Security Overview
This document describes current technical and organisational security controls implemented by Resolution Assurance™. It does not guarantee security outcomes or eliminate all risk of compromise.
Last updated: January 2026
Evidence integrity
All artefacts are cryptographically hashed using SHA-256 at the point of ingestion.
Any hash mismatch constitutes a loss of integrity and invalidates the artefact for verification-reference purposes.
Deterministic rules
All verification rules are uniquely identified, version controlled, and traceable to a documented change log.
Verification outputs are deterministic, reproducible, and auditable.
Sealing (ER021)
ER021 is the authoritative verification record defined by the Evidence Model.
Sealed artefacts include:
- Manifest-level and bundle-level SHA-256 cryptographic hashes.
- RFC 3161-compliant timestamping.
- Transparency log anchoring (Rekor).
- Storage within an immutable archive.
Sealing establishes cryptographic proof of existence and integrity without interpretation or judgement.
Data residency and cryptography
- Supported processing regions: Australia, European Union, United Kingdom.
- Customer-managed, region-pinned encryption keys via AWS KMS.
- Transport security: TLS 1.2 or higher.
- Data at rest: AES-256 encryption.
- Key rotation interval: ≤ 12 months.
Verification process independence
Independent third-party review of verification processes may be conducted by qualified external firms.
Interim independence is supported through external timestamping authorities and transparency log anchoring.
Responsible disclosure
Security research activities must comply with the responsible disclosure policy.
Prohibited activities include denial-of-service attacks, social engineering, credential harvesting, and unauthorised data extraction.
Verification reference validation
Sealed artefacts may be validated by confirming correspondence to published cryptographic references using Verify a Seal.
Validation does not involve interpretation, certification, or judgement.
ISO/IEC 27001:2022 Alignment
Resolution Assurance™ has implemented technical and organisational controls that are aligned with the intent of ISO/IEC 27001:2022 (Information Security Management Systems).
This alignment is informative and supports enterprise and regulatory assessment. It does not represent certification, accreditation, or formal compliance determination.
- Cryptographic integrity controls aligned to Annex A.8 (Technological controls).
- Deterministic processing and change traceability aligned to A.8.9 and A.8.32.
- Logging, timestamping, and transparency anchoring aligned to A.8.15 and A.8.16.
- Key management and encryption aligned to A.8.24 and A.8.25.
- Governance boundaries and acceptable use aligned to A.5 organisational controls.
Detailed control mappings, evidence references, and implementation artefacts are available to enterprise customers and regulators upon request under appropriate confidentiality arrangements.
