Security

Public keys are used for verification. Signing keys are managed server-side with rotation support.

Provenance events are append-only and support technical audit trails for customer review.

We store hashes and signed metadata only, never raw content.

Webhook deliveries are signed with HMAC for verification.