SECURITY

Security

ProofTether Control separates hosted metadata from customer-controlled source, secrets, and model runtimes.

Responsible disclosure

Report security concerns through the ProofTether Support Desk form on /contact or the anti-spam security alias in Legal Notice. Do not send secrets, source code, provider keys, or private datasets.

Do not send secrets

Support and public forms must not receive API keys, credentials, raw repositories, local model weights, or customer datasets.

Security headers

Production deployments should run behind HTTPS with strict transport, frame, content-type, referrer, and permission boundaries.

Access boundary

Customer sessions resolve organization and project scope before mutating endpoints are allowed.

Effective date: 2026-07-01. Public contact uses the ProofTether Support Desk form plus anti-spam electronic aliases to reduce mailbox scraping. Paddle live checkout is pending verification; do not submit unavailable checkout routes as active.