Security

Security at DarkMatter

DarkMatter is infrastructure for AI audit trails. Security is not a feature — it is the foundation. This page describes our controls, shared responsibilities, and the documents available for your security review team.

Documents for your team

Legal and Compliance Overview
For Legal, Compliance, and DPO teams. Covers regulatory alignment (EU AI Act, US state laws, financial sector), data handling, retention policies, and the independence guarantee.
Information Security Overview
For InfoSec and CISO teams. Covers encryption controls, authentication model, rate limiting, SSRF protection, shared responsibility model, and incident response.

Security controls

Encryption in transit
TLS 1.3 enforced on all API endpoints and dashboard traffic. No unencrypted connections accepted.
Encryption at rest
All data encrypted at rest via Supabase managed AES-256 encryption.
BYOK encryption
Client-provided AES-256-GCM key, available on all plans. DarkMatter stores only ciphertext. Your key is never stored on our systems.
Tamper-evident chain
SHA-256 parent hash chaining. Modifying any commit breaks every downstream hash — detectable without trusting DarkMatter.
Authentication
Supabase JWT for dashboard. Bearer token API keys for agents. Keys hashed at rest, never stored in plaintext.
Rate limiting
Per-endpoint limits: auth 20 req/15min, API 120 req/min, feedback 5 req/hr.
SSRF protection
Webhook URLs validated against blocklist of private IP ranges, loopback, and cloud metadata endpoints.
Security headers
helmet.js: HSTS, X-Frame-Options, X-Content-Type-Options, referrer policy.
Row-level security
Supabase RLS policies enforce tenant isolation at the database layer. Users can only access their own agents and commits.
Input sanitization
All user input sanitized and length-limited before processing or storage. HTML injection prevented.
W3C DID identity
Cryptographically verifiable agent identities. Audit trails independently verifiable without trusting DarkMatter.
SOC 2 Type 2 In progress
Working toward SOC 2 Type 2 certification. Expected completion 2027. Contact us for current security posture documentation.
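
An added example, not DarkMatter's code: a small Python verifier for a SHA-256 parent-hash chain like the one described under "Tamper-evident chain". The record layout, field names, canonical JSON encoding and all-zero genesis parent are assumptions, since this page does not give the commit format. It also shows that a fully recomputed chain is only caught when the verifier compares against a head hash it recorded independently.

```python
import hashlib
import json

GENESIS = "0" * 64  # assumed parent value for the first record


def sample_payloads():
    """Constructed sample data, not real DarkMatter commits."""
    return [{"agent": "agent-a", "action": f"step-{n}"} for n in range(4)]


def commit_hash(parent_hash, payload):
    """SHA-256 over the parent hash and a canonical JSON payload (assumed layout)."""
    body = json.dumps(payload, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(f"{parent_hash}\n{body}".encode("utf-8")).hexdigest()


def build_chain(payloads):
    """Link each record to its predecessor through parent_hash."""
    chain, parent = [], GENESIS
    for payload in payloads:
        digest = commit_hash(parent, payload)
        chain.append({"parent_hash": parent, "payload": payload, "hash": digest})
        parent = digest
    return chain


def verify_chain(chain, trusted_head=None):
    """Return (index, reason) for the first failure, or (None, "ok")."""
    expected_parent = GENESIS
    for i, rec in enumerate(chain):
        if rec["parent_hash"] != expected_parent:
            return i, "parent link mismatch"
        if commit_hash(rec["parent_hash"], rec["payload"]) != rec["hash"]:
            return i, "hash mismatch"
        expected_parent = rec["hash"]
    # A fully recomputed chain is internally consistent; only a head hash the
    # verifier recorded out of band exposes that kind of rewrite.
    if trusted_head is not None and expected_parent != trusted_head:
        return len(chain), "head differs from trusted value"
    return None, "ok"


if __name__ == "__main__":
    chain = build_chain(sample_payloads())
    head = chain[-1]["hash"]
    chain[1]["payload"]["action"] = "edited"  # in-place edit of one record
    print(verify_chain(chain, head))  # (1, 'hash mismatch')
```
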

Shared responsibility model

Security is a shared responsibility between DarkMatter and our customers.

Responsibility | DarkMatter | Customer
Platform infrastructure and hosting security | Yes |
Encryption in transit and at rest | Yes |
Database security and backups | Yes |
Rate limiting and DDoS mitigation | Yes |
API key hashing and secure storage | Yes |
Tamper-evident hash chain integrity | Yes |
BYOK key custody, storage, and rotation | | Customer
Agent API key rotation and revocation | | Customer
Secure storage of API keys in customer systems | | Customer
Content and classification of committed payloads | | Customer
Agent authorization and access control logic | | Customer
Network security for self-hosted deployments | | Customer

Sub-processors

DarkMatter uses the following third-party sub-processors. Enterprise customers with specific data residency requirements should consider the self-hosted deployment option.

Provider | Purpose | Region
Supabase | PostgreSQL database and authentication | US (AWS us-east-1)
Railway | Application hosting and deployment | US
Resend | Transactional email (confirmation, notifications) | US
Cloudflare | DNS, CDN, and DDoS mitigation | Global edge

Certifications and compliance

SOC 2 Type 2
In progress
Audit period expected to begin Q1 2027. Contact us for current security documentation.
EU AI Act alignment
Supported
DarkMatter's audit trail architecture is designed to support Art. 12 and 19 logging requirements.
GDPR
Supported
Data export and deletion available at any time.

Vulnerability disclosure and contact

To report a security vulnerability, email [email protected] with a description and reproduction steps.

For security review requests, vendor questionnaires, contact