
Your keys remain yours.

CEYO is designed as a non-custodial evidentiary layer: artifacts are sealed under operator-controlled keys and can be verified independently, within the scope of the policy that governed sealing. CEYO produces records; institutions and operators retain decision authority and compliance determinations.

Security summary
  • Private signing keys remain within operator HSM/KMS/TEE environments (non-custodial model).
  • Artifacts are sealed with hash + signature to support tamper detection and provenance checks.
  • Disclosure tiers enable verification without default exposure of proprietary internals.

Key custody model

CEYO does not require possession, transmission, or storage of operator private keys.

Non-custodial posture
  • Signing keys are generated and stored in operator infrastructure.
  • Signing operations occur in HSM/KMS/TEE environments, per deployment choice.
  • Artifacts embed a public key reference / key ID for later verification; the verifier resolves that ID against operator-published keys, so the reference itself carries no key material and conveys no trust on its own.
Compatible environments
  • Cloud KMS (provider-managed or customer-managed keys).
  • Dedicated HSM (on-prem or cloud HSM appliances).
  • TEE-backed signing (where supported) for attested environments.

Disclosure tiers

Artifacts can be disclosed under explicit tiers so reviewers can verify integrity without default exposure of model IP.

Public / redacted
  • High-level metadata + integrity fields.
  • Redacted or masked sensitive fields.
  • Suitable for showing “a sealed record exists” without exposing internals.
Controlled review
  • Expanded fields for authorized verification.
  • Bounded by agreement and institutional authorization.
  • Designed for audits, oversight boards, and formal review workflows.

Failure modes

CEYO is designed to avoid becoming a default operational dependency. Failures are reportable and reviewable.

Failure mode           Description                                                                                Handling
Sealing failure        Artifact sealing does not complete (e.g., KMS unavailable).                                Fail-open
Policy mismatch        Verification indicates the artifact references a different policy version than expected.   Reportable
Verification failure   Hash/signature checks fail; integrity posture is compromised.                              FAIL
Key compromise         Key custody incident in operator environment (rotation/revocation required).               Operator

Fail-open means the operator's workflow continues without a sealed artifact; the missed seal should itself be reported so the gap in the record is visible at review time rather than silent.
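The sealing, tiered disclosure and verification outcomes described on this page, as an added Go example that is not CEYO's code and assumes nothing about its actual artifact format. It assumes a hypothetical record layout: each field is committed as a salted SHA-256 hash, the Ed25519 signature covers only the key ID, policy version and the sorted commitments, and a redacted copy drops the values and salts of hidden fields while keeping their commitments, so a reviewer can confirm integrity of the public/redacted tier and the same signature still holds when more fields are revealed under controlled review. The key ID is resolved against a trust store of operator-published public keys (a constructed map here); Seal stands in for the operator's HSM/KMS/TEE signing call. The Status names, the record layout and the sample record are constructed for this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"sort"
)

const StatusOK, StatusPolicyMismatch, StatusFail = "OK", "POLICY_MISMATCH", "FAIL" // outcomes from the failure-modes table

// Sealed is a hypothetical artifact layout assumed for this example; KeyID references a key, it is not key material.
type Sealed struct {
	KeyID, PolicyVersion string
	Commitments          map[string]string // field -> hex(SHA-256(salt || field || 0x00 || value))
	Fields               map[string]string // disclosed values; absent when redacted
	Salts                map[string][]byte // salts for disclosed fields only
	Signature            []byte
}

func commit(salt []byte, name, value string) string {
	h := sha256.New()
	h.Write(salt)
	fmt.Fprintf(h, "%s\x00%s", name, value) // NUL separator keeps ("ab","c") != ("a","bc")
	return hex.EncodeToString(h.Sum(nil))
}

// signingInput is the canonical string the signature covers: key ID, policy version and sorted
// commitments. Field values are excluded on purpose, so a redacted copy verifies against the same signature.
func signingInput(s *Sealed) []byte {
	names := make([]string, 0, len(s.Commitments))
	for n := range s.Commitments {
		names = append(names, n)
	}
	sort.Strings(names)
	out := fmt.Sprintf("key=%s\npolicy=%s\n", s.KeyID, s.PolicyVersion)
	for _, n := range names {
		out += fmt.Sprintf("%s=%s\n", n, s.Commitments[n])
	}
	return []byte(out)
}

// Seal stands in for the signing call inside the operator's HSM/KMS/TEE; the private key is used nowhere else.
func Seal(priv ed25519.PrivateKey, keyID, policy string, fields map[string]string) (*Sealed, error) {
	s := &Sealed{KeyID: keyID, PolicyVersion: policy, Commitments: map[string]string{},
		Fields: map[string]string{}, Salts: map[string][]byte{}}
	for name, value := range fields {
		salt := make([]byte, 16)
		if _, err := rand.Read(salt); err != nil {
			return nil, err // sealing failure: surface it rather than emit an unsigned record
		}
		s.Commitments[name], s.Fields[name], s.Salts[name] = commit(salt, name, value), value, salt
	}
	s.Signature = ed25519.Sign(priv, signingInput(s))
	return s, nil
}

// Redact builds the public/redacted tier: commitments and signature stay, hidden fields lose value and
// salt (without the salt a low-entropy value cannot be brute-forced from its commitment).
func Redact(s *Sealed, hidden map[string]bool) *Sealed {
	r := &Sealed{KeyID: s.KeyID, PolicyVersion: s.PolicyVersion, Commitments: s.Commitments,
		Fields: map[string]string{}, Salts: map[string][]byte{}, Signature: s.Signature}
	for n, v := range s.Fields {
		if !hidden[n] {
			r.Fields[n], r.Salts[n] = v, s.Salts[n]
		}
	}
	return r
}

// Verify is the reviewer side: KeyID resolves through a local trust store (never from the artifact) and integrity is checked before policy.
func Verify(trust map[string]ed25519.PublicKey, s *Sealed, expectedPolicy string) string {
	pub, ok := trust[s.KeyID]
	if !ok || !ed25519.Verify(pub, signingInput(s), s.Signature) {
		return StatusFail
	}
	for name, value := range s.Fields {
		if commit(s.Salts[name], name, value) != s.Commitments[name] {
			return StatusFail
		}
	}
	if s.PolicyVersion != expectedPolicy {
		return StatusPolicyMismatch
	}
	return StatusOK
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	trust := map[string]ed25519.PublicKey{"op-key-01": pub}
	full, _ := Seal(priv, "op-key-01", "policy-v3", map[string]string{ // constructed sample record
		"model_id": "m-42", "decision": "approve", "internal_notes": "proprietary scoring trace"})
	public := Redact(full, map[string]bool{"internal_notes": true})
	fmt.Println(Verify(trust, full, "policy-v3"), Verify(trust, public, "policy-v3"), Verify(trust, public, "policy-v4")) // OK OK POLICY_MISMATCH
	public.Fields["decision"] = "deny"
	fmt.Println(Verify(trust, public, "policy-v3")) // FAIL
}
```

The order of checks matters: the signature and the per-field commitments are verified before the policy version, so a tampered artifact is reported as FAIL rather than as a policy mismatch, and an unknown key ID is also a FAIL rather than a silent pass. Only Seal touches the private key; Redact and Verify need public keys only, which is what lets reviewers and oversight boards run them outside the operator boundary.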
Boundary declaration
  • CEYO does not certify compliance, legality, or decision correctness.
  • Verification confirms integrity and provenance under policy scope, not correctness of model output.
  • Key custody integrity depends on operator governance controls.