What keeps the ledger honest

We hold keys, PII, and real money.
So we built like it.

Orgs handles Social Security Numbers during EIN application, Ed25519 signing keys for your governance, and bank-account credentials for your treasury. Here is what we do about each.

§ I

Cryptographic identity

Every member, agent, and entity has a W3C-compatible DID in the did:oas namespace. Identity is Ed25519-anchored. Signatures can be verified offline by anyone with the public key. We never issue a DID without a proof of lineage back to a human root — a rule baked into the protocol, not just our policy.

Technical
DID format: did:oas:wy:llc:0001423
Ed25519: 64-byte signatures
Lineage: HKDF-SHA256 derivation

§ II

Key management

Private keys exist in plaintext only during signing operations, in RAM, with zeroize-on-drop guarantees enforced in Rust. Keys at rest are encrypted with a user-owned passphrase via Arsenal vault, our credential broker. We never have plaintext access. Hardware keys (YubiKey, Ledger) are supported for founder operations.

Technical
At rest: AES-256-GCM
In memory: zeroize(1)
Hardware: FIDO2 · PGP slots · Ledger

§ III

PII handling (SSN/ITIN)

During EIN application, we process an SSN or ITIN. It flows through the system once: SensitiveData<String> → Computer Use agent (structured tool input, not in the system prompt) → IRS form → zeroized. We never log PII at any level. Screenshots from EIN filings are passed through a PII redactor before storage: SSN/ITIN regions are blacked out with pixel accuracy, or the screenshot is discarded.

Technical
Wrapper: SensitiveData (no Debug/Clone)
In transit: TLS 1.3 · no local log
Screenshots: redact-before-store

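An added example, not code from Orgs, of the wrapper pattern described in § II and § III: a std-only Rust SensitiveData type that zeroizes its buffer on drop with volatile writes, derives neither Clone nor Debug, and lends the plaintext only inside a closure so a borrow cannot outlive the signing or filing step. The redacting manual Debug impl, the masked() helper and the sample SSN value are assumptions of this example.

```rust
use std::fmt;
use std::ptr;
use std::sync::atomic::{compiler_fence, Ordering};

/// Overwrite a buffer with zeros using volatile writes, so the optimizer
/// cannot drop the stores as dead just because the buffer is about to be freed.
pub fn zeroize_bytes(buf: &mut [u8]) {
    for b in buf.iter_mut() {
        // SAFETY: `b` is a valid, aligned, exclusively borrowed byte.
        unsafe { ptr::write_volatile(b, 0) };
    }
    compiler_fence(Ordering::SeqCst);
}

/// Holder for secret material (an SSN/ITIN, a passphrase, a signing seed).
/// It derives neither Clone nor Debug: a copy would escape the zeroize-on-drop
/// guarantee, and a derived Debug would print the secret. The manual Debug
/// below prints a placeholder instead (an assumption of this example).
pub struct SensitiveData {
    bytes: Vec<u8>,
}

impl SensitiveData {
    /// Take ownership of the secret. The buffer is never grown afterwards,
    /// so no stale plaintext copy is left behind by a reallocation.
    pub fn new(secret: impl Into<Vec<u8>>) -> Self {
        SensitiveData { bytes: secret.into() }
    }

    /// Lend the plaintext to exactly one closure (a signing or form-filling
    /// step). The borrow cannot outlive the call, which keeps exposure scoped.
    pub fn with_exposed<R>(&self, f: impl FnOnce(&[u8]) -> R) -> R {
        f(&self.bytes)
    }

    /// Display form that is safe for logs and UI: only the last four characters.
    pub fn masked(&self) -> String {
        let n = self.bytes.len();
        let tail: String = self.bytes[n.saturating_sub(4)..]
            .iter()
            .map(|&b| b as char)
            .collect();
        format!("{}{}", "*".repeat(n.saturating_sub(4)), tail)
    }
}

/// Manual Debug impl that never prints the contents.
impl fmt::Debug for SensitiveData {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        f.write_str("SensitiveData([REDACTED])")
    }
}

impl Drop for SensitiveData {
    fn drop(&mut self) {
        // The Vec is freed right after this, but its heap bytes are already zero.
        zeroize_bytes(&mut self.bytes);
    }
}
```

The caller still owns whatever buffer the secret came from (a form field, an HTTP body); that copy has to be wrapped or wiped at the same boundary, or the guarantee only covers half the lifetime.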
§ IV

Audit chain

Every state change is written to an append-only ledger with BLAKE3 hash chaining. Each entry includes: timestamp, actor DID, action, targets, policy invoked, previous hash, new hash, and an Ed25519 signature. Chains are discoverable as business records under FRE 803(6). Retention defaults to 7 years and is extendable to match FINRA 17a-4 if your entity requires it.

Technical
Hash: BLAKE3
Retention: 7yr default · 99yr max
Format: JSONL · CSV · Parquet export

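The hash chaining described above, as an added example rather than the project's own ledger code: each entry commits to its predecessor's hash and to a length-prefixed canonical encoding of its own fields, and verification walks the chain from a genesis value and reports the first entry that fails. FNV-1a stands in for BLAKE3 purely so the example compiles with the Rust standard library; it is not collision-resistant and would be swapped for a real digest. The Ed25519 signature is omitted for the same reason; the field names, the constructed DID actions and policy names, and GENESIS_HASH are assumptions.

```rust
/// FNV-1a 64-bit. A STAND-IN for BLAKE3 so this compiles with std only;
/// it demonstrates chain linkage, not a collision-resistant digest.
pub fn stand_in_hash(data: &[u8]) -> String {
    let mut h: u64 = 0xcbf2_9ce4_8422_2325;
    for &b in data {
        h ^= b as u64;
        h = h.wrapping_mul(0x0000_0100_0000_01b3);
    }
    format!("{:016x}", h)
}

/// Previous-hash value of the very first entry (assumed convention).
pub const GENESIS_HASH: &str = "0000000000000000";

/// One append-only ledger record. The Ed25519 signature over `hash` is left
/// out because it needs a crate; the other fields follow the list in § IV.
#[derive(Clone, Debug, PartialEq, Eq)]
pub struct LedgerEntry {
    pub timestamp: u64,
    pub actor_did: String,
    pub action: String,
    pub targets: Vec<String>,
    pub policy: String,
    pub prev_hash: String,
    pub hash: String,
}

/// Length-prefixed canonical encoding: no delimiter ambiguity, so two
/// different records can never encode to the same bytes.
fn canonical_bytes(e: &LedgerEntry) -> Vec<u8> {
    let mut out = Vec::new();
    let mut push = |field: &[u8]| {
        out.extend_from_slice(&(field.len() as u64).to_be_bytes());
        out.extend_from_slice(field);
    };
    push(&e.timestamp.to_be_bytes());
    push(e.actor_did.as_bytes());
    push(e.action.as_bytes());
    push(&(e.targets.len() as u64).to_be_bytes());
    for t in &e.targets {
        push(t.as_bytes());
    }
    push(e.policy.as_bytes());
    push(e.prev_hash.as_bytes());
    out
}

#[derive(Default)]
pub struct Ledger {
    pub entries: Vec<LedgerEntry>,
}

impl Ledger {
    pub fn new() -> Self {
        Ledger { entries: Vec::new() }
    }

    /// Append a state change, linking it to the current chain head.
    /// Returns the new head hash.
    pub fn append(
        &mut self,
        timestamp: u64,
        actor_did: &str,
        action: &str,
        targets: &[&str],
        policy: &str,
    ) -> String {
        let prev_hash = self
            .entries
            .last()
            .map(|e| e.hash.clone())
            .unwrap_or_else(|| GENESIS_HASH.to_string());
        let mut entry = LedgerEntry {
            timestamp,
            actor_did: actor_did.to_string(),
            action: action.to_string(),
            targets: targets.iter().map(|t| t.to_string()).collect(),
            policy: policy.to_string(),
            prev_hash,
            hash: String::new(),
        };
        entry.hash = stand_in_hash(&canonical_bytes(&entry));
        let head = entry.hash.clone();
        self.entries.push(entry);
        head
    }

    /// Walk the chain: each entry must link to its predecessor and its stored
    /// hash must equal the hash recomputed from its contents. Returns the index
    /// of the first bad entry, which tells an auditor where history diverged.
    pub fn verify(&self) -> Result<(), usize> {
        let mut expected_prev = GENESIS_HASH.to_string();
        for (i, e) in self.entries.iter().enumerate() {
            if e.prev_hash != expected_prev || e.hash != stand_in_hash(&canonical_bytes(e)) {
                return Err(i);
            }
            expected_prev = e.hash.clone();
        }
        Ok(())
    }
}
```

The property worth checking is that rewriting an old entry and recomputing its hash is not enough: the next entry's prev_hash no longer matches, so the break simply moves one entry forward. Export formats (JSONL, CSV, Parquet) change nothing here as long as the canonical encoding used for hashing is fixed independently of the export.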
§ V

Chain adapter verification

Governance actions that require chain execution (votes, spends) never update local state optimistically. We submit the transaction, wait for confirmation, verify the receipt matches intent, and only then update local state. If a chain adapter returns a mismatch, the action is flagged for human review. No silent state corruption.

Technical
Confirmation: finalized state
Mismatch: freeze + escalate
Adapters: Solana · Sigil · Ethereum · mock

§ VI

Computer Use agent boundaries

The filing agent (Anthropic Computer Use) runs in a browser sandbox with no filesystem, database, or platform-state access. It receives structured tool inputs (not free-text prompts containing PII), performs the form interaction, screenshots every step (pre-redaction), and returns structured results. Transcripts are stored with PII fields replaced by [REDACTED].

Technical
Sandbox: browser-only
Input format: structured tool input
Transcripts: PII-redacted storage

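An added example of the transcript redaction in § VI (and the no-PII-in-logs rule of § III), not the project's own redactor: it replaces SSN/ITIN-shaped tokens in free text and deny-listed structured fields with [REDACTED], and reports only the count of replacements so a caller can record that redaction happened without recording what was removed. The regex-free scanner, the field deny-list and the sample transcript lines are constructed for this example; the shape check covers the hyphenated ddd-dd-dddd form only.

```rust
/// Marker written in place of each PII match, as in stored transcripts.
pub const REDACTED: &str = "[REDACTED]";

/// True if the bytes at `start` match ddd-dd-dddd (the shape shared by SSNs
/// and ITINs) and the token is not embedded in a longer digit run, so that
/// tracking numbers or EINs with a different shape are left alone.
fn ssn_shape_at(b: &[u8], start: usize) -> bool {
    const LEN: usize = 11;
    if start + LEN > b.len() {
        return false;
    }
    let w = &b[start..start + LEN];
    let shape_ok = w.iter().enumerate().all(|(i, &c)| match i {
        3 | 6 => c == b'-',
        _ => c.is_ascii_digit(),
    });
    if !shape_ok {
        return false;
    }
    let before_digit = start > 0 && b[start - 1].is_ascii_digit();
    let after_digit = start + LEN < b.len() && b[start + LEN].is_ascii_digit();
    !before_digit && !after_digit
}

/// Replace every SSN/ITIN-shaped token in free text. Returns the cleaned
/// text and how many replacements were made.
pub fn redact_transcript(text: &str) -> (String, usize) {
    let b = text.as_bytes();
    let mut out = String::with_capacity(text.len());
    let mut count = 0;
    let mut i = 0;
    while i < b.len() {
        if ssn_shape_at(b, i) {
            out.push_str(REDACTED);
            count += 1;
            i += 11;
        } else {
            // `i` is always on a char boundary: matches are pure ASCII and
            // everything else advances by a whole UTF-8 character.
            let ch = text[i..].chars().next().unwrap();
            out.push(ch);
            i += ch.len_utf8();
        }
    }
    (out, count)
}

/// Structured tool input: PII-bearing keys are known up front, so their
/// values are replaced by key rather than by pattern.
pub fn redact_fields(fields: &[(&str, &str)], pii_keys: &[&str]) -> Vec<(String, String)> {
    fields
        .iter()
        .map(|(k, v)| {
            let value = if pii_keys.contains(k) { REDACTED } else { *v };
            (k.to_string(), value.to_string())
        })
        .collect()
}
```

Pattern-based redaction of free text is the backstop; the field-based path is the reliable one, which is why the page routes PII through structured tool inputs rather than prompt text in the first place.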
§ VII

Response protocol

If you discover a vulnerability, email security@orgs.sh. Encrypted: PGP key fingerprint 4F8A:7B19:...:C2D6. We commit to a 24-hour acknowledgment and a 90-day disclosure window. We pay bounties from $500 to $25,000 depending on severity, via the Orgs Security Research Program.

Technical
Contact: security@orgs.sh
PGP: 4F8A:7B19:...:C2D6
Bounty: $500 — $25,000

§ Compliance Certifications

SOC 2 Type II: In progress · report expected Q3 2026
ISO 27001: Planned · Q4 2026
W-9 / 1099: Issued annually for all disbursements
GLBA: Applies; Safeguards Rule compliance documented

Security is not a feature.
It is the premise.