Operational Security

Security posture for production policy ops.

This page covers how decide handles transport, runtime controls, logging boundaries, and support incident response so procurement and security reviewers can assess rollout risk.


Current posture snapshot

Transport + edge

All production routes are served over HTTPS with strict response headers from edge config.

Deterministic runtime

Policy decisions are generated from request context + policy pack state, with no hidden model memory.

Evidence by default

request_id, request hash, response hash, and latency fields support replay and dispute review.

Control matrix

Control area | Current implementation | Operator note
Identity and access | Account and ops UI access use Clerk auth with role-gated ops checks. | Ops runtime checks can require token-auth for sensitive metrics views.
Runtime integrity | Decision endpoints return deterministic outputs for identical inputs under fixed policy state. | Use pilot scorecards to validate consistency under live queue traffic.
Audit traceability | request_id linkage with request/response hashes and status metadata. | Designed for QA replay, dispute packs, and incident review.
Rate and abuse control | Baseline public limits and route-level protections configured at edge. | See /docs.json for machine-readable limits where exposed.
Compliance claims | No SOC 2 claim is made on this page today. | Share questionnaire scope during pilot intake for a targeted review packet.

Need a vendor questionnaire response? Include framework (for example SIG Lite or CAIQ) and required turnaround in your request.

Data handling boundaries

What is logged

Timestamp, route, latency, response status, and request-linked hashes for uptime and audit workflows.

What is not claimed

No claim of full enterprise certification is made here unless explicitly published in contract artifacts.

Customer responsibility

Avoid placing unnecessary personal data in policy prompts; keep context scoped to support decision needs.

Incident and support response

Pilot and production paths include defined owner channels for delivery failures, readiness blockers, and escalation follow-ups. For immediate security issues, contact support@decide.fyi with the subject "security incident".