This page describes the security architecture ChainVision is being built around, and the roadmap for the certifications and audits that mining IT teams will ask for. ChainVision is pre-pilot. Specific certifications and audits are part of our funded commercialisation plan and are not currently in place. Please read this page as design principles and forward roadmap, not current state.
Tenant isolation is designed to be enforced at the database engine, not just in application code. The intent is that a query for one organisation cannot return another organisation's rows even if an application endpoint is misconfigured.
Designed to support enterprise SSO (SAML 2.0 / OIDC) for integration with Microsoft Entra ID, Okta, or PingFederate, alongside named-user licensing, corporate email domain enforcement, and mandatory MFA for admin accounts. Roadmap item.
Two deployment modes are planned: cloud SaaS in an Australian region, and private cloud inside the customer's own AWS or Azure tenant. In private cloud mode, the design intent is that operational data stays inside customer infrastructure.
Designed for TLS 1.3 in transit with no plaintext fallback, AES-256 at rest, and managed secret storage with no credentials committed to source control.
Designed so that every data access event (read, write, delete) is logged with user, source IP, timestamp, and resource accessed, with database-level rules preventing modification of audit rows. Roadmap item for first-pilot deployment.
The deployment design protects the underlying methodology against extraction from on-premise containers, with revocable distribution credentials and a source-code-escrow option for enterprise customers as a roadmap item.
In the planned private cloud deployment, operational data stays inside customer infrastructure. The simulation engine, where the proprietary methodology lives, remains on Copula Labs servers and is accessed via an encrypted API. The diagram below reflects design intent, not a deployed system.
The design intent for tenant isolation is to enforce it at four independent layers simultaneously, so that the failure of any single layer does not expose another tenant's data. Each layer below is a design principle, intended for first-pilot deployment.
The list below is the security control set ChainVision is being designed to support for first-pilot deployment. None of the controls below are currently in production. Each is a roadmap commitment, not a current capability.
@yourcompany.com) so that only users with approved domains can join the organisation. Roadmap.
This is the list we expect from an enterprise IT security review. The status column reflects the honest current state. ChainVision is pre-pilot; certifications and audits are part of our funded commercialisation plan and have not yet commenced.
| Question | Status | Notes |
|---|---|---|
| SOC 2 Type II | Planned post-pilot funding | Independent audit yet to commence. Engagement is part of the post-pilot commercialisation plan. |
| ISO 27001 | Planned subsequent to SOC 2 | Formal certification programme planned after SOC 2 readiness is established. |
| Penetration test | Planned pre-first-pilot | External penetration test planned prior to first paid pilot deployment. Has not yet been performed. |
| SAML SSO (Entra ID, Okta) | Designed for · roadmap | Architecture supports SAML 2.0 / OIDC integration. Available at Enterprise tier from first pilot. |
| Cross-tenant isolation | Design principle | Database-engine row-level isolation is a design requirement. CI verification of the property is on the roadmap. |
| Service key rotation runbook | Roadmap | Zero-downtime rotation procedure to be documented and rehearsed before first pilot. |
| Data residency in Australia | Designed for | Cloud SaaS planned for an Australian region. Private cloud deployment in customer-chosen region is part of the deployment design. |
| Private cloud deployment | Designed for · roadmap | Containerised deployment in customer's own AWS or Azure tenant is a planned deployment mode at Enterprise tier. |
| Source code escrow | Planned for Enterprise tier | Source code escrow with a neutral third party is a roadmap item for Enterprise customers. |
| No vendor lock-in on data | Design principle | Standard-format export of simulation inputs, results, and configurations is a design requirement. |
| GDPR / Australian Privacy Act | Design principle | Data Processing Addendum to be made available. Personal data is intended to be limited to user account information. |
| Incident response SLA | Designed for Enterprise tier | Documented incident response procedure with response and resolution targets is a roadmap item. |
| Backup and recovery | Roadmap | Automated backups, retention, and tested restore procedures are part of the pre-pilot operational checklist. |
The detailed security and architecture roadmap, including the pre-pilot operational checklist and the certifications timeline, is available to qualified prospects under NDA.