Every compliance receipt is independently verifiable by any third party — without platform access, without authentication, and without trusting Solymus.
Solymus does not ask you to trust us. The platform is designed so that every compliance receipt can be independently verified by any third party — without platform access, without authentication, and without trusting ProlixoTech.
Our security posture is built around one principle: if the mathematics check out, the receipt is valid. If they don't, no marketing claim, certification logo, or contractual promise can make it valid.
Every evidence payload is serialized under RFC 8785 JSON Canonicalization Scheme. Keys are sorted lexicographically, whitespace is stripped, numeric values follow IEEE 754 shortest-round-trip form, and Unicode is normalized. The Python backend and the in-browser JavaScript demo produce byte-identical canonical bytes.
SHA-256 is computed locally on the canonicalized bytes. Only the 32-byte digest is transmitted to AWS KMS for ECDSA_SHA_256 signing, bypassing KMS's 4 KB message limit. The signing key is FIPS 140-3 hardware-rooted and exclusively scoped to SIGN_VERIFY — Solymus cannot decrypt with it, only sign.
Signed events are written to a 20-shard DynamoDB consensus chain with the formula current_hash = SHA-256(event_data + prev_hash). Optimistic locking via ConditionExpression prevents chain forking. Daily Merkle-root attestations are sealed by KMS and written to prolixo_global_roots_v1. Chain continuity makes tampering mathematically detectable.
All evidence stored in S3 with SSE-KMS. DynamoDB tables use AWS-managed encryption. Cold archive in Parquet format, partitioned by year/month/day.
TLS 1.3 enforced on api.prolixotech.com via CloudFront. HSTS headers, CSP without unsafe-eval, no inline eval anywhere in the frontend.
Clerk JWT for user-scoped operations. Scoped API keys for tenant-scoped evidence ingestion. RBAC via single-table ORG/MEMBER records. SSO/SAML on Level 3.
Per-tenant DynamoDB atomic counters with 5-minute TTL windows. Level 1 = 10 req/s, Level 2 = 50 req/s, Level 3 = 200 req/s. In-memory fallback on DynamoDB unavailability.
All evidence hosted in AWS us-east-1. Canadian data sovereignty region (ca-central-1) on the roadmap. Never shared with third parties, never used to train models.
CloudWatch alarms on canonicalization failures, KMS throttling, and webhook DLQ depth. SQS DLQ with 14-day retention for every async pipeline.
Solymus deliberately uses the phrase tamper-evident, not tamper-proof. No system that runs on general-purpose hardware is tamper-proof. What Solymus guarantees is that any modification to an evidence payload — even a single byte — will produce a SHA-256 digest that does not match the KMS signature. The tampering becomes mathematically detectable; whether it gets detected depends on someone actually running the verification.
Solymus's signing keys live in AWS KMS, which uses FIPS 140-3 Level 3 validated HSMs. Solymus itself is not FIPS 140-3 certified — certification is an organizational audit, not a library property. We make the precise claim: the cryptographic primitive is hardware-rooted. Nothing more.
CPCSC Level 1 is free for a limited time. Credit card required to activate. Early bird pricing through December 31, 2026.
Get Started