Legal and Compliance
Status: customer boundary docs. This section is the prose companion to the runtime gate defined in
contracts/production-admission.v0.json. It exists so a real pilot customer, their counsel, and their compliance reviewer can read what Gestalt will and will not do without inferring it from source code.
The runtime is the authority. Every page here cites the contract section that drives it. If a page disagrees with the contract, the contract wins and the page is wrong.
What “production admission” means here
Section titled “What “production admission” means here”Production admission is globally disabled by default. The central
evaluator returns production_admission_disabled_by_default for any
operation that has not been admitted by a signed pilot record. A clean
operation in scope returns candidate_pending. An operation is only
admitted if a signed pilot admission record exists and lists that
operation in its admitted set; any operation not in that set continues
to refuse. Period close is candidate-only in v0.
See contracts/production-admission.v0.json
pilot_admission_lane.admitted_outcome_stable_code and the
evaluator_pilot_refusals list for the stable codes returned by the
evaluator.
- Data processing posture — what data Gestalt does and does not accept on the membrane today.
- Privacy posture — minimisation, hash-only ingest, redaction, and what Gestalt cannot see.
- Biometric template posture — passkey posture and the absence of biometric template persistence.
- CPU face-match fallback policy —
why the face-match operation is
shape-onlyand what would be required to enable it. - Connector credential policy — what hits the membrane vs. what stays at the connector.
- Data retention and deletion — default retention, deletion semantics, and what cannot be deleted.
- Pilot terms and excluded operations — what a signed pilot admission record actually covers.
- Public claims review — the phrases the product, sales, and marketing surface must not assert.