Your evidence. Your keys. Your call.

Chronicle is designed so that trust doesn't depend on trusting us. Encryption is client-side, enforcement is on-prem, and every record is independently verifiable.

[Diagram: CUSTOMER ENVIRONMENT running the Chronicle Runtime (decisions: ALLOW · 4ms, BLOCK · 2ms, ALLOW · 6ms) → STOE CLOUD (structured · encrypted)]

Raw signals stay inside your boundary. Only sealed decisions cross outward.

Evidence sovereignty

Evidence is encrypted client-side, on your infrastructure, before it reaches our platform. You hold the keys. We can audit structure and integrity — not content.

Zero trust by design

Chronicle authenticates every component via Vault AppRole, validates JWTs on every inbound request, and enforces tenant isolation at the database level via row-level security.

On-premise enforcement

The enforcement runtime is deployed on your infrastructure. Policy decisions never leave your network. The cloud plane handles intelligence, not enforcement.

Tamper-evident records

Every decision record is sealed with a cryptographic chain. Any modification — accidental or intentional — is detectable. Evidence is evidence.
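One way to make a run of decision records tamper-evident in the sense described above, as an added illustration and not Chronicle's own code: each record is sealed with a keyed hash that also covers the previous record's seal, so any edit, deletion or reordering breaks every seal after it. The record fields, the HMAC-SHA256 construction and the key handling are assumptions for the example; the verifier reports the first record whose seal no longer matches.

```python
import hashlib
import hmac
import json

# Constructed sample decision records, modelled on the ALLOW/BLOCK outcomes on this
# page. Field names are assumptions, not Chronicle's actual schema.
DECISIONS = [
    {"seq": 1, "decision": "ALLOW", "latency_ms": 4, "subject": "svc-a"},
    {"seq": 2, "decision": "BLOCK", "latency_ms": 2, "subject": "svc-b"},
    {"seq": 3, "decision": "ALLOW", "latency_ms": 6, "subject": "svc-a"},
]
GENESIS = "0" * 64  # fixed anchor for the first link in the chain

def seal_record(key: bytes, record: dict, prev_seal: str) -> str:
    """HMAC over the previous seal plus the canonical JSON of this record.

    Folding prev_seal in makes every later seal depend on this one, so editing,
    deleting or reordering any record breaks every seal after it. The key stays
    with the customer: with it you can verify, without it nobody can re-seal.
    """
    canonical = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, prev_seal.encode() + b"\n" + canonical, hashlib.sha256).hexdigest()

def seal_chain(key: bytes, records: list) -> list:
    """Return copies of the records with 'prev' and 'seal' fields attached."""
    sealed, prev = [], GENESIS
    for rec in records:
        entry = dict(rec, prev=prev, seal=seal_record(key, rec, prev))
        sealed.append(entry)
        prev = entry["seal"]
    return sealed

def verify_chain(key: bytes, sealed: list):
    """Return None if the chain is intact, else the seq of the first bad record."""
    prev = GENESIS
    for entry in sealed:
        body = {k: v for k, v in entry.items() if k not in ("prev", "seal")}
        expected = seal_record(key, body, prev)
        if entry["prev"] != prev or not hmac.compare_digest(expected, entry["seal"]):
            return entry["seq"]
        prev = entry["seal"]
    return None

if __name__ == "__main__":
    key = b"customer-held-seal-key"  # constructed; in practice sourced from the customer's Vault
    chain = seal_chain(key, DECISIONS)
    print("intact, first bad seq:", verify_chain(key, chain))   # None
    chain[1]["decision"] = "ALLOW"                               # flip a BLOCK to ALLOW
    print("tampered, first bad seq:", verify_chain(key, chain))  # 2
```

Silently dropping records from the tail is the one change this check alone cannot see, so the latest seal also has to be retained somewhere the writer cannot rewrite (a counter-signed checkpoint or an out-of-band copy).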

Technical specifications

Evidence encryption: AES-256-GCM, per-call key
Key management: HashiCorp Vault Transit API
Auth: JWT + JWKS, multi-tenant AppRole
Tenant isolation: Postgres row-level security
Transport: TLS 1.3 only
Deployment model: Split-plane (on-prem + cloud)

Architecture note

Chronicle uses a split-plane architecture. The enforcement runtime is deployed within your infrastructure and makes no external calls during the critical enforcement path. Evidence is encrypted locally before being forwarded to our ingest plane.

The cloud platform handles intelligence aggregation, drift detection, and query — working only with encrypted blobs and metadata it cannot decode without your keys.