Trust & Reliability

We don't just claim reliability — we prove it daily with automated audits and publicly visible results.

Live Stability Metrics

Stability percentage from the last 10 daily audits. The threshold line marks our 95% minimum — anything below triggers an immediate alert.

No audit history available yet. Data will appear after the first daily benchmark run.

The Shadow Auditor

Every day at 06:00 UTC, an independent automated system fires 5,000 synthetic requests at the live production API — the same endpoints your application calls. No staging servers. No shortcuts. Real infrastructure, real results.

After the requests complete, a second process compares 1,000 golden records against historical baselines. If any response drifts from the expected behavior — a different verdict, a shifted confidence score, an unexpected edge-case result — our team is alerted immediately.

The results you see on this page come directly from that pipeline. Nothing is curated. Nothing is cherry-picked. This is raw production telemetry, updated every 24 hours.

The 3-Layer Defense

Each daily audit covers three categories of test data, totaling 5,000 requests.

Valid Signals

3,500 tests

Full-fidelity requests with complete, realistic signal data. These test the happy path — verifying that A3 returns correct age assessments for well-formed inputs across all supported demographics.

Invalid Signals

750 tests

Deliberately malformed, incomplete, or out-of-range inputs. These test defensive behavior — verifying that A3 rejects bad data gracefully and never returns a false-positive age assessment.

Edge Cases

750 tests

Boundary conditions, unusual signal combinations, and adversarial patterns. These test resilience — verifying consistent behavior in the gray areas where most systems break down.

Security Architecture

A detailed overview of how A3 protects your data at every layer — from request to response.

Zero-Retention Architecture

A3 is built on a stateless, zero-retention model. Every API request follows the same lifecycle:

Receive — the request arrives at the Lambda Function URL via the Zuplo API gateway.
Authenticate — the API key is validated using timing-safe constant-time comparison.
Score — the two-phase signal fusion engine computes the age assessment entirely in-memory.
Sign — the verdict is signed into an HMAC-SHA256 verification token and returned to the customer.
Purge — the request payload is discarded from memory. Nothing is written to disk, database, or persistent storage.

There is no database. No cache. No queue. No S3 bucket for request data. The Lambda execution environment is ephemeral — each cold start begins with a clean state. Even during a hypothetical breach, an attacker would find no stored request data to exfiltrate.

Encryption

In Transit

All traffic is encrypted via TLS 1.3. The API enforces HTTPS-only connections. Older TLS versions (1.0, 1.1) are rejected at the gateway level.

At Rest

Operational secrets (signing keys, API keys) are encrypted using AES-256 via AWS KMS. Billing ledger logs in CloudWatch are encrypted with AWS-managed keys. There is no request data at rest to encrypt.

Cryptographic Receipts

Every age assessment returns an HMAC-SHA256 signed verification token. The token format is base64url(payload).base64url(signature). The payload contains only the verdict, bracket, confidence, and timestamp — no PII. Customers store the token in their own logs for audit trails and dispute resolution. Token verification is a free, read-only API call.

Authentication & Access Controls

API Key Validation: All requests are authenticated via cryptographic API keys validated with timing-safe constant-time comparison (Node.js crypto.timingSafeEqual), preventing timing-based credential attacks.
Fail-Closed Design: If the API key environment variable is not configured, the service refuses to start in production and staging environments. The API is never accidentally unauthenticated.
Gateway Rate Limiting: The Zuplo API gateway enforces per-key rate limits before requests reach the Lambda function. Abuse triggers automatic throttling.
Zero Long-Lived Credentials: CI/CD pipelines authenticate to AWS via GitHub OIDC federation — no static AWS access keys are stored in CI. Local development uses 1Password secret references.
Billing Ledger Isolation: The billing log stores only a one-way SHA-256 hash of the API key. Raw keys cannot be recovered from the ledger. The billing stream is physically isolated from the scoring engine.

Infrastructure Isolation

Serverless Compute: A3 runs on AWS Lambda with Function URLs. There are no EC2 instances, containers, or persistent servers to patch, harden, or monitor. The attack surface is minimal.
No Database: The service is entirely stateless. There is no RDS, DynamoDB, Redis, or any other data store. This eliminates entire categories of attacks: SQL injection, NoSQL injection, cache poisoning, and unauthorized data access.
Multi-Account Architecture: Production compute, benchmark infrastructure, and audit pipelines run in separate AWS accounts with dedicated IAM boundaries. A compromise in one account does not grant access to another.
Region Pinning: All infrastructure is deployed exclusively in us-west-2. Data never leaves US soil.
Input Validation: All API inputs are validated via strict DTO schemas with whitelist-mode enforcement. Unknown fields are rejected, not silently ignored. Enum values, numeric ranges, and string patterns are all enforced at the framework level before reaching business logic.

Data Classification

A3 operates three physically isolated log streams with strict data classification boundaries:

Stream	Contains	Excludes	Retention
Analytics	Event type, verdict, signal count, region (hourly granularity)	Session IDs, user identifiers, behavioral values, evidence tags	90 days
Billing	Timestamp, API key hash (SHA-256), request status, region	All assessment data, behavioral metrics, verdicts, raw API keys	7 years
Errors	HTTP method, path, status code, stack trace (5xx only)	Request bodies, user data, API keys	90 days

The analytics stream uses k-anonymity principles: timestamps are truncated to the hour, and no combination of logged fields can identify an individual user or session.

Incident Response

We maintain a formal incident response plan with four severity tiers, defined response times, and communication procedures:

SEV-1 Critical

Confirmed unauthorized access, key compromise, or data breach. Response within 1 hour. Customer notification within 72 hours.

SEV-2 High

Suspected attack attempts, critical dependency vulnerabilities, or partial outages. Response within 4 hours.

SEV-3 Medium

Blocked attacks, non-critical vulnerabilities, single-customer issues. Response within 24 hours.

SEV-4 Low

Informational alerts and advisory updates. Response within 7 days.

Our zero-retention architecture is our strongest incident mitigation: even in a worst-case breach, there is no stored request data to exfiltrate. The most sensitive asset is the HMAC signing key, which can be rotated immediately. Previously signed tokens contain no PII and cannot be used to reconstruct user identities.

Compliance Alignment

California AB 1043: A3's two-phase signal fusion engine implements the statutory framework at §1798.501(b)(3) — OS signal as primary, override only at the “clear and convincing” standard. Cryptographic receipts enable “good faith reliance” audit trails.
CCPA: Zero data retention naturally satisfies Data Minimization and Storage Limitation mandates. We do not sell or share personal information. CCPA rights (Know, Delete, Correct, Non-Discrimination) are supported.
COPPA: A3 is a B2B tool that does not directly interact with children. Our zero-retention model aligns with COPPA's data minimization principles.
Geographic Scope: The A3 API is available exclusively within the United States. EU/EEA/UK country codes are automatically rejected at the API level.

Responsible Disclosure

If you discover a security vulnerability in A3, please report it responsibly to [email protected]. We commit to:

Acknowledging your report within 48 hours
Providing an initial assessment within 5 business days
Keeping you informed of remediation progress
Crediting researchers who report valid vulnerabilities (with consent)

Our security contact information is also published at /.well-known/security.txt per RFC 9116.

Loading…

Stream

Contains

Excludes

Retention

Analytics

Event type, verdict, signal count, region (hourly granularity)

Session IDs, user identifiers, behavioral values, evidence tags

90 days

Billing

Timestamp, API key hash (SHA-256), request status, region

All assessment data, behavioral metrics, verdicts, raw API keys

7 years

Errors

HTTP method, path, status code, stack trace (5xx only)

Request bodies, user data, API keys

90 days