Controls, boundaries, and responsible disclosure
Security and trust
CompanyOS security posture, current trust boundaries, human approval model, and responsible disclosure channel.
Last updated: 5 June 2026
Security model
CompanyOS is designed around authenticated access, tenant isolation, role-aware authorization, human approval for reserved actions, audit evidence, and fail-closed behavior for missing identity.
The web monolith is a reference application shell. Production identity, persistence, provider credentials, and mutation authority belong to configured backend services rather than browser-visible code.
What we do not claim
This page is not a third-party attestation, SOC 2 report, ISO statement, penetration-test report, uptime SLA, or statement that every deployment has the same controls.
Customer-specific guarantees must be documented in the relevant contract, data processing agreement, security addendum, or deployment runbook.
Responsible disclosure
If you believe you found a vulnerability, please report the affected URL, reproduction steps, impact, and any safe proof-of-concept through the website contact channel or by writing to the registered office.
Do not access, modify, delete, or exfiltrate data that is not yours. We will review good-faith reports and coordinate remediation where applicable.