Security
Built for compliance‑sensitive environments.
Virdant is designed for organizations that need to prove their AI decisions were made fairly, consistently, and in accordance with policy. Every design decision prioritizes auditability, integrity, and control.
Record keeping
Audit records are the foundation of AI governance. Virdant treats them accordingly.
Tamper-evident chains
Every decision record is linked to the previous one through a cryptographic hash chain. Any attempt to modify, delete, or reorder records breaks the chain and is immediately detectable during verification.
Immutable by design
Records are append-only. Once a decision is written, it cannot be altered. Corrections are additive — a new record referencing the original — so the full history is always preserved.
Complete audit trail
Each record captures what the agent decided, the inputs it considered, governance checks it ran, and the outcome. Human review records link back to the decisions they assessed, creating a chain of custody from decision to review.
Integrity verification
Chain integrity can be verified on demand. Verification is non-destructive and can be run by compliance teams independently of the engineering team, without requiring access to application systems.
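A minimal sketch of the hash chaining and on-demand verification described under "Tamper-evident chains" and "Integrity verification". This is an added example, not Virdant's code or record format: the field names, the SHA-256 choice, the genesis value and the sample decisions are all assumptions made for illustration.

```python
import hashlib
import json

GENESIS = "0" * 64  # assumed placeholder "previous hash" for the first record

def record_hash(seq, body, prev_hash):
    # Canonical JSON (sorted keys, fixed separators) so equal content hashes equally.
    payload = json.dumps({"seq": seq, "body": body, "prev_hash": prev_hash},
                         sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(payload.encode("utf-8")).hexdigest()

def append(chain, body):
    """Append-only write: each record commits to the hash of its predecessor."""
    prev = chain[-1]["hash"] if chain else GENESIS
    seq = len(chain)
    chain.append({"seq": seq, "body": body, "prev_hash": prev,
                  "hash": record_hash(seq, body, prev)})
    return chain[-1]["hash"]  # new head; store it somewhere the writer cannot rewrite

def verify(chain, expected_head=None):
    """Read-only check. Returns [(index, reason)]; an empty list means intact."""
    problems, prev = [], GENESIS
    for i, rec in enumerate(chain):
        if rec["prev_hash"] != prev:
            problems.append((i, "broken link"))       # deletion or reordering
        if record_hash(rec["seq"], rec["body"], rec["prev_hash"]) != rec["hash"]:
            problems.append((i, "content mismatch"))  # record edited in place
        prev = rec["hash"]
    # Links alone cannot reveal records removed from the end of the chain,
    # so compare against a head hash kept outside the log.
    if expected_head is not None and prev != expected_head:
        problems.append((len(chain), "head mismatch"))
    return problems

def build_sample():
    """Constructed sample data: three decisions plus an additive correction."""
    chain, head = [], None
    for body in [
        {"decision": "approve", "inputs": {"score": 712}, "checks": ["policy-a"]},
        {"decision": "deny", "inputs": {"score": 540}, "checks": ["policy-a"]},
        {"decision": "approve", "inputs": {"score": 698}, "checks": ["policy-b"]},
        {"corrects": 1, "decision": "approve", "note": "score re-evaluated"},
    ]:
        head = append(chain, body)
    return chain, head

if __name__ == "__main__":
    chain, head = build_sample()
    print(verify(chain, head))          # intact chain
    chain[1]["body"]["decision"] = "approve"
    print(verify(chain, head))          # edited record is flagged
```

The `expected_head` comparison is what catches tail truncation or a full rewrite with recomputed hashes; without an independently stored head, a chain only proves internal consistency.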
API security
Two distinct authentication models keep ingestion and administration cleanly separated.
Separated authentication
SDK ingestion uses API keys scoped exclusively to write operations. Dashboard and administrative access uses session-based authentication. A compromised SDK credential cannot access management functions or query historical data.
Encryption in transit
All API traffic is encrypted over TLS. HTTPS is enforced; plaintext connections are rejected. Credentials and record data are never transmitted in the clear.
Rate limiting & abuse protection
Authentication endpoints are protected against brute-force attacks. Repeated failed attempts trigger progressive lockouts with standard Retry-After signaling, without revealing whether a username exists.
Strict input validation
Every API request is validated against a typed schema before processing. Malformed payloads are rejected at the boundary with structured error responses that do not expose internal system details.
SDK security
The SDK is designed to introduce no new risk into your AI stack.
Zero runtime dependencies
The SDK ships with no third-party runtime dependencies. There is no supply-chain attack surface beyond the SDK code itself — no transitive packages to audit, patch, or monitor.
Open source & auditable
Every line of SDK code is publicly available and auditable. Your security team can review exactly what runs inside your AI infrastructure. No obfuscation, no closed binaries, no black boxes.
Data sovereignty
Organizations with strict data residency requirements can self-host the Virdant platform within their own infrastructure. Audit data never leaves a boundary you do not control.
Local-first option
For air-gapped or highly regulated environments, the SDK supports local file output with no network calls. Records accumulate locally and can be ingested on your own schedule or kept entirely on-premises.
Responsible disclosure
If you discover a security vulnerability in Virdant, please report it privately via GitHub's security advisory feature or email security@virdant.ai. We will respond within 48 hours.