Security & Trust Center

Security by architecture, not by promise.

GraQle is built with security at the infrastructure level. Your code stays on your machine by default. Every reasoning decision is recorded in a SHA-256 hash-chained audit trail. Every design choice prioritizes your data sovereignty.

Patent Protected — EP26167849.4

Zero Telemetry

EU Infrastructure (eu-central-1)

Data Flow

How your data flows

Every component runs locally by default. Cloud features are opt-in only.

LOCAL MODE (default — zero cloud)

Your Code → graq scan → Local JSON Graph → graq reason → Your LLM (Ollama/API key)

No GraQle servers are involved. With Ollama, nothing leaves your machine; with a hosted provider, prompts go directly from your machine to that provider under your own API key.

CLOUD MODE (opt-in — eu-central-1 only)

Browser → TLS 1.3 → CloudFront (Frankfurt) → Amplify + Lambda → Bedrock (EU) → S3 + Cognito

All EU. AES-256 at rest. No model training on your data. No US transfer.

Six Security Pillars

Security by architecture, not by policy

Every layer is designed so sensitive data never has to leave your environment.

Local-First Architecture

Your knowledge graph is a JSON file on your machine. Code analysis happens locally — nothing is uploaded, stored, or proxied through our servers. No cloud account required.

Zero network calls during graph compilation

DRACE Governance Scoring

Every reasoning response is scored across 5 governance axes: Dependency, Reasoning, Auditability, Constraint adherence, and Explainability. Scores are auditable and reproducible.

5-axis governance on every query

Hash-Chained Audit Trails

Every reasoning decision produces a tamper-evident evidence chain. Each entry carries the SHA-256 hash of the previous entry, so any later edit to a record shows up when the chain is re-verified. Built for 7-year retention requirements.

Tamper-evident hash-chained evidence per session
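The hash-chain mechanism the pillar describes, as an added example (not GraQle's own audit-trail code): each record is hashed together with its predecessor's hash, and a verifier re-derives every link. The record fields ("seq", "decision", "drace", "prev", "hash"), the genesis value and the sample decisions are assumptions made for this example.

```python
from __future__ import annotations

import copy
import hashlib
import json

# Added example, not GraQle's own audit-trail code: a minimal SHA-256 hash chain
# in the style the page describes. Record fields and the genesis value are
# assumptions made for this example.
GENESIS = "0" * 64


def _digest(prev_hash: str, body: dict) -> str:
    """SHA-256 over the previous hash and the canonical JSON of the record body."""
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + canonical).encode("utf-8")).hexdigest()


def append(chain: list[dict], decision: str, drace: float) -> dict:
    """Append a decision record whose hash commits to every earlier record."""
    prev_hash = chain[-1]["hash"] if chain else GENESIS
    body = {"seq": len(chain), "decision": decision, "drace": drace, "prev": prev_hash}
    record = {**body, "hash": _digest(prev_hash, body)}
    chain.append(record)
    return record


def verify(chain: list[dict], expected_head: str | None = None) -> tuple[bool, int | None]:
    """Re-derive every hash; return (ok, index of the first bad record or None).

    expected_head is the last hash stored somewhere the log writer cannot edit
    (CI output, a ticket, a signed release note). Without such an anchor an
    attacker who can rewrite the file can also recompute every hash after the edit.
    """
    prev_hash = GENESIS
    for i, record in enumerate(chain):
        body = {k: v for k, v in record.items() if k != "hash"}
        if body.get("seq") != i or body.get("prev") != prev_hash:
            return False, i
        if _digest(prev_hash, body) != record.get("hash"):
            return False, i
        prev_hash = record["hash"]
    if expected_head is not None and prev_hash != expected_head:
        return False, len(chain) - 1 if chain else 0
    return True, None


def demo() -> dict:
    """Build a three-entry chain, then show which rewrites of history are caught."""
    chain: list[dict] = []
    for decision, score in [("allow merge", 0.91), ("block: secret found", 0.42), ("allow merge", 0.88)]:
        append(chain, decision, score)          # constructed sample decisions
    head = chain[-1]["hash"]
    ok_before, _ = verify(chain, head)

    tampered = copy.deepcopy(chain)
    tampered[1]["decision"] = "allow merge"     # rewrite an unfavourable verdict
    ok_after, first_bad = verify(tampered, head)

    rehashed = copy.deepcopy(tampered)          # attacker also fixes that record's hash
    body = {k: v for k, v in rehashed[1].items() if k != "hash"}
    rehashed[1]["hash"] = _digest(rehashed[0]["hash"], body)
    ok_rehashed, rehash_bad = verify(rehashed, head)   # caught: record 2's "prev" no longer matches

    rewritten = copy.deepcopy(tampered)         # attacker recomputes the whole tail
    prev = GENESIS
    for rec in rewritten:
        body = {k: v for k, v in rec.items() if k != "hash"}
        body["prev"] = prev
        rec.update(body, hash=_digest(prev, body))
        prev = rec["hash"]
    ok_full, _ = verify(rewritten)              # internally consistent, so it passes
    ok_anchor, _ = verify(rewritten, head)      # only the externally anchored head catches it

    return {"ok_before": ok_before, "ok_after": ok_after, "first_bad": first_bad,
            "ok_rehashed": ok_rehashed, "rehash_bad": rehash_bad,
            "ok_full": ok_full, "ok_anchor": ok_anchor}
```

The last two checks are the practitioner's caveat: a hash chain on its own is tamper-evident only against someone who cannot rewrite the whole file. Publish the session's head hash somewhere the pipeline cannot overwrite (the CI job log, a PR comment, a signed tag) and compare against it at audit time.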

CI/CD Quality Gate

graq_gate returns a binary pass/fail verdict for your CI pipeline. Upload its SARIF output to GitHub code scanning (the Security tab). Block merges when governance scores drop below your threshold.

Binary exit 0/1 with SARIF output
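What a gate has to emit for the Security tab to render it, as an added example (not the graq_gate implementation): a minimal SARIF 2.1.0 log with one rule per rule id, and the exit-code rule a CI runner acts on. The finding fields, rule ids, threshold, tool name and version are assumptions; the findings themselves are constructed.

```python
import json

# Added example, not GraQle's own graq_gate code: turn gate findings into a
# SARIF 2.1.0 log for GitHub code scanning and into a CI exit code. Finding
# fields, rule ids, threshold and tool name/version are assumptions.
SARIF_SCHEMA = "https://json.schemastore.org/sarif-2.1.0.json"

FINDINGS = [                                    # constructed sample findings
    {"rule_id": "GRAQ-SECRET-001", "rule_desc": "Hard-coded credential",
     "level": "error", "message": "AWS access key id in source",
     "file": "src/config.py", "line": 12},
    {"rule_id": "GRAQ-DRACE-002", "rule_desc": "Governance score below threshold",
     "level": "warning", "message": "DRACE 0.71 < 0.80 for module auth",
     "file": "src/auth.py", "line": 1},
]


def to_sarif(findings, tool_name="graq_gate", tool_version="0.0.0"):
    """Build a minimal but valid SARIF 2.1.0 log: one run, one rule per rule id."""
    rules, results = {}, []
    for f in findings:
        rules.setdefault(f["rule_id"], {
            "id": f["rule_id"],
            "shortDescription": {"text": f["rule_desc"]},
        })
        results.append({
            "ruleId": f["rule_id"],
            "level": f["level"],                # SARIF levels: none | note | warning | error
            "message": {"text": f["message"]},
            "locations": [{"physicalLocation": {
                "artifactLocation": {"uri": f["file"]},   # repo-relative path
                "region": {"startLine": f["line"]},
            }}],
        })
    return {
        "$schema": SARIF_SCHEMA,
        "version": "2.1.0",
        "runs": [{
            "tool": {"driver": {"name": tool_name, "version": tool_version,
                                "rules": list(rules.values())}},
            "results": results,
        }],
    }


def gate_exit_code(drace_score, secrets_found, threshold=0.80):
    """Binary verdict for CI: 0 = CLEAR, 1 = BLOCK (score below threshold or any secret)."""
    return 0 if drace_score >= threshold and secrets_found == 0 else 1


def write_sarif(findings, path="graq-gate.sarif"):
    """Write the log where an upload step can pick it up; returns the path."""
    with open(path, "w", encoding="utf-8") as fh:
        json.dump(to_sarif(findings), fh, indent=2)
    return path


if __name__ == "__main__":
    import sys
    write_sarif(FINDINGS)
    secrets = sum(1 for f in FINDINGS if f["rule_id"].startswith("GRAQ-SECRET"))
    sys.exit(gate_exit_code(0.71, secrets))
```

In a GitHub Actions workflow the file is handed to github/codeql-action/upload-sarif with sarif_file pointing at it. Run that upload step with if: always(), otherwise a gate that exits 1 (which is the whole point of blocking the merge) also stops the findings from reaching the Security tab.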

Secrets & IP Detection

201-pattern scanner detects API keys, tokens, private keys, credentials, and patent-adjacent logic before they reach your repository. Runs pre-commit and in CI.

201 curated detection patterns
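The shape of a pattern scanner like the one described, as an added example (not GraQle's 201-pattern scanner): a handful of illustrative patterns, a Shannon-entropy filter so that placeholders such as a row of x's do not block every commit, and redaction so the match is never echoed into CI logs. The patterns, the threshold and the sample lines are constructed for this example; the AWS key id is AWS's documented example value, not a live key.

```python
import math
import re

# Added example, not GraQle's 201-pattern scanner: four illustrative patterns plus
# an entropy filter. Patterns, threshold and sample lines are constructed here.
PATTERNS = {
    "aws-access-key-id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private-key-block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "github-token": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    # A long opaque value assigned to a secret-looking name; group 1 is the value.
    "generic-secret": re.compile(
        r"(?i)\b(?:api[_-]?key|secret|token|password)\b\s*[:=]\s*['\"]?([A-Za-z0-9/+_\-]{16,})"),
}
ENTROPY_BITS_PER_CHAR = 3.5   # assumed cut-off: below this a candidate is treated as a placeholder


def shannon_entropy(value: str) -> float:
    """Bits per character: 0.0 for 'xxxxxxxx', roughly 4 or more for random tokens."""
    if not value:
        return 0.0
    n = len(value)
    counts = {c: value.count(c) for c in set(value)}
    return -sum(k / n * math.log2(k / n) for k in counts.values())


def redact(value: str) -> str:
    """Keep a 4-character prefix for triage; never print the rest."""
    return value[:4] + "..." + "*" * (len(value) - 4)


def scan_lines(lines):
    """Return (line_no, rule, redacted_match) for every hit in the given lines."""
    findings = []
    for no, line in enumerate(lines, start=1):
        for rule, pattern in PATTERNS.items():
            m = pattern.search(line)
            if not m:
                continue
            value = m.group(1) if m.groups() else m.group(0)
            if rule == "generic-secret" and shannon_entropy(value) < ENTROPY_BITS_PER_CHAR:
                continue                     # low-entropy placeholder, not a credential
            findings.append((no, rule, redact(value)))
    return findings


def precommit_exit_code(lines) -> int:
    """1 blocks the commit when anything is found; 0 lets it through."""
    return 1 if scan_lines(lines) else 0


SAMPLE = [                                       # constructed diff lines
    'aws_access_key_id = AKIAIOSFODNN7EXAMPLE',   # AWS documentation example id: flagged
    '-----BEGIN RSA PRIVATE KEY-----',            # PEM header: flagged
    'password = "xxxxxxxxxxxxxxxxxxxx"',           # placeholder: regex hits, entropy filter drops it
    'token = os.environ["API_TOKEN"]',            # read from the environment: not a finding
    'secret = "fedcba9876543210fedcba98"',        # opaque value: flagged
]

if __name__ == "__main__":
    for no, rule, shown in scan_lines(SAMPLE):
        print(f"line {no}: {rule}: {shown}")
    raise SystemExit(precommit_exit_code(SAMPLE))
```

The entropy cut-off is the knob that trades false positives for misses: a hex or base64 token of 20+ characters lands well above 3.5 bits per character, while "changeme"-style placeholders land well below it. A scanner that lacks such a filter trains developers to add skip markers, which is worse than a few extra reviews.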

Your Keys, Your Backends

Connect any of 14 LLM providers using your own API keys. Run Ollama for 100% air-gapped operation. We never see, store, or proxy your API keys.

14 backends including fully offline Ollama

Real-World Evidence

Security in practice, not just in theory

Security Audit

5 Hidden Security Holes in One Review

A one-line fix triggered a full security review. GraQle found 3 BLOCKERs (open redirect, XSS, silent auth bypass) and 2 MAJORs that had been shipping to production.

“We asked GraQle to review one line. It found five security holes.”

9 agents · 96% confidence · $0.50

Prediction

Predicted Auth Lockout Before It Happened

After a deny-by-default middleware change, graq_predict identified an OAuth callback loop that would have locked out 100% of SSO users. 3 prediction nodes written to KG as permanent warning.

“GraQle predicted a failure mode we would have discovered during our first enterprise onboarding.”

93% confidence · 5 causal edges · $0.01

Compliance

Security Headers Were Already Written

6 security headers existed but an early-return guard bypassed them for static assets. What looked like a week-long implementation was a one-line fix. GraQle found the existing code.

“The most expensive bug is the one hiding behind code that already exists.”

94% confidence · 5 nodes · 1-line fix

graq_workflow — full governance pipeline

Real output: graq_workflow orchestrating governance gate, file read, and exact variable discovery — all in one governed pipeline.
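The two middleware failure modes in the case studies above (a deny-by-default guard that also bounces the OAuth callback, and a static-asset early return that skips the security header block), as an added example that is neither GraQle's output nor the reviewed applications' code. Each buggy form sits beside a fixed one; the header set doubles as an illustration of the strict CSP the infrastructure section mentions. Paths, header values and the request/response model are assumptions.

```python
from __future__ import annotations

from dataclasses import dataclass, field

# Added example, not GraQle's output and not the reviewed applications' code.
# Paths, header values and the request/response model are assumptions.
SECURITY_HEADERS = {
    "Content-Security-Policy": "default-src 'self'; object-src 'none'; base-uri 'self'; frame-ancestors 'none'",
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "DENY",
    "Referrer-Policy": "no-referrer",
    "Permissions-Policy": "camera=(), microphone=(), geolocation=()",
}
PUBLIC_PATHS = {"/login", "/oauth/callback", "/healthz"}   # reachable without a session


@dataclass
class Request:
    path: str
    authenticated: bool = False


@dataclass
class Response:
    status: int
    body: str = ""
    headers: dict = field(default_factory=dict)


def app(req: Request) -> Response:
    return Response(200, f"handled {req.path}")


def headers_buggy(next_handler):
    """The compliance case study: the static branch returns before the header block runs."""
    def handler(req):
        if req.path.startswith("/static/"):
            return Response(200, "asset bytes")          # early return: no CSP, no HSTS
        resp = next_handler(req)
        resp.headers.update(SECURITY_HEADERS)
        return resp
    return handler


def headers_fixed(next_handler):
    """Build the response first, then stamp the headers on every path, static or not."""
    def handler(req):
        resp = Response(200, "asset bytes") if req.path.startswith("/static/") else next_handler(req)
        resp.headers.update(SECURITY_HEADERS)
        return resp
    return handler


def deny_by_default_buggy(next_handler):
    """The prediction case study: every anonymous request bounces to /login, callback included."""
    def handler(req):
        if not req.authenticated:
            return Response(302, headers={"Location": "/login"})
        return next_handler(req)
    return handler


def deny_by_default_fixed(next_handler):
    """Still deny by default, with an explicit allowlist for the login flow itself."""
    def handler(req):
        if req.authenticated or req.path in PUBLIC_PATHS:
            return next_handler(req)
        return Response(302, headers={"Location": "/login"})
    return handler


def sso_callback_reachable(auth_mw) -> bool:
    """Simulate the IdP redirecting a not-yet-authenticated browser to the callback."""
    resp = auth_mw(app)(Request("/oauth/callback"))
    return resp.status == 200           # a 302 back to /login is the lockout loop


def static_has_csp(header_mw) -> bool:
    resp = header_mw(app)(Request("/static/app.css"))
    return "Content-Security-Policy" in resp.headers


def protected_page_redirects(auth_mw) -> bool:
    """The fix must not weaken the default: anonymous /admin still bounces."""
    return auth_mw(app)(Request("/admin")).status == 302
```

Both bugs share a shape: the guard is correct for the common case and wrong for one path that the common case never exercises. A test that hits /static/ and /oauth/callback through the full middleware stack is the cheapest way to keep either from shipping again.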

Infrastructure

Infrastructure stack

Built on AWS. Local-first by default. Cloud features locked to eu-central-1 (Frankfurt).

Compute

AWS Lambda

Serverless API — auto-scaling, no persistent state

AWS Amplify

Frontend hosting with CI/CD — eu-central-1

AI / Reasoning

AWS Bedrock

Claude Opus 4.6 — EU-only inference profiles

14 LLM Backends

Anthropic, OpenAI, Ollama, Gemini, Groq, DeepSeek + 8 more

Storage

Local JSON Graph

Default — zero cloud, zero infrastructure

Neo4j (opt-in)

Self-hosted graph database for team shared state

S3 (opt-in)

Cloud sync for multi-device — AES-256 encrypted

Identity

AWS Cognito

MFA, JWT validation, token rotation — eu-central-1

IAM Policies

Least-privilege access — no admin keys in runtime

Network

CloudFront CDN

TLS 1.3, HSTS preload, global edge distribution

Route 53

DNS management, DNSSEC-ready

CSP Headers

Strict Content-Security-Policy on all routes

Payments

Stripe

PCI DSS Level 1 — no card data touches our servers

Compliance

Compliance & regulatory alignment

GraQle's governance scoring and audit trails are designed for regulated environments.

SOC 2 Type II

Aligned

DRACE audit trails map directly to SOC 2 control objectives. Evidence chains exportable.

ISO 27001

Aligned

Hash-chained evidence and governance scoring supply the audit evidence that information security reviews ask for.

GDPR

Compliant

Local mode collects no personal data: no telemetry, no tracking, nothing to delete. Opt-in cloud accounts are managed by Cognito in eu-central-1.

EU AI Act

Ready

DRACE governance scoring and audit trails align with the EU AI Act's requirements on risk management (Article 9), record-keeping (Article 12), transparency (Article 13) and human oversight (Article 14).

Operations

Operational security

Encryption

AES-256 at rest for all cloud storage, with AWS KMS managed keys. TLS 1.3 in transit. HSTS preload on all endpoints. The local JSON graph lives on your own disk, under whatever disk encryption you apply there.

Zero Telemetry

No analytics. No usage tracking. No fingerprinting. stdio-only transport for local operation. Cloud features are opt-in only.

No Persistent State

Lambda functions are stateless and no session data is stored server-side. JWTs are validated on every request and token rotation is enforced.

Incident Response

Automated alerting on anomalous access patterns. CloudWatch monitoring on all Lambda functions. Runbook-driven response process.

FAQ

Security FAQ

Responsible Disclosure

We welcome responsible security research. If you discover a vulnerability, report it to security@graqle.com.

Acknowledgment within 24 hours · First update within 72 hours

Need more detail?

Install GraQle, run the quality gate, and get governed AI analysis in under 60 seconds. Or reach out for enterprise security documentation.

terminal

$ pip install graqle && graq scan repo .

$ graq gate --ci

→ GATE: CLEAR (DRACE 0.87) | 0 secrets | audit trail written