Security

Security posture, consolidated.

This page consolidates the platform's security commitments into a single procurement-discoverable surface. Each commitment is either landed in code or specified as a binding architectural shape. Detailed evidence mapping is available under NDA via the contact form.

Audit Chain Integrity

Append-only, hash-chained, daily-root signed.

  • Per-tenant regulatory chain; cross-tenant queries forbidden at the database boundary.
  • SHA-256 row-hash chain enforced at insert time.
  • Daily-root ECDSA-P256 signing with RFC 6979 deterministic-k in a hardware security module.
  • Immutable WORM blob archive with a seven-year retention window.
  • Byte-identical Replay API from cold storage.
  • Chain-integrity verifier on a scheduled cadence; quarantined events dual-anchored for forensic reconstruction.
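
An added sketch of the row-hash chain and the scheduled verifier listed above; it is not the platform's code, and the row layout, the genesis value, and "daily root = hash of the day's last row" are assumptions (HSM signing of the roots is left out). It shows why the recorded daily root matters: an edit followed by recomputed hashes passes the link check and is caught only against the root.

```python
import copy
import hashlib
import json

GENESIS = b"\x00" * 32  # assumption: fixed value preceding a tenant's first row

def row_hash(prev: bytes, seq: int, day: str, payload: dict) -> bytes:
    # SHA-256 over the previous row hash plus a canonical encoding of this row.
    body = json.dumps({"seq": seq, "day": day, "payload": payload},
                      sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(prev + body).digest()

def append(chain: list, day: str, payload: dict) -> None:
    # Insert-time enforcement: each new row commits to the current chain head.
    prev = chain[-1]["hash"] if chain else GENESIS
    chain.append({"seq": len(chain), "day": day, "payload": payload,
                  "hash": row_hash(prev, len(chain), day, payload)})

def daily_roots(chain: list) -> dict:
    # Assumption: a day's root is the hash of that day's last row (signing omitted).
    return {row["day"]: row["hash"] for row in chain}

def verify(chain: list, roots: dict):
    # Returns (seq of first broken link or None, days whose recomputed root differs).
    prev, first_bad, heads = GENESIS, None, {}
    for i, row in enumerate(chain):
        prev = row_hash(prev, i, row["day"], row["payload"])
        if first_bad is None and (row["seq"] != i or row["hash"] != prev):
            first_bad = i
        heads[row["day"]] = prev
    return first_bad, sorted(d for d, r in roots.items() if heads.get(d) != r)

def demo():
    chain = []  # constructed sample events, not real platform data
    for day, event in [("2024-01-01", "login"), ("2024-01-01", "order"),
                       ("2024-01-02", "halt"), ("2024-01-02", "resume")]:
        append(chain, day, {"event": event})
    roots = daily_roots(chain)  # stand-in for the signed daily roots
    edited = copy.deepcopy(chain)
    edited[1]["payload"]["event"] = "noop"   # row changed, stored hashes left alone
    rechained = []
    for row in chain:                        # row 2 changed, later hashes rebuilt
        payload = {"event": "noop"} if row["seq"] == 2 else row["payload"]
        append(rechained, row["day"], payload)
    return verify(chain, roots), verify(edited, roots), verify(rechained, roots)
```

`demo()` returns the verifier result for the intact chain, for an in-place edit, and for an edit with the later hashes rebuilt.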

Encryption + Key Custody

Azure Key Vault Premium SKU. RBAC-only. HSM-backed keys.

  • Encryption-at-rest for every operational data store; encryption-in-transit via TLS for every wire path.
  • Per-tenant encryption-key namespace.
  • EC-HSM P-256 keys (daily-root signer + forensic signer) with HSM-side key custody — no exportable key material.
  • FIPS 140-2 Level 2 on the Premium SKU.
  • Soft-delete + purge-protection on the vault. Private-endpoint-only access.

Multi-Tenant Isolation

Database-per-tenant. Not shared-schema-with-tenant-id.

  • Each tenant gets a dedicated PostgreSQL database — not a row predicate on a shared table.
  • Per-tenant audit chain; per-tenant encryption-key namespace; per-tenant backup posture.
  • Tiered model in design: dedicated tier (one database per tenant; reserved compute) and pooled tier (one database per N tenants; shared cluster, shared backup window — but database isolation preserved).
  • Cross-tenant data flow is forbidden at the application layer and at the database layer.

Identity + Access

OAuth identity providers. RBAC on every privileged surface.

  • User identity via Azure AD or Google OAuth with PKCE.
  • HttpOnly session cookies; no auth tokens in JavaScript-accessible storage.
  • CSRF synchronizer tokens on every state-changing operator endpoint, with an Origin/Referer backstop.
  • Role-based access control on every privileged operation, re-checked server-side regardless of client claims.
  • Audit-chain emission on every authentication, RBAC privilege check, and operator action.

IP and Geolocation Logging

Every privileged action, geo-attributable.

  • Originating IP and derived geolocation captured on every authentication, trade execution, administrative action, tax-lot disposition, and funds-movement event.
  • Anomaly flags at capture time: VPN detection, Tor exit node, datacenter IP, impossible travel, country change since last session.
  • Capture is non-optional; events that fail to attach the IP and geo are quarantined, not dropped.

Kill Switch

Global halt in under 100ms. Signed. Audit-trailed.

  • Operator-issued global halt reaches every fast-loop component in under 100 milliseconds.
  • ECDSA-P256-signed control channel with epoch + scope + heartbeat — spoofed engagement attempts are rejected at the subscriber.
  • Staleness watchdog + state-file fallback so a kill-switch engagement survives a process restart.
  • Every engagement, disengagement, dropped control message, and stale-control-message detection emits an audit event.

Hot-Path Safety

Risk gateway is the sole order path.

  • Every order passes through the per-tenant risk gateway; bypassing it is architecturally impossible.
  • No language-model call on the order path.
  • No heap allocation in the hot-path inner loop; pre-allocated object pools.
  • No exceptions in the hot path; error codes only.
  • Chain-of-custody token stamped on every order at intake and verified at every state transition.

Supply Chain

Cosign keyless OIDC. CycloneDX SBOM. Gitleaks gate.

  • Container images signed with Cosign keyless OIDC via GitHub Actions federated identity.
  • CycloneDX software-bill-of-materials attested on every build; verified pre-deploy.
  • Gitleaks full-history scan on every push and pull request, paired with a pre-commit hook.
  • No long-lived secrets in CI; OIDC-federated identities per environment.

Assurance + Procurement

Evidence mapped now. Third-party attestation on the deploy timeline.

SOC 2 Trust Services Criteria are mapped to the platform's architectural commitments at the operator-runbook level. The third-party attestation window opens with the production deploy; the architectural evidence is in place today.

The procurement conversation is the right surface for detailed evidence walk-through, the responsible-disclosure path, and the under-NDA architecture deep-dive. The contact form is the entry point.

Audit the architecture. Then audit ours.
