Majormatic is built as professional infrastructure. Security is not an add-on — it is a structural property of every layer of the platform.
The platform enforces strict authority boundaries. User interfaces render information — they never enforce rules. Governance, billing, and execution are enforced at the platform level on every request.
Every API request is validated against the user's identity, role, and organisation membership. Permissions are not cached or inherited from session state — they are verified on every request.
User data is isolated by organisation. Your data is never shared with or accessible to other organisations. Access to sensitive data requires explicit authorisation.
Uploaded inputs and generated outputs are stored in separate vault namespaces. Outputs in the Output Vault are sealed after finalisation and cannot be modified. There is no direct storage access: file reads are mediated by the platform under authentication, and storage keys are never exposed to the UI.
Every execution creates an append-only audit record. Records cannot be modified or deleted. The integrity of audit trails supports legal defensibility and regulatory compliance.
Majormatic runs on Cloudflare's global edge infrastructure. All communication is encrypted in transit. Secrets are managed securely and never stored in application code or logs.
User data is stored in three separate layers, each with different retention and access rules.
Uploaded input files and raw execution evidence. Active for 30 days by default. There is no direct access: files are read through the platform under authentication, and storage keys are never exposed to the browser. Shown in the current interface as Primary Vault.
Finalised execution outputs. Sealed and immutable after finalisation. Linked to the execution's audit record. Accessed through authenticated, platform-mediated reads — not public or direct storage links. Shown in the current interface as Generated Vault.
Execution events, supervision records, and acknowledgement history. Append-only and tamper-evident. Retained in accordance with applicable compliance policy.
If you discover a security vulnerability, please contact our security team directly. Do not disclose security issues publicly before we have had the opportunity to investigate and address them.