
Biometric template posture

Status: customer boundary doc. It covers required topic no_raw_biometric_storage from customer_boundary_lane.required_doc_topics in contracts/production-admission.v0.json. The filename no-raw-biometric-storage.md is the canonical mapping for that topic; the heading is rephrased so that the doc does not assert the forbidden claim phrase as a positive title.

Gestalt does not store, accept, or transit biometric template material. The HumanAuth surface is built on WebAuthn passkeys. The membrane records:

  • A credential ID hash.
  • The public verification material for the credential.
  • Replay status for challenges.

The membrane refuses, and never persists, any of:

  • Plaintext credential IDs.
  • Private key material.
  • Biometric template material (fingerprint, face, voice, or otherwise).

The platform authenticator on the user's device performs the biometric match locally and returns a WebAuthn assertion. What crosses to Gestalt is that assertion: the credential ID hash (which selects the public verification material imported at enrollment), the authenticator data, the client data, and the ES256 signature over them. The only trace of the biometric match in any of this is the user-verified flag bit in the authenticator data; the template itself never leaves the device.

The HumanAuth operations relevant here are:

  • humanAuth.passkeyImport (staging-durable) — imports credential ID hash plus public verification material only.
  • humanAuth.verifyPasskey (staging-durable) — verifies an ES256 WebAuthn assertion against a previously imported credential.
  • humanAuth.faceMatchFallback (shape-only) — see CPU face-match fallback policy.

Maturity labels are taken from contracts/production-admission.v0.json operation_maturity. None of these operations is admitted to production today. A signed pilot admission record can name specific HumanAuth operations as admitted; nothing else is admitted.
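The following is an added, self-contained Go example, not Gestalt's own code and not the HumanAuth wire format: it models the posture described above and the passkeyImport / verifyPasskey pair. The membrane side persists only the credential ID hash, the ES256 public key and challenge replay status (there is no field anything else could land in); a simulated platform authenticator keeps the private key, does the "biometric match" locally and signs the challenge; a replayed or tampered assertion is rejected. The relying-party ID, origin, type and function names are assumptions for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

const rpID, origin = "gestalt.example", "https://gestalt.example" // assumed for this example

// Membrane holds everything Gestalt persists for HumanAuth passkeys: there is no
// field for a plaintext credential ID, a private key or a biometric template.
type Membrane struct {
	keys       map[string]*ecdsa.PublicKey // hex(SHA-256(credentialId)) -> ES256 (P-256) key
	challenges map[string]bool             // replay status: false = issued, true = consumed
}

func NewMembrane() *Membrane {
	return &Membrane{keys: map[string]*ecdsa.PublicKey{}, challenges: map[string]bool{}}
}

func HashCredentialID(id []byte) string { h := sha256.Sum256(id); return hex.EncodeToString(h[:]) }
func randomBytes(n int) []byte          { b := make([]byte, n); rand.Read(b); return b }
func newDeviceKey() *ecdsa.PrivateKey   { k, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader); return k }

// PasskeyImport accepts only a hashed credential ID plus public verification material.
func (m *Membrane) PasskeyImport(credIDHash string, pub *ecdsa.PublicKey) error {
	if len(credIDHash) != 64 || pub == nil || pub.Curve != elliptic.P256() {
		return errors.New("need a SHA-256 hex credential ID hash and a P-256 public key")
	}
	m.keys[credIDHash] = pub
	return nil
}

// IssueChallenge mints a random challenge and records it as not yet consumed.
func (m *Membrane) IssueChallenge() []byte {
	c := randomBytes(32)
	m.challenges[hex.EncodeToString(c)] = false
	return c
}

type Assertion struct { // a WebAuthn get() response as the membrane sees it
	CredentialIDHash  string // hashed before it crosses the membrane
	AuthenticatorData []byte // rpIdHash(32) || flags(1) || signCount(4)
	ClientDataJSON    []byte // {"type":"webauthn.get","challenge":...,"origin":...}
	Signature         []byte // DER ECDSA over authData || SHA-256(clientDataJSON)
}

// VerifyPasskey checks an ES256 assertion and consumes its challenge, so a replay fails.
func (m *Membrane) VerifyPasskey(a Assertion) error {
	pub, ok := m.keys[a.CredentialIDHash]
	var cd struct{ Type, Challenge, Origin string }
	if !ok || json.Unmarshal(a.ClientDataJSON, &cd) != nil || cd.Type != "webauthn.get" || cd.Origin != origin {
		return errors.New("unknown credential or bad client data")
	}
	ch, err := base64.RawURLEncoding.DecodeString(cd.Challenge)
	if used, issued := m.challenges[hex.EncodeToString(ch)]; err != nil || !issued || used {
		return errors.New("challenge undecodable, not issued, or already consumed (replay)")
	}
	// Flags: bit0 = user present, bit2 = user verified. UV is the only trace of the local biometric match.
	rpHash := sha256.Sum256([]byte(rpID))
	if len(a.AuthenticatorData) < 37 || string(a.AuthenticatorData[:32]) != string(rpHash[:]) ||
		a.AuthenticatorData[32]&0x05 != 0x05 {
		return errors.New("authenticator data not for this RP, or UP/UV flags unset")
	}
	cdHash := sha256.Sum256(a.ClientDataJSON)
	msg := sha256.Sum256(append(append([]byte{}, a.AuthenticatorData...), cdHash[:]...))
	if !ecdsa.VerifyASN1(pub, msg[:], a.Signature) {
		return errors.New("bad signature")
	}
	m.challenges[hex.EncodeToString(ch)] = true
	return nil
}

// SimulateAssertion is the device side: the platform authenticator has matched the
// biometric locally, so it signs the challenge with the private key that never leaves it.
func SimulateAssertion(credID []byte, priv *ecdsa.PrivateKey, challenge []byte) Assertion {
	cd, _ := json.Marshal(map[string]string{"type": "webauthn.get", "origin": origin,
		"challenge": base64.RawURLEncoding.EncodeToString(challenge)})
	rpHash := sha256.Sum256([]byte(rpID))
	auth := append(rpHash[:], 0x05, 0, 0, 0, 1) // flags UP|UV set, signCount 1
	cdHash := sha256.Sum256(cd)
	msg := sha256.Sum256(append(append([]byte{}, auth...), cdHash[:]...))
	sig, _ := ecdsa.SignASN1(rand.Reader, priv, msg[:])
	return Assertion{HashCredentialID(credID), auth, cd, sig}
}

func main() {
	priv, credID, m := newDeviceKey(), randomBytes(16), NewMembrane() // key stays on the device
	fmt.Println("import:", m.PasskeyImport(HashCredentialID(credID), &priv.PublicKey))
	a := SimulateAssertion(credID, priv, m.IssueChallenge())
	fmt.Println("verify:", m.VerifyPasskey(a), "replay:", m.VerifyPasskey(a))
}
```

Run with go run: import and the first verify report nil, the second verify of the same assertion fails on the consumed challenge. The point to take from the shape of Membrane is structural: a subject access request or a breach of this store can yield only credential ID hashes, public keys and challenge bookkeeping, because nothing else has a place to be written.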

A pilot customer onboarding their staff onto Gestalt:

  • Provisions passkeys with each user’s platform authenticator.
  • Sees only credential ID hashes and public keys persisted on the Gestalt side.
  • Cannot extract a biometric template from Gestalt because Gestalt never had one.

A subject access request for “the biometric data Gestalt holds about me” returns the empty answer because the contract does not allow that class of data on the membrane.

customer_boundary_lane.forbidden_doc_claims in the contract lists the claim phrase this doc may not assert as a positive statement; deploy/hetzner-cloudflare/m56-doc-claim-check.sh checks the doc against that list.

Gestalt does not perform raw biometric storage, and does not accept biometric template material on the membrane. This is enforced by the contract, not by policy alone.