07
Security & Privacy

An AI system inherits every permission it can reach.

Our security approach treats prompts, retrieval, models, tools and identities as one attack surface. Authority is constrained before intelligence is added.

PUBLIC DISCLOSURE / v1.1

Secure-by-architecture baseline

This page describes Morifar's intended delivery standard. The public Decision Instrument additionally enforces same-origin access, bounded JSON input, rate limits, a safe request timeout, server-side secrets and strict structured-output validation. Specific controls, hosting regions, vendors and contractual commitments are confirmed per engagement. This is not an ISO certification, SOC attestation or independent audit.

SEC-01

Identity

Role-based access, service identities, least privilege and separation of human from machine authority.

SEC-02

Data

Purpose limitation, source permissions, minimisation, retention design and controlled retrieval.

SEC-03

Models

Approved providers, use-case constraints, prompt-injection controls and documented fallback behaviour.

SEC-04

Tools

Allowlisted actions, typed inputs, scoped credentials, transaction limits and confirmation gates.

SEC-05

Software

Peer review, dependency control, secret handling, environment separation and change traceability.

SEC-06

Operations

Logging, alerting, incident classification, containment, recovery and post-incident corrective action.

DATA LIFECYCLE

Every data flow needs a purpose, owner and exit.

1Collect

Identify lawful purpose and minimise inputs.

2Use

Enforce identity and source permissions at retrieval time.

3Transmit

Protect data in transit and limit processor exposure.

4Retain

Apply defined retention and deletion requirements.

5Evidence

Preserve appropriate audit records without replicating sensitive content.

SECURITY CONTACT

Report a suspected vulnerability responsibly.

Send a concise description, affected surface and reproduction information. Do not include client data or exploit production systems. We will acknowledge valid reports and coordinate remediation according to severity.

ai@morifar.com
START A PRIVATE CONVERSATION

Design the permission model before the agent.

Discuss your opportunity