indentia.ai

Security & trust

Cryptographic where it counts. Auditable everywhere.

Indentia is built for environments where "we trust the network" is not an acceptable answer. Every request is evaluated at runtime; every artefact carries a cryptographically bound label; every key lives in hardware. Defence-grade controls, available to anyone who needs them — not just to ministries.


Capabilities

Six controls, designed as one system.

Zero Trust by default

Every request is evaluated at runtime — identity, intent, context and resource — before it touches anything. No implicit trust based on network position, VPN, namespace or service account. A request from inside the cluster gets the same scrutiny as one from outside.

Semantic ABAC + RBAC

Attribute-Based Access Control over the ontology, layered on classical role-based access. Permissions are evaluated against entity attributes (clearance, releasability, domain, sensitivity) and dynamic context — not just on group membership. Automated, expressed in policy-as-code.

Cryptographic classification labels

STANAG 4774 confidentiality labels and STANAG 4778 metadata bindings: every artefact carries a label, cryptographically bound to its content via XMLDSIG. Downgrade attacks are detectable; releasability checks happen on the label, not on a separate database lookup.

Provenance & chain-of-custody

Every fact in the knowledge graph carries its source, ingestion time, transformations and the responsible identity. Tampering is detectable; "who told us, when, and how was it transformed" is a SPARQL query, not a forensic project.

PKI + mTLS everywhere

Mutual TLS between every internal service, with certificates issued from an internal PKI you control. Service-to-service trust is cryptographic, not network-topological. Rotation is automated; revocation is observable.

HSM-backed keys (EAL4+ / FIPS 140-3 L3)

Signing keys, sealing keys and at-rest encryption keys live in a hardware security module that meets EAL4+ Common Criteria or FIPS 140-3 Level 3, depending on your environment. The platform never sees raw key material — operations happen inside the HSM.

Where it fits

Built for the toughest environments. Useful everywhere else.

Defence & government

Compartmented data with STANAG labels, releasability enforced at the platform layer, HSM-protected signing for orders and intelligence products.

Banking & insurance

Customer-data segmentation per business unit and jurisdiction, audit-grade chain-of-custody for every model decision, regulator-ready evidence on demand.

Critical infrastructure

NIS2-compliant zero-trust between IT and OT, signed firmware and configuration for field devices, immutable telemetry chain.

Sovereign by construction

Your keys. Your code. Your hardware.

PKI, HSM, signing keys, sealing keys — all under your control, inside your perimeter. Indentia can run with zero outbound connectivity. No SaaS dependency in the trust chain; no foreign jurisdiction in the audit trail.
