Trust Center · live

Every claim — pointable to a live artefact.

KYE Protocol publishes its own evidence under the same discipline it asks of every adopter: signed, replayable, machine-verifiable from public keys alone. This page is the index. Every claim below links to a live receipt, a per-framework attestation, an open verifier, or a constitution lock.

Security posture

Every security claim → an implementation artefact.

  • Tenant isolation — D1 per-tenant database + R2 per-tenant bucket + KV per-tenant namespace. Cross-tenant traversal is structurally impossible at the binding layer.
  • Authentication — OIDC (Clerk by default; any standard provider supported). Per-request authorisation via Purpose Permission; no ambient runtime.
  • Evidence signing — EdDSA over canonical JSON (RFC 8785 / JCS). Customer-held private keys; KYE sees only the published JWKS.
  • Key rotation — 90-day default; KID-rotatable without breaking in-flight verification (previous-key window).
  • Audit logging — WORM-enforced at the D1 layer + Object-Lock-enforced at the R2 layer. Append-only by structure, not by policy.
  • Rate limiting — per-tenant + per-IP + per-action-class. Rate-cap exceeded emits a typed event into the audit chain.
  • Security headers — HSTS, CSP, X-Content-Type-Options, Referrer-Policy, Permissions-Policy. Verified on every deploy.
  • Data residency — deploy to the customer's region; sovereign-cloud + BYOC supported. See sovereign-AI pages →
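
The evidence-signing and key-rotation items above, as an added example (not KYE Protocol's own code): verifying an EdDSA (Ed25519) signature over JCS-canonical JSON from a published JWKS alone, while a previous key is still listed. The receipt fields `kid`, `payload` and `sig`, the key ids and the sample payload are assumptions; this page does not specify the receipt format.

```javascript
const crypto = require("node:crypto");

// Minimal RFC 8785 (JCS) serializer for values as produced by JSON.parse: members
// sorted by UTF-16 code units (default JS sort), primitives via ECMAScript rules.
function canonicalize(v) {
  if (typeof v === "number" && !Number.isFinite(v)) throw new TypeError("not valid JSON");
  if (v === null || typeof v !== "object") return JSON.stringify(v);
  if (Array.isArray(v)) return "[" + v.map(canonicalize).join(",") + "]";
  return "{" + Object.keys(v).sort()
    .map((k) => JSON.stringify(k) + ":" + canonicalize(v[k])).join(",") + "}";
}

// Sign the canonical bytes with an Ed25519 private key and tag the receipt with its kid.
function signReceipt(payload, kid, privateKey) {
  const sig = crypto.sign(null, Buffer.from(canonicalize(payload)), privateKey);
  return { kid, payload, sig: sig.toString("base64url") };
}

// Verify from the JWKS only. The key is selected by kid and must be an Ed25519
// OKP key; nothing in the receipt is allowed to choose the algorithm.
function verifyReceipt(receipt, jwks) {
  const jwk = jwks.keys.find((k) => k.kid === receipt.kid);
  if (!jwk) return { ok: false, reason: "unknown kid" };
  if (jwk.kty !== "OKP" || jwk.crv !== "Ed25519") return { ok: false, reason: "wrong key type" };
  const key = crypto.createPublicKey({ key: jwk, format: "jwk" });
  const ok = crypto.verify(null, Buffer.from(canonicalize(receipt.payload)),
    key, Buffer.from(receipt.sig, "base64url"));
  return ok ? { ok: true, kid: jwk.kid } : { ok: false, reason: "bad signature" };
}

// Constructed sample; the kid/payload/sig receipt shape is assumed, not KYE's format.
function demo() {
  const prev = crypto.generateKeyPairSync("ed25519");
  const cur = crypto.generateKeyPairSync("ed25519");
  const jwks = { keys: [
    { ...cur.publicKey.export({ format: "jwk" }), kid: "kid-cur" },
    { ...prev.publicKey.export({ format: "jwk" }), kid: "kid-prev" }, // previous-key window
  ] };
  const old = signReceipt({ action: "export", tenant: "t-1", seq: 7 }, "kid-prev", prev.privateKey);
  const reordered = { ...old, payload: { seq: 7, tenant: "t-1", action: "export" } };
  const tampered = { ...old, payload: { ...old.payload, tenant: "t-2" } };
  const retired = { keys: jwks.keys.slice(0, 1) }; // window closed: previous key removed
  return {
    inWindow: verifyReceipt(old, jwks),
    reordered: verifyReceipt(reordered, jwks),
    tampered: verifyReceipt(tampered, jwks),
    afterWindow: verifyReceipt(old, retired),
  };
}
```

A receipt signed under the previous key verifies while that key remains in the JWKS and is rejected as `unknown kid` once it is removed, so the length of the window bounds how long older receipts stay verifiable from the live key set.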

Responsible disclosure

How to report a vulnerability.

If you've found a vulnerability in KYE Protocol — in the protocol contracts, the public Pages Functions, the published SDKs, the conformance pack, or any KYE-deployed surface — please disclose responsibly.

  • Contact: security@kyeprotocol.com (encrypt with the published PGP key — see /.well-known/security.txt).
  • Acknowledgement: within 2 business days.
  • Triage + initial advisory: within 14 days.
  • Coordinated-disclosure window: 90 days from triage, extendable by mutual agreement.
  • No legal action will be taken against good-faith research that follows the disclosure protocol. Researcher credit on the advisory if desired.

/.well-known/security.txt →