SECURITY & COMPLIANCE

Security Statement. Enterprise-grade policy protection.

Last updated: May 22, 2026. This document details the security architecture, data protection controls, and compliance standards active across the Spctre platform.

Data Security

Encryption and data protection systems

AES-256 & TLS 1.3

Spctre employs defensive security configurations to safeguard your policy bundles, evaluation metrics, and administrative audit trails:

Encryption In Transit

All network communication with our hosted control plane, API endpoints, and decision gateways is strictly encrypted using TLS 1.3 (with TLS 1.2 as a minimum fallback). Perfect Forward Secrecy is enforced for all cipher configurations.

Encryption At Rest

Production databases, transaction records, backups, and file storage volumes are encrypted at rest using industry-standard AES-256 algorithms. Encryption keys are managed through secure cloud hardware security modules (HSMs) with automatic annual rotation.

Backup & Resilience

System databases are backed up continuously using point-in-time recovery configurations. Backups are stored in geographically isolated zones, encrypted with independent keys, and verified weekly for restoration readiness.

Integrity

Cryptographic policy signing and provenance

Unalterable Ledger

Policy injection is a major risk vector in autonomous systems. Spctre enforces rigid cryptographic controls to block unauthorized rule alterations:

SHA-256 Bundle Hashes

When policies compile, the platform generates a unique SHA-256 checksum representing the complete set of rules. Runtimes cross-check this hash prior to rule enforcement to confirm that no in-transit tampering occurred.

Durable Commit History

All rule updates must originate from version control. Spctre links published policy bundles to specific git commit signatures, peer approval records, and verification simulation outputs.

No Direct Dynamic Injection

Our rule engine does not support arbitrary runtime string injection. All rules must be built into structured, signed bundles, preventing remote-code-execution (RCE) vectors via compromised rule files.

Access Controls

Granular workspace isolation and identity management

SAML & SCIM

Logical Tenant Boundaries

Organization resources operate in isolated workspace partitions. Dynamic access filters are applied at the database abstraction layer, rendering data from other workspaces completely invisible to active connections.

Enterprise Identity

Spctre Cloud supports SAML 2.0 single sign-on (SSO) and SCIM provisioning (Okta, Microsoft Entra, Google Workspace), letting you apply corporate password requirements, MFA, and centralized user deprovisioning.

Granular Token Scopes

Developer credentials and service accounts are restricted by role. A token assigned to capture runtime audit logs has no compile permissions and cannot read active policy bundle source code.

Response

Incident and vulnerability management

  • Continuous security scanning is active across our application dependencies, container images, and infrastructure.
  • System logs are aggregated in dedicated security log clusters, with anomalies triggering instant engineer alerts.
  • We operate a secure vulnerability disclosure program at security@spctre.dev.
  • Annual independent penetration tests are conducted by certified external security firms.

Audit

Compliance Certifications

  • Our cloud hosting providers maintain compliance with SOC 2 Type II, ISO 27001, and HIPAA standards.
  • Spctre generates detailed compliance exports ready for SOC 2 Type II audit examinations.
  • Comprehensive administrative audit logs record all policy revisions, key updates, and login attempts.
  • Dedicated data processing agreements (DPA) are executed with all enterprise clients.