewers can reproduce any published claim against the live control plane.

Post-quantum aware

The cryptographic enforcement model is designed with post-quantum readiness as an explicit forward requirement.

Source-code hygiene

Source repositories enforce automated secret scanning and push protection. Signing keys never leave the control plane; only public verification keys (JWKS) are published.

Tested and reviewed

Internal penetration testing and security due diligence have been completed, with ongoing review.

Regulated and sovereign environments

Built to support the controls these missions require.

Execution governance is designed to align with the control expectations of defense, healthcare, and financial operators, including HIPAA-aligned decision boundaries for clinical AI and an Execution Governance Profile mapped to the NIST AI Risk Management Framework.

  • Deterministic, auditable authorization on every action
  • Tenant isolation suitable for regulated and mission-critical compute
  • Evidence chain for post-incident reconstruction and audit

11/11 designs toward these frameworks; specific certifications and accreditations are pursued and disclosed independently. Nothing on this page asserts a certification not held.

Responsible disclosure

Report a vulnerability

Security researchers are welcome. Report suspected vulnerabilities directly to the team. We will acknowledge and coordinate remediation.