GRAYPASSDOC/SEC-01
A spilled database is worth nothing here.
We don't store raw biometrics. We don't let the same secret protect two users. Every accept or deny carries a reason a human can audit. Security is the product, not a checkbox.
I. ATTACK LOG
Pick an attack and watch it run against your own live session: what an attacker sees, step by step, when they try the obvious routes. The sandbox executes it against the live behavioral session this site has been keeping on you, and shows exactly where it dies.
simulation · runs locally · mirrors production reason codes
II. WHAT SURVIVES
The payload shrinks at every stage. Only the last artifact ever reaches disk, and it is worthless without its salt.
- RAW (session only): The full behavioral stream. Lives in the browser, dies with the tab.
- SALT (per-user): Random per-user salt folds in. Same behavior, different print per site.
- PROJECT (44 floats): The stream collapses to a small deterministic vector.
- STORE (hash + helper): Only the salted projection is kept. This row is worthless without its salt.
III. PRINCIPLES
Salted, not stored.
Behavior collapses into a salted print. The print is what we keep. The behavior does not persist.
Encrypted at rest.
Templates and helper data sit behind envelope encryption. A database spill gives an attacker nothing usable.
Cancelable.
If anything ever leaks, we rotate the seed. Identity stays. The template behind it is replaced in minutes.
Replay-hard.
A recording is not a performance. Playback never matches a live read, and tooling cannot fake one.
Auditable.
Every decision carries calibrated confidence and a human-readable reason. Nothing is accepted or denied in silence.
Consent-led.
Raw signals are not collected by default. Opt-in research data is double-encrypted and revocable on request.
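The four-stage pipeline in II and the "salted, not stored" and "cancelable" principles in III, worked through as an added toy illustration; this is not GrayPass's own code. The salt-derived projection, the helper-data quantiser, the hash-plus-helper row and the seed rotation are all assumptions about a plausible design, and the feature vectors and salts are constructed samples.

```python
import hashlib
import random
PROJECTION_DIM = 44  # the "44 floats" stage on the page
QUANT_STEP = 1.0     # assumed bin width of the helper-data quantiser
# Constructed samples (seconds): one user's enrolment read, a jittered re-read, a stranger.
ENROLL_READ = [0.12, 0.31, 0.08, 0.22, 0.19, 0.27, 0.11, 0.15]
LIVE_READ = [f + 0.004 for f in ENROLL_READ]
OTHER_USER = [0.95, 0.40, 0.70, 0.88, 0.65, 0.99, 0.81, 0.77]
SALT = b"site-A/user-42/seed-1"          # constructed per-user salt
ROTATED_SALT = b"site-A/user-42/seed-2"  # same user after a seed rotation

def _projection(salt: bytes, in_dim: int):
    """Matrix derived only from the per-user salt: a different salt gives an
    unrelated matrix, which is what makes a print per-site and cancelable."""
    rng = random.Random(hashlib.sha256(b"proj|" + salt).digest())
    return [[rng.uniform(-1.0, 1.0) for _ in range(in_dim)]
            for _ in range(PROJECTION_DIM)]

def project(features, salt: bytes):
    """Collapse a raw read to PROJECTION_DIM floats (never written to disk)."""
    return [sum(w * x for w, x in zip(row, features))
            for row in _projection(salt, len(features))]

def _digest(bins):
    return hashlib.sha256(",".join(map(str, bins)).encode()).hexdigest()

def enroll(features, salt: bytes):
    """Return the only row that reaches disk: (hash of quantised print, helper).
    Each helper offset moves the enrolled value to the centre of its bin, so a
    re-read within +/- QUANT_STEP/2 lands in the same bin; a helper alone pins no bin."""
    bins, helper = [], []
    for v in project(features, salt):
        b = v // QUANT_STEP
        bins.append(int(b))
        helper.append((b + 0.5) * QUANT_STEP - v)
    return _digest(bins), helper

def verify(features, salt: bytes, stored_hash: str, helper):
    """Re-derive the print from a live read; return (accepted, reason code)."""
    bins = [int((v + h) // QUANT_STEP)
            for v, h in zip(project(features, salt), helper)]
    if _digest(bins) == stored_hash:
        return True, "PRINT_MATCH"
    return False, "PRINT_MISMATCH"

if __name__ == "__main__":
    stored_hash, helper = enroll(ENROLL_READ, SALT)
    print(verify(LIVE_READ, SALT, stored_hash, helper))          # (True, 'PRINT_MATCH')
    print(verify(OTHER_USER, SALT, stored_hash, helper))         # (False, 'PRINT_MISMATCH')
    print(verify(LIVE_READ, ROTATED_SALT, stored_hash, helper))  # (False, 'PRINT_MISMATCH')
```

Rotating the salt makes the old row match nobody, including its owner, which is the cancelable property: the user re-enrols and identity carries over while the template behind it is replaced.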
IV. POSTURE
TRANSPORT
- TLS 1.3
- HSTS
- Per-request nonces
STORAGE
- Encryption at rest
- Salted templates
- Helper data only
OPERATIONS
- Rate limits
- Anomaly alerting
- Reason-coded decisions
DATA RIGHTS
- Erase on request
- Per-user salts
- Consent-led research data
The deep walkthrough is a meeting away.
Compliance status, data handling, and disclosure live in the Trust Center. For the threat model and controls, we make time for security teams.