Identity
Role-based access, service identities, least privilege and separation of human from machine authority.
Our security approach treats prompts, retrieval, models, tools and identities as one attack surface. Authority is constrained before intelligence is added.
This page describes Morifar's intended delivery standard. The public Decision Instrument additionally enforces same-origin access, bounded JSON input, rate limits, a safe request timeout, server-side secrets and strict structured-output validation. Specific controls, hosting regions, vendors and contractual commitments are confirmed per engagement. This is not an ISO certification, SOC attestation or independent audit.
Role-based access, service identities, least privilege and separation of human from machine authority.
Purpose limitation, source permissions, minimisation, retention design and controlled retrieval.
Approved providers, use-case constraints, prompt-injection controls and documented fallback behaviour.
Allowlisted actions, typed inputs, scoped credentials, transaction limits and confirmation gates.
Peer review, dependency control, secret handling, environment separation and change traceability.
Logging, alerting, incident classification, containment, recovery and post-incident corrective action.
Identify lawful purpose and minimise inputs.
Enforce identity and source permissions at retrieval time.
Protect data in transit and limit processor exposure.
Apply defined retention and deletion requirements.
Preserve appropriate audit records without replicating sensitive content.
Send a concise description, affected surface and reproduction information. Do not include client data or exploit production systems. We will acknowledge valid reports and coordinate remediation according to severity.
ai@morifar.com