Provable, Not Promised

Every interaction generates cryptographic proof. Auditors verify compliance without accessing your data.

Core Innovation

Evidence Packs

An Evidence Pack is a cryptographically signed artifact generated for every interaction with a PRYZM agent. It contains everything an auditor needs to verify compliance—without exposing the underlying data.

session_id

Unique identifier for the interaction, enabling audit trail reconstruction

input_hash / policy_hash

SHA-256 hashes proving what was processed and which policies applied, without revealing content

enclave_measurement

Hardware attestation from AWS Nitro proving where computation occurred

signature

RSA-OAEP cryptographic signature preventing tampering or forgery

evidence_pack_schema.json
{
  "session_id": "uuid-v4",
  "timestamp": "ISO-8601",
  "input_hash": "sha256:...",
  "output_hash": "sha256:...",
  "policy_hash": "sha256:...",
  "policy_version": "v2.1.0",
  "enclave_measurement": {
    "pcr0": "...",
    "pcr1": "...",
    "pcr2": "..."
  },
  "agent": {
    "id": "kyc_compliance_v2",
    "version": "2.1.0",
    "model": "pryzm-regulated-7b"
  },
  "attestation": {
    "provider": "AWS_NITRO",
    "document": "base64...",
    "timestamp": "ISO-8601",
    "verified": true
  },
  "signature": {
    "algorithm": "RSA-OAEP-SHA256",
    "value": "base64..."
  }
}

Hardware Security

AWS Nitro Enclaves

Isolated Execution

Agents run in hardware-isolated enclaves. No network access, no persistent storage, no admin access—even from AWS.

Cryptographic Attestation

Every enclave produces signed attestation documents proving the exact code running. Tamper-evident by design.

Independent Verification

Auditors can verify attestation documents without accessing your data or infrastructure.

17/17 hostile security tests passed • Panic mode data destruction verified • Session key zeroing verified

Cryptographic Layer

Airlock SDK

RSA-OAEP-SHA256

Asymmetric encryption for session establishment. Your public key encrypts, only your private key decrypts.

OAEP padding with SHA-256 hash

Hybrid AES-GCM

For large payloads, RSA encrypts a symmetric key, then AES-GCM encrypts the data. Best of both worlds.

256-bit AES with authenticated encryption

Session Key Management

Ephemeral keys generated per session. Automatic zeroing on completion. No key material persists.

Forward secrecy by default

Policy Enforcement

Cryptographic binding between agent execution and policy version. Policies are immutable once deployed.

Policy hash in every Evidence Pack

Regulatory Architecture

Built for Audit

EU

EU AI Act

  • Article 13: Transparency requirements satisfied via Evidence Packs
  • Article 14: Human oversight logging
  • Article 17: Quality management documentation
NIST

NIST AI RMF

  • GOVERN: Policy versioning and cryptographic binding
  • MAP: Agent-to-use-case documentation
  • MEASURE: Output hash verification
SR

SR 11-7

  • Model validation artifacts
  • Ongoing monitoring documentation
  • Change management audit trail

17/17

Security Tests

0

Data Egress Points

256

Bit Encryption

100%

Audit Coverage

See It In Action

Schedule a technical deep-dive with our architecture team.

Request Technical DemoBack to Overview