MARSOVIVS

The trust posture

Security is a posture, not a feature.

A platform that governs decisions inside a ministry, a hospital, or a defense organisation cannot ask its customer to take its word. The trust posture is published, audited, and reviewable in code.

Six commitments. Each one provable by reading the source.

I. Open by inspection

Every algorithm that governs a decision is published. A security team may verify the absence of telemetry. A research office may verify the absence of hidden third-party dependencies. There is no closed binary the house ships to the customer that the customer cannot read.

II. Identity & access

OIDC, SPIFFE, WebAuthn, mTLS: open standards throughout. Capability-scoped credentials. Row-, column-, and action-level policy enforced in the kernel. No platform-wide super-user.

III. Signed actions

Every state transition in a workflow is signed. Every agent action is typed and traced. Every decision rendered by the platform carries a per-row attribution that survives the platform itself.

IV. Supply chain

Reproducible builds. SBOMs published with every release. Dependencies vendored from EU-hosted mirrors where the customer requires it. The release pipeline is itself open source.

V. Cryptography

Customer-managed keys in customer-owned HSMs. The house never holds keys to customer data. Encryption at rest, in transit, and in lineage. Post-quantum suites available for sovereign deployments.

VI. Air-gap capable

Marsovius can run fully disconnected. Releases are delivered as signed bundles. No outbound network is required for operation. Cleared legates may be dispatched on premises for the duration of the engagement.

Coordinated disclosure

Vulnerabilities reported in good faith are acknowledged within seventy-two hours, triaged within seven working days, and patched on a timeline proportional to severity. Embargo periods are honoured. Credit is given by name unless the reporter prefers otherwise.

PGP 7B1E 1E5C 1616 0A0A · MMXXVI
Ack. ≤ 72 hours
Triage ≤ 7 working days
Patch proportional to severity

Standards we hold ourselves to

  • ISO 27001 — security management
  • ISO 27017 — cloud security
  • ISO 27018 — PII in the cloud
  • SOC 2 type II — for hosted clouds
  • NIS2 — European critical infrastructure
  • GDPR — Article 25, by design
  • eIDAS 2 — trust services
  • C5 / BSI — German federal baseline
  • EU Cyber Resilience Act — alignment
  • DORA — for financial institutions

Specific certifications are pursued per customer engagement, on a timeline agreed in the protocol of work.

VII

The keys are yours. The source is yours. The audit is yours. The house is bound, in writing, to keep them so.