Our principled approach to data protection, access control, and operational security.
Majormatic is a Digital Vault architecture designed for professional work in regulated industries. Security is a structural property of the platform, not a layer added on top.
We operate on a principle of least privilege: every component, user, and integration receives only the access it requires. Access is never assumed and always verified. The Kernel is the sole execution authority — no developer, app, or user can bypass its rules.
Data is separated into three governed layers: raw evidence (temporary), processed results (linked to execution), and supervision patterns (governed by policy). Each layer has its own retention rules. The default active workspace window is 30 days. Vault extension is available for monetised continuity.
We do not make absolute security guarantees — no platform can. What we commit to is a phased, documented, and continuously improving security posture designed to meet regulated industry requirements at each phase.
Our security capabilities are phased by data sensitivity. Each phase unlocks the platform for a broader class of regulated data.
Public data. Full governance, audit trails, lifecycle management, and AI+Gov API hybrid. Designed for law firms, accountants, and consultants handling publicly available data and client-facing professional outputs.
Private matter data, internal documents, firm-confidential workflows. Enhanced data separation, restricted supervision pattern tiers, and role-based access controls for multi-seat firm accounts.
Banking and healthcare data. ISO 27001 certification, full jurisdictional compliance enforcement, multi-expert approval for CRITICAL risk executions, advanced audit and data residency controls.
Every execution carries a jurisdiction context that controls which regulatory sources and enforcement rules apply. This is not advisory — it is structural.
Region: UK, EU, or other defined regions. Governs which government API sources are authoritative for this execution.
Authoritative source: linked to the applicable government API (UK Gov legislation, HMRC, Companies House, EUR-Lex). AI output is grounded against the authoritative source.
Enforcement mode: STRICT (execution blocked on conflict) or ADVISORY (conflict flagged, execution proceeds). Enterprise accounts can configure jurisdiction enforcement per workspace.
Majormatic defines explicit failure states. The platform does not assume success. When execution encounters uncertainty, conflict, or missing data, the platform follows defined escalation rules — not defaults.
External authority API unavailable. Retry once; if unresolved, block execution and notify user.
AI confidence below threshold. Execution is flagged and escalated for human review before proceeding.
Conflicting regulatory sources identified. User must explicitly override with a recorded DECISION supervision pattern.
Required data absent from pipeline truth or inputs. Execution halts. User must resolve before proceeding.
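The enforcement modes and failure states described above, expressed as a single execution gate. This is an added illustration, not Majormatic's own code; the rule ordering, the 0.8 confidence threshold, and the names (Execution, Outcome, gate) are assumptions.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import Callable, Optional

class Mode(Enum):
    STRICT = "STRICT"      # a regulatory conflict blocks execution
    ADVISORY = "ADVISORY"  # a conflict is flagged and execution proceeds

CONFIDENCE_THRESHOLD = 0.8  # assumed value; the page does not state one

@dataclass
class Execution:
    region: str
    mode: Mode
    ai_confidence: float
    sources_conflict: bool = False
    missing_inputs: list = field(default_factory=list)
    override_decision: Optional[str] = None  # id of a recorded DECISION pattern

@dataclass
class Outcome:
    state: str  # PROCEED | ESCALATED | BLOCKED | HALTED
    reasons: list = field(default_factory=list)
    notify_user: bool = False

def fetch_with_retry(fetch: Callable[[], dict]) -> Optional[dict]:
    # One initial attempt plus exactly one retry, then give up.
    for _ in range(2):
        try:
            return fetch()
        except ConnectionError:
            pass
    return None

def gate(ex: Execution, fetch_authority: Callable[[], dict]) -> Outcome:
    # Assumed evaluation order: missing data, authority reachability,
    # regulatory conflict, then AI confidence. First terminal state wins.
    if ex.missing_inputs:
        return Outcome("HALTED", [f"missing inputs: {ex.missing_inputs}"], notify_user=True)
    if fetch_with_retry(fetch_authority) is None:
        return Outcome("BLOCKED", ["authority API unavailable after retry"], notify_user=True)
    out = Outcome("PROCEED")
    if ex.sources_conflict:
        if ex.mode is Mode.STRICT and ex.override_decision is None:
            return Outcome("BLOCKED", ["regulatory conflict; recorded DECISION required"], notify_user=True)
        out.reasons.append(f"conflict flagged ({ex.mode.value}, override={ex.override_decision})")
    if ex.ai_confidence < CONFIDENCE_THRESHOLD:
        out.state = "ESCALATED"  # human review before proceeding
        out.reasons.append(f"confidence {ex.ai_confidence:.2f} below {CONFIDENCE_THRESHOLD}")
    return out
```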
We take security vulnerabilities seriously. If you discover a potential security issue, we ask that you report it to us privately before any public disclosure.
Email [email protected] with details of the issue.
We will confirm receipt within 24 hours for critical issues and within 5 business days for all others.
We will investigate, develop a fix, and keep you informed of progress.
We will work with you on appropriate public disclosure timing once the issue is resolved.
Every system component, user, app, and integration receives the minimum access needed to function. Permissions are explicit, not assumed.
Security controls are layered. No single layer is treated as sufficient. Failures in one layer are mitigated by others.
We do not rely on secrecy as a security mechanism. Our security posture is documented and available for review by customers.
Security is never complete. We regularly review, test, and improve our controls as threats and our platform evolve.
Our team is available for enterprise security reviews and compliance enquiries.