SECURITY ARCHITECTURE
Architectural Security Model
The ENVELO Interlock is designed so Sentinel Authority has no access to operator systems, data, or network infrastructure. Security properties are structural, not contractual.
THREAT MODEL AND ASSUMPTIONS
The following trust boundaries and assumptions govern the security model of the ENVELO Interlock.
Trust Boundary: The interlock operates within the operator's infrastructure. Sentinel Authority has no access to that environment.
Assumptions: Operator infrastructure is assumed to be independently secured. The interlock does not compensate for host environment vulnerabilities.
Threat Exclusions: Physical access attacks, operator-side credential compromise, and supply chain attacks on operator infrastructure are outside the scope of this model.
Operator Responsibility: Operators are solely responsible for securing the environment in which the interlock is deployed.
CORE GUARANTEE
What the ENVELO Interlock cannot do — by architecture, not policy
NO INBOUND PORTS
NO REMOTE ACCESS
NO SYSTEM DATA ACCESS
NO CLOUD COMMANDS
The interlock opens no inbound network interfaces. Sentinel Authority has no mechanism to connect to, access, or control your infrastructure. Communication is strictly one-way: telemetry out, nothing in.
ATTACK SURFACE
Can Sentinel Authority access our systems remotely?
No. The ENVELO Interlock opens zero inbound ports and accepts zero inbound connections. There is no SSH, no API endpoint, no reverse tunnel. The architecture contains no inbound communication interfaces and no code path enabling remote execution.
What happens if the connection to Sentinel drops?
The interlock continues enforcing boundaries locally; connectivity to Sentinel is not required for enforcement. Telemetry generated while offline is queued locally, hash-chained in the order it was produced, and transmitted when the connection resumes. If connectivity is not restored within the configured threshold, conformance status transitions to PAUSED pending reconnection.
Could an attacker who compromised Sentinel Authority inject commands into the interlock?
No. The interlock does not accept commands from any external source; it only transmits telemetry outbound. Even if Sentinel's servers were fully compromised, there is no code path by which an instruction could reach the interlock.
DATA PRIVACY
What data does the ENVELO Interlock transmit?
Only boundary conformance data — whether the system is operating within its discovered operational envelope. The Interlock transmits enforcement actions, boundary check results, and violation events. No PHI, no PII, no model weights, no decision logic, no business data, no logs, no screenshots, no video.
Is the ENVELO Interlock compatible with HIPAA / SOC 2 / ISO 27001?
Yes. Because the ENVELO Interlock transmits no PHI or PII, its telemetry falls outside the scope of HIPAA covered data. For SOC 2 and ISO 27001 environments, the interlock's outbound-only architecture, certificate pinning, and cryptographic audit trail support the network, encryption, and logging controls those frameworks require. A Business Associate Agreement is available where applicable.
NETWORK
What network access does the ENVELO Interlock require?
Outbound HTTPS only (port 443) to api.sentinelauthority.org. No inbound ports, no UDP, no custom protocols. Compatible with corporate proxies and firewalls — allowlist a single domain.
How is the connection secured?
TLS 1.3 with certificate pinning. The interlock records Sentinel Authority's certificate fingerprint at install time and refuses any connection that presents a different certificate, so a certificate issued by a compromised CA is rejected even though it would pass ordinary CA validation. All telemetry is additionally signed with the interlock's private key.
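The following is an added illustration, not Sentinel Authority's code, of what "pinned, outbound-only, TLS 1.3" means on the client side: the default CA validation and hostname check stay on, TLS below 1.3 is refused, and the leaf certificate's SHA-256 fingerprint is compared against the pin recorded at install time before any telemetry is written. The pin value, the choice of a leaf-certificate SHA-256 pin, and the function names are assumptions; the host and port follow the page.

```python
"""Outbound-only TLS 1.3 client with certificate pinning (added example)."""
import hashlib
import hmac
import socket
import ssl

COLLECTOR_HOST = "api.sentinelauthority.org"
COLLECTOR_PORT = 443
PINNED_SHA256 = "00" * 32  # placeholder: the fingerprint recorded at install time, not a real value


def cert_fingerprint(der_cert: bytes) -> str:
    """Lower-case hex SHA-256 over the DER certificate, the same digest
    `openssl x509 -fingerprint -sha256` prints (without the colons)."""
    return hashlib.sha256(der_cert).hexdigest()


def pin_matches(der_cert: bytes, pinned: str) -> bool:
    """Constant-time comparison of the presented leaf against the pin.
    Accepts the colon-separated upper-case form as well."""
    normalized = pinned.replace(":", "").lower()
    return hmac.compare_digest(cert_fingerprint(der_cert), normalized)


def make_context() -> ssl.SSLContext:
    """Default CA validation and hostname checking stay enabled; the minimum
    protocol version is raised so a downgrade below TLS 1.3 fails the handshake."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_3
    return ctx


def context_meets_policy(ctx: ssl.SSLContext) -> bool:
    """True if the context enforces TLS 1.3, hostname checking and CA verification."""
    return (ctx.minimum_version == ssl.TLSVersion.TLSv1_3
            and ctx.check_hostname
            and ctx.verify_mode == ssl.CERT_REQUIRED)


def open_pinned_connection(host=COLLECTOR_HOST, port=COLLECTOR_PORT,
                           pinned=PINNED_SHA256, timeout=10.0):
    """Connect outbound and return the TLS socket only if the leaf matches the pin.

    CA validation happens inside the handshake; the pin check runs immediately
    afterwards and before anything is sent, so a certificate that chains to a
    trusted but compromised CA is still rejected and the socket is closed.
    """
    ctx = make_context()
    raw = socket.create_connection((host, port), timeout=timeout)
    tls = ctx.wrap_socket(raw, server_hostname=host)
    try:
        der = tls.getpeercert(binary_form=True)
        if der is None or not pin_matches(der, pinned):
            raise ssl.SSLCertVerificationError(
                "presented certificate does not match the pinned fingerprint")
    except Exception:
        tls.close()
        raise
    return tls
```

Because the pin in this example is on the leaf certificate, the installed value has to be refreshed whenever the collector's certificate rotates; the example performs no automatic re-pinning, and a mismatch is treated as a hard failure rather than a fallback to plain CA validation.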
AUDITABILITY
How can we verify what the interlock is sending?
Operators can export telemetry data, violation records, and full CAT-72 enforcement reports directly from the applicant dashboard. Every session includes downloadable CSVs and PDF reports — giving auditors complete visibility into what the Interlock monitors, enforces, and transmits.
Is the telemetry tamper-proof?
Yes. Every telemetry packet is cryptographically signed and hash-chain linked to the previous packet. Any gap, reorder, or modification breaks the chain and is flagged automatically. This provides non-repudiable evidence for certification and audit.
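As an added example (not the ENVELO Interlock's code), the following shows the mechanism behind both the offline queue ordering described under "What happens if the connection to Sentinel drops?" and the tamper-evidence claim above: each packet carries a sequence number and the hash of the previous packet, is authenticated, and a collector-side verifier reports gaps, reorders, replays, modifications and broken links by position. HMAC-SHA256 under a constructed shared key stands in for the interlock's private-key signature, and the packet layout (seq, prev, event, sig) and the sample events are assumptions.

```python
"""Hash-chained, authenticated telemetry and its verifier (added example)."""
import hashlib
import hmac
import json

# Constructed key: a stand-in for the interlock's private key; the real
# scheme would sign with an asymmetric key and verify with its public half.
SIGNING_KEY = b"constructed-example-key-not-a-real-interlock-key"
GENESIS = "0" * 64  # link value carried by the first packet of a session

# Constructed sample events in the categories the page lists (boundary checks,
# violation events, enforcement actions); field names are assumptions.
EVENTS = [
    {"type": "boundary_check", "boundary": "speed", "result": "PASS"},
    {"type": "violation", "boundary": "speed", "observed": 12.4, "limit": 10.0},
    {"type": "enforcement", "action": "HALT"},
]


def canonical(obj) -> bytes:
    """Deterministic encoding so producer and verifier hash identical bytes."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def packet_hash(pkt: dict) -> str:
    """Link value for the next packet: covers the whole packet, signature included."""
    return hashlib.sha256(canonical(pkt)).hexdigest()


def make_packet(seq: int, prev_hash: str, event: dict) -> dict:
    body = {"seq": seq, "prev": prev_hash, "event": event}
    sig = hmac.new(SIGNING_KEY, canonical(body), hashlib.sha256).hexdigest()
    return {**body, "sig": sig}


def build_chain(events, start_seq: int = 0) -> list:
    """Interlock side: queue events in order, each linked to the one before it."""
    chain, prev = [], GENESIS
    for seq, event in enumerate(events, start=start_seq):
        pkt = make_packet(seq, prev, event)
        chain.append(pkt)
        prev = packet_hash(pkt)
    return chain


def verify_chain(chain, start_seq: int = 0):
    """Collector side. Returns (ok, findings); each finding is (kind, detail).

    Sequence numbers expose reorder, gap and replay; the authenticator exposes
    modification; the link check catches any break in the chain, including the
    one a gap or a modified predecessor leaves behind.
    """
    findings = []
    seqs = [p["seq"] for p in chain]
    if seqs != sorted(seqs):
        findings.append(("reorder", seqs))
    expected = set(range(start_seq, max(seqs, default=start_seq - 1) + 1))
    for missing in sorted(expected - set(seqs)):
        findings.append(("gap", missing))
    dupes = sorted({s for s in seqs if seqs.count(s) > 1})
    if dupes:
        findings.append(("replay", dupes))
    prev = GENESIS
    for pkt in sorted(chain, key=lambda p: p["seq"]):  # stable sort keeps duplicates adjacent
        body = {k: pkt[k] for k in ("seq", "prev", "event")}
        expected_sig = hmac.new(SIGNING_KEY, canonical(body), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(pkt["sig"], expected_sig):
            findings.append(("modified", pkt["seq"]))
        if pkt["prev"] != prev:
            findings.append(("broken_link", pkt["seq"]))
        prev = packet_hash(pkt)
    return (not findings, findings)


if __name__ == "__main__":
    chain = build_chain(EVENTS)
    print(verify_chain(chain))                           # intact
    print(verify_chain([chain[0], chain[2]]))            # packet 1 missing
    print(verify_chain([chain[0], chain[2], chain[1]]))  # delivered out of order
```

The verifier links packets in sequence order rather than arrival order, so a batch that was merely delivered out of order is reported as a reorder with intact links, while a dropped or altered packet shows up as both a gap or modification at that position and a broken link at the packet after it.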
VULNERABILITY REPORTING AND SECURITY INQUIRIES
For security reviews, penetration test coordination, or compliance documentation requests, contact:
conformance@sentinelauthority.org