Privacy posture

Status: customer boundary doc. Required topic privacy_posture from contracts/production-admission.v0.json customer_boundary_lane.required_doc_topics. The docs MUST match runtime route labels and proof behaviour (customer_boundary_lane.consistency_invariants).

Gestalt is built around minimisation as a runtime property, not a documentation aspiration. Operations that would otherwise carry sensitive material refuse the raw form and accept a hash or a reference instead.

  • company.bootstrap requires legal_name_hash and register_hash; raw register payloads and raw legal names are refused.
  • HumanAuth passkey operations record a credential ID hash and public verification material; raw credential IDs, private keys, and biometric template material are refused.
  • Connector ingest accepts hash-only evidence references; raw connector payloads and credential secrets are refused.
  • Incident receipts record hash-only alert, mitigation, and communications material; raw incident payloads are refused.
  • Read models project tenant-scoped summaries derived from durable records with explicit citations; the underlying store is not exposed.

The refusals are not advisory. The membrane returns a stable refusal code from contracts/refusal-codes.v0.json and records the refusal as durable evidence.

By construction, Gestalt does not have:

  • The plaintext register filing for a company.
  • The plaintext credential ID, private key, or biometric template for a passkey.
  • The plaintext credential secret for a connector.
  • The plaintext payload of an incident.

A pilot customer can verify this against the contract. Every operation that handles one of the above classes states the hash-only constraint in its membrane definition, and the central evaluator refuses if a raw form is supplied.
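The following is an added illustration of the evaluator behaviour described above; it is not Gestalt's own code and does not reproduce its contracts. The operation name and the two hash fields (legal_name_hash, register_hash) are taken from this page; the refused raw field names, the SHA-256 hex commitment format, the receipt layout and the refusal code strings are assumptions standing in for the real membrane definitions and for contracts/refusal-codes.v0.json.

```python
"""Illustrative hash-only membrane evaluator (added example, not Gestalt's code).

Assumed, not taken from the page: the raw field names that are refused, the
SHA-256 hex commitment format, the receipt layout and the placeholder refusal
code strings. The real codes live in contracts/refusal-codes.v0.json.
"""
import hashlib
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Hypothetical membrane definitions: which hash-only fields an operation
# accepts and which raw field names it must refuse outright.
MEMBRANES: Dict[str, Dict[str, set]] = {
    "company.bootstrap": {
        "hash_fields": {"legal_name_hash", "register_hash"},  # from the page
        "refused_raw": {"legal_name", "register"},            # assumed raw names
    },
}

# Placeholder refusal codes standing in for the stable contract codes.
REFUSAL_RAW_FORM_SUPPLIED = "PLACEHOLDER_RAW_FORM_SUPPLIED"
REFUSAL_MALFORMED_HASH = "PLACEHOLDER_MALFORMED_HASH"
REFUSAL_UNKNOWN_OPERATION = "PLACEHOLDER_UNKNOWN_OPERATION"

SHA256_HEX = re.compile(r"^[0-9a-f]{64}$")


def commit(value: str) -> str:
    """Client-side commitment: SHA-256 hex of the UTF-8 value (assumed scheme)."""
    return hashlib.sha256(value.encode("utf-8")).hexdigest()


@dataclass(frozen=True)
class Receipt:
    operation: str
    accepted: bool
    refusal_code: Optional[str]
    refused_fields: Tuple[str, ...]     # field names only; values are never recorded
    fixture: bool = True                # receipt.fixture: true on every receipt today
    production_admission: bool = False  # body.productionAdmission: false today


# Refusals are recorded as durable evidence alongside acceptances.
EVIDENCE_LOG: List[Receipt] = []


def _record(operation: str, code: Optional[str], fields: Tuple[str, ...]) -> Receipt:
    receipt = Receipt(operation, code is None, code, fields)
    EVIDENCE_LOG.append(receipt)
    return receipt


def evaluate(operation: str, payload: Dict[str, str]) -> Receipt:
    """Central evaluator: refuse raw forms, accept well-formed hashes only."""
    membrane = MEMBRANES.get(operation)
    if membrane is None:
        return _record(operation, REFUSAL_UNKNOWN_OPERATION, ())

    # Raw forms are refused before anything else is inspected or hashed, so the
    # sensitive value never reaches the store or the evidence log.
    raw_present = tuple(sorted(k for k in payload if k in membrane["refused_raw"]))
    if raw_present:
        return _record(operation, REFUSAL_RAW_FORM_SUPPLIED, raw_present)

    # Every required hash field must be present and well formed.
    bad = []
    for field_name in sorted(membrane["hash_fields"]):
        value = payload.get(field_name)
        if not isinstance(value, str) or not SHA256_HEX.fullmatch(value):
            bad.append(field_name)
    if bad:
        return _record(operation, REFUSAL_MALFORMED_HASH, tuple(bad))

    return _record(operation, None, ())
```

The ordering of the checks is the point a reviewer would look for: the raw-form check runs first and records only the offending field names, so a refused payload leaves no plaintext in the evidence log, and a caller can still look the code up without reading source.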

Every membrane response carries:

  • receipt.fixture — true today on every receipt. Production admission for a specific operation requires a signed pilot admission record.
  • body.productionAdmission — false today on every body that includes it.
  • A stable refusal code if the call refused.

A pilot customer who sees a refusal code can look it up in docs/reference/refusal-codes.md and see exactly why the operation refused, without reading source code or contacting support.

Subject access and erasure operate on the durable records actually persisted, not on speculative plaintext. Because Gestalt holds hashes and references, a subject access request returns:

  • The references the subject is associated with (for example a passkey credential ID hash).
  • The receipts and refusals tied to those references.
  • The proof bundle citations that include those receipts.

Erasure removes the durable association where the operation supports it, subject to the constraints in Data retention and deletion. Hashes that were used as evidence in a sealed proof bundle are not retroactively mutable; the proof bundle’s commitment is part of the record’s authenticity.
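As an added example of the subject access and erasure behaviour described in this section (not Gestalt's own code or storage layout), the model below keeps only hash references in durable records, seals proof bundles over them with a commitment, and refuses to erase any record a sealed bundle cites. The record ids, bundle id, the credential-ID-hash reference and the SHA-256 commitment scheme are constructed assumptions for the illustration.

```python
"""Illustrative subject access and erasure over hash-only durable records.

Added example, not Gestalt's code. Assumed: records carry only a kind and a
reference hash; a proof bundle's commitment is the SHA-256 of a canonical
encoding of its cited records; erasure may drop a record only when no sealed
bundle cites it. All ids and the reference below are constructed samples.
"""
import hashlib
import json
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class DurableRecord:
    record_id: str
    kind: str        # "receipt" or "refusal"
    reference: str   # the hash the subject is associated with, never plaintext


@dataclass(frozen=True)
class ProofBundle:
    bundle_id: str
    cited: Tuple[str, ...]  # record ids the bundle cites
    commitment: str         # binds the cited records; part of their authenticity
    sealed: bool


def _commitment(records: List[DurableRecord]) -> str:
    canonical = json.dumps(
        sorted([r.record_id, r.kind, r.reference] for r in records),
        separators=(",", ":"),
    )
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


class DurableStore:
    def __init__(self) -> None:
        self.records: Dict[str, DurableRecord] = {}
        self.bundles: List[ProofBundle] = []

    def persist(self, record: DurableRecord) -> None:
        self.records[record.record_id] = record

    def seal_bundle(self, bundle_id: str, record_ids: List[str]) -> ProofBundle:
        cited = [self.records[i] for i in record_ids]
        bundle = ProofBundle(bundle_id, tuple(record_ids), _commitment(cited), sealed=True)
        self.bundles.append(bundle)
        return bundle

    def verify_bundle(self, bundle: ProofBundle) -> bool:
        """Recompute the commitment; a missing or altered cited record fails."""
        try:
            cited = [self.records[i] for i in bundle.cited]
        except KeyError:
            return False
        return _commitment(cited) == bundle.commitment

    def subject_access(self, reference: str) -> Dict[str, list]:
        """Everything held for one reference: its records and the bundles citing them."""
        records = sorted(
            (r for r in self.records.values() if r.reference == reference),
            key=lambda r: r.record_id,
        )
        ids = {r.record_id for r in records}
        citations = sorted(b.bundle_id for b in self.bundles if ids & set(b.cited))
        return {
            "references": [reference] if records else [],
            "records": [(r.record_id, r.kind) for r in records],
            "proof_bundle_citations": citations,
        }

    def erase(self, reference: str) -> Dict[str, List[str]]:
        """Remove the association only where no sealed bundle depends on it."""
        pinned = {i for b in self.bundles if b.sealed for i in b.cited}
        erased, retained = [], []
        for rid, rec in list(self.records.items()):
            if rec.reference != reference:
                continue
            if rid in pinned:
                retained.append(rid)  # sealed commitment is not retroactively mutable
            else:
                erased.append(rid)
                del self.records[rid]
        return {"erased": sorted(erased), "retained_by_sealed_bundle": sorted(retained)}


# Constructed sample: one subject reference (a passkey credential ID hash).
SAMPLE_REFERENCE = hashlib.sha256(b"constructed-credential-id").hexdigest()


def build_sample_store() -> DurableStore:
    store = DurableStore()
    store.persist(DurableRecord("rcpt-001", "receipt", SAMPLE_REFERENCE))
    store.persist(DurableRecord("rcpt-002", "receipt", SAMPLE_REFERENCE))
    store.persist(DurableRecord("rfsl-003", "refusal", SAMPLE_REFERENCE))
    store.seal_bundle("bundle-A", ["rcpt-001", "rfsl-003"])
    return store
```

Running `build_sample_store()` and then `erase(SAMPLE_REFERENCE)` removes only `rcpt-002`; the two records cited by `bundle-A` are reported as retained, and `verify_bundle` still passes afterwards, which is the property the paragraph above describes: erasure acts on durable associations, and a sealed commitment is not rewritten to accommodate it.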