Security, compliance, immutable refusals.
Everything is public.
No hidden argument, no closed brochure. Anything that can be reviewed is reviewable. Anything that can be proven is GPG-signed. The four refusals are encoded in the source.
Regulatory frameworks covered
| Framework | Pilot | Boot | Operate | Augment | Sovereign |
|---|---|---|---|---|---|
| GDPR | ✓ | ✓ | ✓ | ✓ | ✓ |
| DPA art. 28 | ✓ | ✓ | ✓ | ✓ | ✓ |
| ISO 27001 readiness | — | — | ✓ | ✓ | ✓ |
| ISO 27001 certified | — | — | — | ✓ | ✓ |
| NIS2 | — | — | — | ✓ | ✓ |
| DORA | — | — | — | module | ✓ |
| CSRD reporting | — | — | ✓ | ✓ | ✓ |
| SecNumCloud | — | — | — | — | ✓ |
| HDS | — | — | — | module | ✓ |
| ITAR / dual-use | — | — | — | — | ✓ |
| GPG-signed reasoning trail | — | — | ✓ | ✓ | ✓ |
| Air-gap | — | — | — | — | ✓ |
| Codebase reviewed by external party | — | — | — | — | ✓ |
What the exocortex will always refuse
- KYC
  No action under the client's identity. KYC remains the personal commitment of the executive.
  exior/governance/redlines.py:KYC
- Payment action
  No payment, transfer or direct debit initiated without a validated human signature.
  exior/governance/redlines.py:PAYMENT_ACTION
- First-touch editorial
  No outbound communication on behalf of the client without explicit prior validation.
  exior/governance/redlines.py:FIRST_TOUCH_EDITORIAL
- Irreversible external destruction
  No deletion, overwrite or unpublishing of an external asset that cannot be recovered.
  exior/governance/redlines.py:IRREVERSIBLE_EXTERNAL_DESTRUCTION
Public technical security
- /legal/threat-model
- Encryption policy: /legal/encryption-policy
- Incident response plan: /legal/incident-response
- Retention policy: /legal/data-retention
- Pen-test policy: /legal/pentests
- Access control policy: /legal/access-control
- Business continuity plan: /legal/business-continuity
- GDPR DPA: /legal/dpa-rgpd
- Legal notices: /legal/mentions-legales
Responsible disclosure
Found a vulnerability? Report via security@exior.co. Private bug-bounty programme for verified researchers. Initial response within 48 hours. Critical patch within 7 days. Public disclosure coordinated after remediation.