Architectural controls, not unsupported promises
Decisionproof treats your run data as sensitive, your audit trail as load-bearing, and your payment information as not ours to store. The controls below are design-level — they are not third-party certifications, and we don't pretend otherwise.
Run metadata is logged
Decisionproof records run metadata, state transitions, receipt records, settlement amounts, and result references needed for auditability. Raw input and result-body handling are governed by the applicable data handling and retention policy. Exports from your dashboard are available under the applicable retention tier: Sandbox includes Hot online access for 30 days by default; Cold Archive and Deep Archive are available only where included in the customer's plan or contract.
Tamper-evident audit evidence
Audit evidence is designed to be append-only and tamper-evident. Write-once, read-many (WORM) backing storage is a design target; specific WORM enforcement is plan- and contract-dependent and is not promised by default during Sandbox beta. Lifecycle retention, personal-data deletion requests, legal holds, and security/audit obligations are handled separately under the applicable data handling policy and customer contract.
Sandbox payments via PayPal
Decisionproof does not store card numbers or payment credentials. Sandbox payments are processed through PayPal during the paid private beta. Card payment may be available through PayPal guest checkout for eligible buyers, depending on the flow PayPal presents. B2B Design Partner engagements are contracted separately and billed through manual invoice, bank remittance, and applicable tax-invoice workflows.
API-key auth — no OAuth complexity
Access to the run API is controlled via API keys you create and revoke from your dashboard. Keys can be rotated instantly. No OAuth flows, no token refresh logic to manage on your side. (Sign-in to the dashboard itself uses Google OAuth.)
Deterministic recovery
Runs follow an idempotent state machine with lease-based workers, staged finalize, and a reaper reconciliation loop. Recovery from crashes, timeouts, and retries is deterministic by design — not a claim about AI inference determinism.
Per-run spend caps & receipts
Every run carries a per-run spend cap (reservation.max_cost_usd) — the maximum USD amount reserved for a single run, not an account-level or monthly budget. Budget is reserved before work starts. Cost is committed only when the result artifact and its receipt metadata are captured — no receipt, no settlement.
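The reserve-then-settle rule above, together with the idempotent finalize described under Deterministic recovery, can be sketched as follows. This is an added example, not Decisionproof's code: the RunLedger class, its method names, the state names and the receipt IDs are assumptions; only reservation.max_cost_usd comes from the page.

```python
from dataclasses import dataclass
from decimal import Decimal
from typing import Dict, Optional

class SettlementError(Exception):
    """Raised when a request violates the reservation rules."""

@dataclass
class Run:
    max_cost_usd: Decimal  # per-run cap (reservation.max_cost_usd on the page)
    state: str = "RESERVED"  # assumed states: RESERVED -> SETTLED | RELEASED
    settled_usd: Optional[Decimal] = None
    receipt_id: Optional[str] = None

class RunLedger:
    """Hypothetical in-memory ledger; every name here is an assumption."""
    def __init__(self) -> None:
        self.runs: Dict[str, Run] = {}

    def reserve(self, run_id: str, max_cost_usd: str) -> Run:
        # Idempotent: a retried reserve returns the existing reservation.
        if run_id not in self.runs:
            self.runs[run_id] = Run(max_cost_usd=Decimal(max_cost_usd))
        return self.runs[run_id]

    def settle(self, run_id: str, cost_usd: str, receipt_id: Optional[str]) -> Run:
        run, cost = self.runs[run_id], Decimal(cost_usd)
        if run.state == "SETTLED":
            # A retried finalize is a no-op; a conflicting one is rejected.
            if (run.settled_usd, run.receipt_id) != (cost, receipt_id):
                raise SettlementError("already settled with different values")
            return run
        if run.state != "RESERVED":
            raise SettlementError(f"cannot settle from state {run.state}")
        if not receipt_id:
            raise SettlementError("no receipt, no settlement")
        if cost < 0 or cost > run.max_cost_usd:
            raise SettlementError("cost outside the reserved cap")
        run.state, run.settled_usd, run.receipt_id = "SETTLED", cost, receipt_id
        return run

    def release(self, run_id: str) -> Run:
        # Reconciliation path: a reservation with no receipt is released unsettled.
        run = self.runs[run_id]
        if run.state == "RESERVED":
            run.state = "RELEASED"
        return run
```

Amounts are passed as strings and held as Decimal so that the cap comparison is exact rather than subject to float rounding.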
Tenant data isolation
Your run data is scoped to your workspace. There is no shared data layer across tenants. API keys only authorize access to your own tenant's runs, receipts, and audit records.
A note on Sandbox paid private beta
Decisionproof is in Sandbox paid private beta. The service runs on AWS (EKS, RDS, ElastiCache, S3) using production-grade configuration, but we do not publish uptime SLAs during the Sandbox beta period. APIs, limits, and operational defaults may change.
We do not claim third-party compliance certifications or regulatory coverage during the Sandbox paid private beta. The controls on this page are architectural — not certifications. If your use case requires a named certification, Decisionproof may not be the right fit at this time.
If you experience an outage or unexpected behaviour, contact ghilplip934@gmail.com. Sandbox support is email-based and best effort, with a target first response within 1 business day; there is no 24/7 on-call, no phone support, and no uptime SLA for Sandbox. Design Partner support targets are defined in the signed pilot agreement and support playbook, not in this Sandbox note. Commercial refund requests are reviewed case-by-case within 48 hours of purchase; non-waivable consumer-protection rights in your jurisdiction are preserved separately — see the billing FAQ and the Terms of Use.
Questions about security?
Sandbox security & compliance enquiries: email support, best effort, target first response within 1 business day.