
Security & Compliance

Trust Center

Security, privacy, and evidence-chain posture for the self-hosted fair-outcomes evidence appliance for regulated credit decisions.

Security Posture

We employ a defense-in-depth strategy, securing the software supply chain from commit to container.

Supply Chain

  • Cosign-signed images (keyless OIDC).
  • SBOM + build provenance attestations.
  • Daily CVE scans (fail on critical) + release-time HIGH/CRITICAL gating.

Runtime Protection

  • Non-root runtime (default).
  • No-new-privileges; evidence artifacts written under OUTPUT_DIR (temporary writes may occur depending on deployment configuration).
  • Customer-managed secrets in your deployment platform (KMS/Vault/Secrets Manager); Equilens does not operate those controls.

Data Sovereignty

  • Runs entirely in your VPC/VM.
  • No data egress by default.
  • Customer-controlled retention.

Regulatory Mapping¹

  • ECOA / Reg B.
  • EU AI Act.
  • FCA Consumer Duty outcome metrics.

1. Mapping only: references indicate internal checkpoints; they do not constitute certification or legal advice.

Data Protection

FL-BSA is customer-hosted by design. Customer borrower datasets and model details remain inside the customer-controlled environment in normal appliance operation.

Customer-hosted appliance

The configured product posture keeps borrower datasets, model parameters, and protected-attribute data inside the customer environment. Equilens does not receive those materials as part of normal appliance operation.

Equilens business data

Equilens still processes business contact, website, procurement, support, and company-communication data. The privacy notice explains those uses and how to contact us.

Privacy contact

Privacy and data-protection matters route through the role inbox listed in the privacy notice. Additional privacy-governance items are tracked internally until approved for publication.

Evidence Chain

Each run is designed around machine-readable evidence: recorded run context, manifests, certificates, reports, and verification files that can be reviewed outside the user interface.

Step 1: Run Context

  • Task ID, timestamps, and RNG seed identify the exact run.
  • dataset_hash binds the run to its input snapshot.
  • Row and feature counts record scale, with protected-attribute summary where available.

Step 2: Manifest Set

  • metrics.json remains the technical source of truth for the run.
  • Synthetic-data manifests and hashes identify generated outputs.
  • Configuration snapshots, log excerpts, and rendered reports are retained with the run.

Step 3: Certificate Chain

  • Lineage, training, tuning, synthetic-quality, and pipeline certificates cover the workflow.
  • previous_certificate_hash links each certificate to the prior artifact.
  • Regulatory-alignment certificate supports traceability without becoming a legal attestation.

Step 4: Offline Verification

  • Evidence bundle and sidecar manifest are retrievable by Task ID.
  • Certificate hashes can be recomputed using the documented hashing spec shipped with the bundle.
  • Vendor trust root: where signatures are enabled, signed release manifests and vendor-authored evidence attestations can be verified against our published keys at /fl-bsa/trust-root.json (ECDSA-P256). Expected SHA-256: 256280436bd13c079fb04327c11137583c6aa4d8fc106d75654052746e65dee4 — verify out of band. Customer-local evidence with vendor_authorship_claimed=false proves bundle consistency, not vendor authorship. Verification is offline; no Equilens service is required.
  • Encryption, signing, and witnessing remain deployment-specific controls.
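
A sketch of the offline checks in Steps 3 and 4, added here as an illustration and not Equilens code: it pins the trust-root digest quoted above and walks the previous_certificate_hash links. The canonical-JSON hashing rule, the null first link, the separately recorded tip hash, and the kind/task_id fields are assumptions; the hashing spec shipped with the bundle is authoritative.

```python
import hashlib
import hmac
import json

# Digest published on this page for /fl-bsa/trust-root.json.
TRUST_ROOT_SHA256 = "256280436bd13c079fb04327c11137583c6aa4d8fc106d75654052746e65dee4"

def trust_root_matches(raw: bytes, expected_hex: str = TRUST_ROOT_SHA256) -> bool:
    """True if the fetched trust-root bytes hash to the pinned digest."""
    actual = hashlib.sha256(raw).hexdigest()
    return hmac.compare_digest(actual, expected_hex.strip().lower())

def cert_hash(cert: dict) -> str:
    # ASSUMPTION: SHA-256 over sorted-key, compact JSON of the whole certificate.
    # Substitute the rule from the hashing spec shipped with the bundle.
    blob = json.dumps(cert, sort_keys=True, separators=(",", ":")).encode("utf-8")
    return hashlib.sha256(blob).hexdigest()

def verify_chain(certs: list, expected_tip: str) -> list:
    """Return a list of problems; an empty list means the chain is consistent."""
    problems, prev = [], None  # ASSUMPTION: the first certificate carries a null link
    for i, cert in enumerate(certs):
        if cert.get("previous_certificate_hash") != prev:
            problems.append(f"certificate {i}: previous_certificate_hash does not match the preceding hash")
        prev = cert_hash(cert)
    # Links alone cannot protect the last certificate, so its hash must be
    # recorded outside the chain (ASSUMPTION: the caller supplies that value).
    if prev != expected_tip:
        problems.append("tip hash does not match the recorded value")
    return problems

def build_sample_chain() -> list:
    """Constructed sample data; 'kind' and 'task_id' are hypothetical field names."""
    chain, prev = [], None
    for kind in ("lineage", "training", "tuning", "synthetic-quality", "pipeline"):
        cert = {"kind": kind, "task_id": "task-0001", "previous_certificate_hash": prev}
        chain.append(cert)
        prev = cert_hash(cert)
    return chain

if __name__ == "__main__":
    chain = build_sample_chain()
    tip = cert_hash(chain[-1])
    print(verify_chain(chain, tip))     # consistent chain
    chain[1]["task_id"] = "task-9999"   # edit one certificate after the fact
    print(verify_chain(chain, tip))     # the break surfaces at the next link
```

An edit to any certificate except the last is caught by the following link; an edit to the last one is caught only by the separately recorded tip hash.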

Public reports & files

  • FL-BSA public technical-proof reference: v5.0.0-rc9-public-fix-2724455 (non-commercial prerelease).
  • Selected public demo downloads are available from FL-BSA documentation.
  • Public demo artifacts are synthetic/demo-only sample materials, not customer output, legal advice, or proof of a public Marketplace launch. Customer evidence bundles are generated by the customer's deployed FL-BSA appliance and are not published in this repository.
  • Integrity verification: see SHA256SUMS.txt and manifest.json on the public release page, plus PROVENANCE.md for provenance notes.
  • Website deployment evidence bundles are available on request (deploy snapshots, checksums, and site-audit outputs).

Signing/witnessing is optional and depends on deployment configuration.

Evidence is retrievable by Task ID, providing a complete audit trail from data ingestion to final report.

Where a component's licence requires reproduction of NOTICE text, the relevant excerpt is provided alongside the SBOM.

Need the security pack?

We can provide vendor-questionnaire support, deployment notes, and the available evidence bundle for qualified procurement reviews.