Security Architecture

Built for Security-First
Enterprise Deployments

StreetMP OS was designed from first principles with enterprise security requirements. Zero retention, cryptographic audit chains, structural tenant isolation.

Core Controls

Security Architecture

Zero Retention Architecture

Raw inputs are never persisted. Only HMAC-signed telemetry metadata is written to the append-only audit ledger. Your data never leaves the processing enclave.

  • RFC 2104 HMAC-SHA256 signing
  • Zero plaintext persistence
  • Enclave-scoped execution
  • Memory-safe processing

Policy-Driven Enforcement

Every enforcement decision is deterministic — governed by your SecurityRule set. No opaque AI overrides. Every BLOCK, ALLOW, and REDACT is traceable to a specific rule.

  • Named SecurityRules with version tracking
  • Kill switch for instant policy suspension
  • Rollback-safe policy activation
  • Per-tenant rule isolation

Immutable Audit Chain

Every event — policy change, analyst override, scan result — is written to an append-only ledger with cryptographic integrity. No record can be modified or deleted.

  • Append-only AuditLog architecture
  • HMAC-chained event integrity
  • Tamper-evident record structure
  • SOC2-ready evidence export

Tenant Isolation

Multi-tenant architecture with structural query isolation. Every database query is orgId-scoped at the Prisma layer. Cross-tenant data access is architecturally eliminated.

  • Prisma-enforced orgId scoping
  • Structural isolation test suite
  • No shared session state
  • Per-tenant encryption keys (BYOK)

Compliance

Regulatory Readiness

SOC2 Type II

Readiness Operations Active

Singapore PDPA

APAC Privacy Controls Enabled

India PDPB

Jurisdiction-Scoped Processing

GDPR

Data Minimization + Zero Retention

Thailand PDPA

APAC Sovereign Deployment

ISO 27001

Control Alignment in Progress

Responsible Disclosure

If you discover a security vulnerability in StreetMP OS, please report it privately to security@streetmp.com. We commit to acknowledgement within 24 hours and resolution timelines based on severity. We do not pursue legal action against good-faith security researchers.

Threat Detection

Attack Taxonomy & Detection Coverage

Every threat category has a corresponding detection method in the NeMo CLAW pipeline. No black-box scoring — each signal is individually logged.

Prompt Injection

CRITICAL
  • Direct instruction override attempts
  • Role-play jailbreaks
  • Delimiter injection
  • Nested prompt escaping
Detection:Neural + regex dual-stage

PII Exposure

HIGH
  • Account numbers
  • National ID patterns
  • Email/phone exfiltration
  • Name + DOB combinations
Detection:Entity recognition + pattern matching

Data Exfiltration

HIGH
  • Base64 encoding attempts
  • URL embedding of sensitive data
  • Encoded payload patterns
Detection:Entropy analysis + semantic scan

Unicode Normalization Attacks

MEDIUM
  • Homoglyph substitutions
  • Zero-width character injection
  • Bidirectional text overrides
  • Unicode escape sequences
Detection:Normalization + character class analysis

Indirect Prompt Injection

HIGH
  • Malicious web content ingestion
  • Poisoned document payloads
  • Hidden instruction embedding
Detection:Context-aware injection scoring

Policy Bypass Attempts

MEDIUM
  • Threshold-probing patterns
  • Confidence manipulation
  • Repetitive boundary testing
Detection:FP War Room pattern correlation

FP Suppression

False Positive Reduction Workflow

High-confidence threat detection creates false positives in edge cases. StreetMP OS has a structured, analyst-driven workflow for identifying, suppressing, and adapting to FP patterns.

01
DETECTFP War Room surfaces repeated overrides by entity type across 14-day window
02
ANALYSEConfidence heatmap shows distribution of FPs across 4 confidence buckets
03
REVIEWAnalyst queue surfaces top 20 recent FPs for manual verdict
04
TUNEAdaptive tuner adjusts SecurityRule confidence threshold by -0.05 per confirmed FP cluster
05
LOGEvery threshold change written to AuditLog with actor, reason, and before/after values
06
VERIFYNext alert sweep confirms FP rate dropped below 15% threshold

War Room Health Scoring

HIGH-severity policy conflict found-20 points each (max -40)
MEDIUM-severity policy conflict found-10 points each (max -30)
Entity with ≥3 repeated overrides-5 points each (max -30)
Starting baseline100 points

War Room Score ≥ 80 = Healthy FP posture

Score exposed at GET /api/v1/intelligence/fp-war-room