Security & Compliance

Zero-LLM governance, latency SLOs, regulatory readiness

Security & Compliance

Nexus is built for teams that cannot afford silent agent failures or unauditable tool execution.

Platform guarantees

Zero-LLM token governance

Unlike prompt-based guardrails that route safety checks through a secondary LLM (adding seconds of latency and token cost), Nexus evaluates execution payloads against compiled NPL rules entirely in-memory.

MetricValue
p50 latency (policy path)~160 ms
p99 latency (policy path)< 201 ms
Token cost on gate0

Fail-closed enforcement

Production tenants default to fail-closed behavior:

  • Policy evaluation errors return 503 with stable error codes, not silent allow
  • Missing AgentIAM credentials block tool execution
  • Malformed MCP JSON-RPC is rejected before backend contact

Native regulatory readiness

Nexus maps to institutional control frameworks out of the box:

FrameworkNexus surface
EU AI ActConformity bundles, Annex IV exports, FRIA workflows
DORAICT incident classification, operational resilience dashboards
MiFID II / EMIR / SFDRCompliance API endpoints and pre-trade checks

See EU AI Act, DORA readiness, and Compliance exports.

Security baseline

ControlImplementation
TransportTLS 1.2+, HSTS preload
API keysHashed at rest, constant-time verify, scoped permissions
Tenant isolationRow-level security on all tenant data
Audit logAppend-only, hash-chained, 7-year retention default
Kill switchGlobal and per-agent credential revoke with in-flight abort
MFAWebAuthn passkeys, device trust, behavioral attestation

Authentication surfaces

ActorMechanism
Console usersPasskeys + MFA (see Authentication)
IntegrationsAPI keys (hdl_ platform, hnx_ tenant)
AgentsAgentIAM Ed25519 credentials

Transparency

Every policy reference in Nexus can pin an open, versioned URI from hardalion/npl-spec. Auditors can independently verify policy semantics without trusting black-box prompts.

Incident response

Operators can trigger emergency stop via Kill Switch v2:

curl -X POST "https://api.hardalion.com/api/v2/infrastructure/kill-switch/global" \
  -H "Authorization: Bearer $API_KEY" \
  -H "Content-Type: application/json" \
  -d '{"reason":"security_incident","scope":"tenant"}'

Requires elevated scope. All kill-switch activations append to the audit log with correlation IDs.

Procurement artifacts

Enterprise pilots receive SOC 2 control mappings, penetration test summaries, and data processing agreement templates on request. Contact hardalion.com.