Security

Kevros Security Architecture

Post-Quantum Signatures

NIST-standardized post-quantum cryptographic signatures are designed to provide resistance against quantum computing attacks. Kevros uses ML-DSA-87 (FIPS 204) and SLH-DSA-256f (FIPS 205) for critical signature paths where dual-family posture is required.

Isolated Enforcement

Core enforcement logic runs in isolated containers with strict network policies. Process-level isolation with deterministic execution.

Hash-Chained Evidence

Tamper-evident evidence chains link every decision and enforcement action. Immutable, append-only, and cryptographically verifiable.

Fail-Closed Enforcement

By design, the system denies all access on validation failure. No permissive fallbacks. AI decisions only proceed with full cryptographic evidence.

Tenant Isolation

Cryptographic isolation between tenants. Control planes are separated at the infrastructure level.

Network Isolation

Virtual private networks, private endpoints, and network security controls enforce strict traffic policies. No implicit trust relationships.

Security Pillars

Kevros Security Architecture

• Post-quantum signatures (ML-DSA-87, FIPS 204; SLH-DSA-256f, FIPS 205) for cryptographic enforcement primitives
• Isolated enforcement containers for deterministic, auditable execution
• Hash-chained evidence for tamper-evident decision records
• Fail-closed enforcement gates: no permissive fallbacks on validation failure
• Cryptographic attestation of every state transition and enforcement decision

Infrastructure Security

• Cloud deployment with redundancy and failover capabilities
• AES-256 encryption at rest across all data stores and backups
• TLS 1.3 encryption in transit for all network communication
• Complete tenant isolation with dedicated cryptographic contexts
• Network isolation via Virtual Networks, private endpoints, and NSGs

Evidence Chain Integrity

• Append-only, immutable evidence chains for all enforcement decisions
• Tamper-evident design with cryptographic verification of chain continuity
• Verifiable without source code access: transparency built into cryptographic evidence
• Hash-linked evidence creating a tamper-evident chain of custody
• Compliance-ready audit trails with cryptographic integrity verification

Identity & Access Management

• API key authentication (X-API-Key header) for enforcement API operations
• HMAC-based cryptographic authentication for all enforcement operations
• Operator-scoped API keys with per-key rate limiting and usage tracking
• Admin key separation for configuration operations vs enforcement operations

Engineering Rigor

Formal Verification

Core cryptographic and enforcement logic undergoes rigorous formal verification using TLA+. State space exploration ensures correctness across all possible execution paths. Critical enforcement paths verified.

Third-Party Security Audits

Infrastructure, cryptography, and control plane design are architected to support independent security review. Contact us to discuss security assessment requirements.

Security Vulnerability Reporting

We welcome responsible security disclosures from the security research community. If you discover a potential vulnerability in Kevros or our infrastructure, please report it directly rather than through public channels.

Email: security@taskhawktech.com

Please provide a detailed description of the vulnerability, affected systems, timeline, and proposed remediation. We will acknowledge receipt within 48 hours and work with you on a coordinated disclosure timeline.

Our Commitment

• Acknowledge all reports within 48 hours
• Coordinated disclosure with reasonable timeline for remediation
• No legal action against good-faith security researchers
• Recognition program for responsible disclosures

Security Inquiries

For security-related questions, compliance information, or to discuss our security practices:
TaskHawk Systems, LLC
Security Team, United States
security@taskhawktech.com