We take security seriously. If you discover a security vulnerability in our platform, please report it to us responsibly.
Security Controls in the 3.5 Confidence Track
PolicyWatcher documents security and confidence work as operational evidence within a defined certification boundary. The current release includes:
Session and API BoundariesHMAC-signed admin sessions, rate-limited login, bearer-protected internal routes and production seed endpoint lockout.
Renderer IsolationOptional VPS renderer for script-rendered pages, protected by shared secret and SSRF validation for URLs, redirects and subresources.