§ Security & Trust
Verify us. Don't trust us.
A company whose product is proof should not ask for faith. Our receipts are independently verifiable, our policy engines deny by default, and our security posture is stated plainly — including what we have not yet certified.
§ 01
Proof you can check without us
The core security property of the platform is that you do not have to take our word for anything a receipt asserts: anyone holding our public key can check that the receipt is authentic and has not been altered since we signed it.
Cryptography
Ed25519-signed receipts
Every decision receipt is signed with Ed25519 over its full contents: the evidence, the policy results, and the verdict. Changing any of them after signing invalidates the signature.
No trust required
Independent verification
Anyone can verify a receipt against our published keys — no account, no API key, no dependence on Summit being honest or even online. What verification proves is that the receipt has not changed since it was signed by a holder of that key, so the published key is the trust anchor: obtain it from a channel you trust and pin it, rather than accepting a key delivered alongside the receipt.
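What independent verification looks like in practice, as an added example rather than Summit's own code or receipt schema: a Go program using only the standard library's crypto/ed25519 that signs a constructed receipt, verifies it with nothing but the public key, and shows that a receipt whose verdict is rewritten after signing fails verification. The Receipt layout, its field names, the sample values, and the freshly generated keypair standing in for the published key are all assumptions made for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"encoding/json"
	"fmt"
)

// Receipt is an assumed decision-receipt layout for this example. The page
// names the evidence, policy results and verdict but not the real schema.
type Receipt struct {
	ReceiptID     string            `json:"receipt_id"`
	Evidence      []string          `json:"evidence"`
	PolicyResults map[string]string `json:"policy_results"`
	Verdict       string            `json:"verdict"`
}

// SignedReceipt is what a verifier receives: the receipt plus a hex signature.
type SignedReceipt struct {
	Receipt   Receipt `json:"receipt"`
	Signature string  `json:"signature"`
}

// canonicalBytes yields the exact bytes that are signed and later verified.
// encoding/json writes struct fields in declaration order and sorts map keys,
// so equal receipts always serialise to identical bytes.
func canonicalBytes(r Receipt) ([]byte, error) {
	return json.Marshal(r)
}

// Sign is the issuer side: only the holder of the private key can do this.
func Sign(priv ed25519.PrivateKey, r Receipt) (SignedReceipt, error) {
	msg, err := canonicalBytes(r)
	if err != nil {
		return SignedReceipt{}, err
	}
	return SignedReceipt{Receipt: r, Signature: hex.EncodeToString(ed25519.Sign(priv, msg))}, nil
}

// Verify is the relying-party side: it needs only the published public key
// (hex) and the signed receipt, with no account, API key or network call.
// Malformed keys or signatures fail closed.
func Verify(pubHex string, sr SignedReceipt) bool {
	pub, err := hex.DecodeString(pubHex)
	if err != nil || len(pub) != ed25519.PublicKeySize {
		return false
	}
	sig, err := hex.DecodeString(sr.Signature)
	if err != nil || len(sig) != ed25519.SignatureSize {
		return false
	}
	msg, err := canonicalBytes(sr.Receipt)
	if err != nil {
		return false
	}
	return ed25519.Verify(ed25519.PublicKey(pub), msg, sig)
}

// Demo issues one receipt, then flips its verdict after signing. It returns
// whether the genuine and the tampered receipts verify.
func Demo() (genuineOK, tamperedOK bool, err error) {
	// A fresh keypair stands in for Summit's published key; the public half is
	// what a real verifier would fetch out of band and pin.
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return false, false, err
	}
	pubHex := hex.EncodeToString(pub)

	// Constructed sample receipt; none of these values are real.
	r := Receipt{
		ReceiptID:     "rcpt-0001",
		Evidence:      []string{"artifact-digest", "change-ticket CHG-42"},
		PolicyResults: map[string]string{"change-window": "pass", "approver-present": "fail"},
		Verdict:       "DENY",
	}
	sr, err := Sign(priv, r)
	if err != nil {
		return false, false, err
	}
	genuineOK = Verify(pubHex, sr)

	// Someone holding the signed receipt but not the private key rewrites the verdict.
	tampered := sr
	tampered.Receipt.Verdict = "ALLOW"
	tamperedOK = Verify(pubHex, tampered)
	return genuineOK, tamperedOK, nil
}

func main() {
	ok, bad, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("genuine verifies: %v, tampered verifies: %v\n", ok, bad)
}
```

Note that Verify never touches the private key and makes no network call: given a pinned public key, it is a pure function of the bytes in hand, which is the property the page is claiming.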
Enforcement
Deny-by-default policy engines
Policy evaluation starts at DENY. An action receives authority only when every applicable rule affirmatively admits it — silence is refusal, not consent.
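The rule above in executable form, as an added example and not Summit's policy engine: a Go evaluator whose decision variable is initialised to DENY and only becomes ALLOW when at least one rule applies and every applicable rule affirmatively returns Allow. A rule that matches but abstains counts as refusal, an action no rule covers stays denied, and an empty policy set denies everything. The Action fields, the Result type and the three sample rules are assumptions constructed for the demo.

```go
package main

import (
	"fmt"
	"strings"
)

// Action is the request under evaluation. Its fields are assumptions made for
// this example; the page does not show Summit's action model.
type Action struct {
	Principal string
	Verb      string
	Resource  string
	MFA       bool
}

// Result is one rule's opinion. Abstain is the zero value on purpose: a rule
// that never decides says nothing, and silence is refusal.
type Result int

const (
	Abstain Result = iota
	Allow
	Deny
)

// Rule pairs a scope (Match) with a judgement (Judge) over matching actions.
type Rule struct {
	Name  string
	Match func(Action) bool
	Judge func(Action) Result
}

// Decision is the outcome plus the trail of applicable-rule verdicts.
type Decision struct {
	Allowed bool
	Reasons []string
}

// Evaluate starts at DENY. The action is allowed only when at least one rule
// applies and every applicable rule returns Allow. No applicable rule, or any
// Deny or Abstain among them, leaves the default in place.
func Evaluate(rules []Rule, a Action) Decision {
	d := Decision{Allowed: false}
	applicable, allAllow := 0, true
	for _, r := range rules {
		if !r.Match(a) {
			continue
		}
		applicable++
		switch r.Judge(a) {
		case Allow:
			d.Reasons = append(d.Reasons, r.Name+": allow")
		case Deny:
			allAllow = false
			d.Reasons = append(d.Reasons, r.Name+": deny")
		default:
			allAllow = false
			d.Reasons = append(d.Reasons, r.Name+": abstain (treated as deny)")
		}
	}
	if applicable == 0 {
		d.Reasons = append(d.Reasons, "no applicable rule: default deny")
		return d
	}
	d.Allowed = allAllow
	return d
}

// allowIf turns a boolean check into an affirmative Allow or an explicit Deny.
func allowIf(ok bool) Result {
	if ok {
		return Allow
	}
	return Deny
}

// SampleRules is a constructed policy set for the demo, not Summit's policy.
var SampleRules = []Rule{
	{
		Name:  "read-own-resources",
		Match: func(a Action) bool { return a.Verb == "read" },
		Judge: func(a Action) Result { return allowIf(strings.HasPrefix(a.Resource, a.Principal+"/")) },
	},
	{
		Name:  "mfa-for-mutations",
		Match: func(a Action) bool { return a.Verb == "write" || a.Verb == "delete" },
		Judge: func(a Action) Result { return allowIf(a.MFA) },
	},
	{
		Name:  "prod-delete-freeze",
		Match: func(a Action) bool { return a.Verb == "delete" && strings.HasPrefix(a.Resource, "prod/") },
		Judge: func(Action) Result { return Deny },
	},
}

func main() {
	for _, a := range []Action{
		{"alice", "read", "alice/notes", false},
		{"alice", "delete", "prod/db", true},     // one allow, one deny: denied
		{"alice", "export", "alice/notes", true}, // no rule covers export: denied
	} {
		d := Evaluate(SampleRules, a)
		fmt.Printf("%-6s %-12s allowed=%-5v %s\n", a.Verb, a.Resource, d.Allowed, strings.Join(d.Reasons, "; "))
	}
}
```

The Reasons trail is what makes a deny explainable: a refused action shows either the rule that refused it or the absence of any rule that covered it, which is the information a reviewer needs to add a rule deliberately rather than loosen the default.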
§ 02
Infrastructure hygiene
Unglamorous, continuous, and non-negotiable.
- Databases bound to localhost: Data stores listen only on the loopback interface and are not exposed to the network. Access is mediated by the application layer, so there is no network-reachable database port to attack.
- Vulnerabilities triaged to zero: Dependency vulnerabilities are triaged continuously and driven to zero rather than left to accumulate in a backlog.
- Secret scanning: Automated secret scanning runs across our repositories to stop credentials from reaching the codebase.
- Signed artifacts: Build artifacts are cryptographically signed, so what runs in production can be checked against what the build produced.
§ 03
Where we stand, stated plainly
Early-stage honesty is part of the security posture.
Status
Certifications
We do not currently claim SOC 2 or similar third-party attestations. Security review materials — architecture, controls, and practices — are available to prospective customers under NDA. Ask, and we will show you the real state of things.
Report a vulnerability
Responsible disclosure
Found something? Email brian@summitcognitive.ai with the subject line SECURITY. We acknowledge reports within two business days, and we do not pursue legal action against good-faith researchers.