Security · Privacy · Trust

Security whitepaper

Architecture-level security and privacy controls for enterprise review. Extends the Trust Center with threat model, cryptography, access control, and known limitations. Pilot-ready — not Enterprise GA.

Security principles

Local-first processing

Scan, policy evaluation, and evidence storage default to the macOS endpoint.

Metadata-only credentials

Provider, storage type, and fingerprint — never raw API keys or tokens.

Evidence separation

localRawEvidence never uploads; sharedOrgEvidence is signed and allowlisted.

CoverageGap-first

Missing data is explicit — no silent pass or implicit fallback.

Cryptographic integrity

Hash-chain journal with encrypted journal payloads; Ed25519 signed exports. Journal payloads are encrypted; inventory tables are metadata-only but not encrypted in the current release.

Explicit consent

Keychain and sensitive sources require machine-verifiable approval.

Trust boundaries

Two-tier model: macOS endpoint (Tier 1) and org governance plane (Tier 2). Policy evaluation stays on the endpoint. Automated upload path carries sharedOrgEvidence only — signed, allowlisted, tenant-scoped. localRawEvidence (SQLite, full reports, journal bodies) never transits the upload API.

MDM delivers install and org-policy overlay in parallel — BeProof does not replace MDM, EDR, or SIEM.

Threat mitigations

ThreatPrimary mitigation
Secret exfiltration via cloudMetadata-only upstream; ingestion denylist rejects raw secrets and DB paths
Forged fleet summaryEd25519 signature verified against enrolled device key registry
Tampered local evidenceAppend-only hash chain — verify-journal detects seq and hash breaks
Cross-tenant admin accesstenantId scope + RBAC on API and UI; integration tests deny cross-tenant reads
Tampered release artifactSigned, notarized DMG + verify-install + published SBOM/provenance
Keychain scan without approvalConsent ledger (POL-G02) in addition to TCC/PPPC where applicable

Cryptography

DomainAlgorithmScopeKey material
Journal at restAES-256-GCM (aes-256-gcm-v1)evidence_journal.payload_jsonKeychain per database path
Export / fleet signingEd25519 (ed25519-v1)Export manifests and FleetSummaryPayloadKeychain export-signing
TransportTLS 1.2+Endpoint API, admin UI, cloud connectorsPlatform / HTTPS
Cloud SQLGCP platform encryptionTenant governance metadataGoogle-managed (pilot)

Journal payloads are encrypted; inventory tables are metadata-only but not encrypted in the current release.

Verify CLI

Four non-interchangeable commands. GRC recipients without the Mac use verify-export-manifest. Auditors on the scanning endpoint add verify-journal.

CommandProvesLocal DB
beproof verify-journalHash chain, seq continuity, journal encryption statusYes
beproof verify-exportSignature + manifest + journal linkageYes (linkage)
beproof verify-export-manifestArtifact SHA256, manifest hash, Ed25519 signatureNo
beproof verify-installApp signature, notarization, provenance/SBOMNo

Access control (pilot)

Admin console

Firebase email/password (pilot). Roles: org_admin, security_analyst, fleet_admin, auditor_readonly. SAML/OIDC enterprise IdP — post-GA.

Fleet enrollment

One-time admin-issued tokens. Device JWT at enroll, bound to tenant. Personal mode cannot fleet-enroll.

Release trust (POL-X13)

Overall control status: Partial — public pipeline is shipped; enterprise release controls remain on the Enterprise GA roadmap.

Public release pipeline (shipped)

  • Signed and notarized macOS DMG from public GitHub releases
  • SBOM and provenance published alongside each release
  • CI gate: beproof verify-install on release artifacts
  • Managed endpoints: Sparkle disabled when org overlay present — MDM PKG authority

Enterprise release controls (partial)

Fleet-wide verify-install attestation in control plane, tenant-private or air-gapped artifact mirror, org-enforced minimum release version policy, and automated MDM promotion workflow — manual MDM runbooks today.

Known limitations

Security review should explicitly accept these residual risks:

  • Partial cloud visibility without configured provider admin APIs
  • Journal payloads are encrypted; inventory tables are metadata-only but not encrypted in the current release.
  • Root on an unlocked Mac defeats Keychain-bound keys
  • Detection and reporting only — no runtime blocking of AI agents
  • Pilot cloud: shared tier, no CMEK, best-effort uptime
  • Apple Silicon (arm64) only — Intel not supported

Security review checklist

  • Accept metadata-only upstream model (sharedOrgEvidence allowlist)
  • Confirm MDM overlay and PPPC for pilot ring
  • Validate consent model for keychain-inclusive scans
  • Confirm verify CLI workflow for GRC handoff
  • Review tenant isolation and admin auth model
  • Review retention and subprocessors in Procurement FAQ
  • Document accepted residual risks above

Related documentation