Skip to documentation

Security architecture

Security controls, data flow, and evidence boundaries.

How Tensor Cortex authenticates requests, constrains routing, handles credentials and content, records decisions, and fails when a required control is unavailable.

Evidence: repository-verified controls

Source reviewed:

Current assurance status

The controls below are implemented and exercised by the current product repository. Production-host TLS, backup-media access, penetration testing, and customer-environment rehearsal remain deployment-specific evidence gates. Tensor Cortex does not currently claim SOC 2, ISO 27001, an independent security audit, or a completed penetration test.

The governing security invariant

A model failure never becomes a data-boundary failure. Identity, application, data class, and published policy determine the compliant deployment set before cost, latency, or health can rank it. Fallback reuses that compliant set. Once a response stream starts, provider switching is disabled.

Request data flow

The request path separates browser or application identity, policy evaluation, credential execution, provider egress, and durable evidence. A component receives only the authority and data needed for its role.

  1. 01 Client and ingress

    OIDC session or scoped service-account key; bounded headers and body.

  2. 02 Policy and route

    Identity, data class, trust zone, capability, health, and budget are evaluated in order.

  3. 03 Credential execution

    The selected credential is resolved for execution and is not returned through the control API.

  4. 04 Approved provider

    Only a policy-approved fixed endpoint receives the minimum request content required.

  5. 05 Decision evidence

    Route, attempt, usage, and audit metadata join on one request ID without content by default.

Default data handling

Default handling for major Tensor Cortex data classes
Data Default Control boundary
Gateway prompt and response Request memory only Absent from route, audit, logs, traces, and metrics by default.
Workspace conversation history Off by default When enabled, content is envelope-encrypted and bound to an organization retention deadline.
Route, attempt, usage, and audit records Durable metadata Role- and application-scoped; joined by a generated request ID.
Provider credentials Encrypted secret or opaque reference Write-only through Control; the active version is resolved only on the execution path.
Browser session Server-side session with opaque cookie Secure, HttpOnly, SameSite cookie; browser identity is never trusted as a tenant selector.

Retention is explicit, not universal

Tensor Cortex does not publish one retention period that silently applies to every deployment. Content history is disabled by default. If encrypted content retention is enabled, its deadline and review permission are organization-scoped. Metadata, backup, and support retention are bound to the approved deployment and agreement. Public-website handling is described separately in the Privacy Policy.

Fail-closed behavior

No valid configuration

The Gateway is not ready and no provider request is made.

Credential resolver unavailable

No provider request is made; the caller receives a safe error and the system attempts to record the outcome.

Required audit unavailable

Restricted or explicitly fail-closed requests stop before provider execution.

Private deployment unavailable

Only another compliant private candidate may be attempted; otherwise the request is denied.

Provider fails after streaming starts

The stream ends with an observable error. Tensor Cortex does not continue the answer from another provider.

Unknown or stale tenant state

Unknown, expired, disabled, revoked, or unsupported authorization state cannot become an allow decision.

Threat boundaries

The repository threat model covers identity and sessions, tenant scope, service accounts, policy evaluation, credential egress, storage, audit, backups, browser content, and shared-cloud edge state. Four controls remain release-blocking:

  • Server-side authority: browser fields, hostnames, slugs, headers, and provider keys never select a tenant by themselves.
  • Private-only routing: cost, latency, retries, and fallback cannot widen the policy-approved trust boundary.
  • Secret and content isolation: credentials and retained content use separate encrypted, organization-bound paths.
  • Content-negative observability: logs, traces, metrics, queues, and ordinary support artifacts exclude prompt and response bodies.

How to read the evidence

Repository verified

Executable tests cover authentication, authorization, tenant scope, SSRF, secret leakage, private-only fallback, audit behavior, and browser security headers.

Deployment verified

Actual ingress TLS, restored backups, environment credentials, provider behavior, load, and rollback must be proven for the release environment.

Independent assurance

No certification, external audit, penetration-test completion, customer validation, or production-scale evidence is claimed today.

Report a security issue

Send a concise description, affected surface, reproduction steps, and potential impact. Do not include live secrets or customer content.

security@tensorcortex.com