Security

Security at Postrule

We treat security as a continuous engineering practice, not a checkbox. This page is the short version; the documents below carry the detail procurement readers and security researchers need.

We see your decisions, never your data

When verdict telemetry is on, Postrule's hosted pipe ships only the shape of a decision — the switch name, which tier decided (rule → model → ML), whether each layer was right, and a project slug. It never transmits your inputs, the classified content, the labels themselves, or your ground truth — those stay in your process. A credential leak cannot expose your data, which is what makes Postrule safe to adopt on regulated and sensitive workloads. The exact wire shape is documented in the telemetry wire specification, and postrule verify prints precisely what leaves your machine. Telemetry is opt-out at any time.

How we operate

Postrule runs on hardened cloud infrastructure with TLS in transit and managed encryption at rest. Build and publish pipelines use modern OIDC-based trusted publishing with provenance attestations rather than long-lived tokens. Dependency alerts are monitored continuously, and high-severity findings are patched within the same week. We adhere to GDPR-aligned commitments for breach notification (within 72 hours of discovery) and compelled-disclosure notification (within 24 hours of receipt, where legally permitted).

Where we don't yet hold a third-party attestation (SOC 2, ISO 27001, HIPAA), we say so plainly. Roadmap targets and the current status of any specific compliance question are available on request to licensing@b-treeventures.com.

Documents

For customers whose procurement process needs more than this one-pager:

Reporting a vulnerability

Email security@postrule.ai. Please do not file a public GitHub issue. You can expect acknowledgement within 72 hours and a triage decision within five business days. Severity-driven patch timelines and scope details live in SECURITY.md. Anonymous reports are welcome.
