Security posture
- Zero-Trust enforcement (DEC OpenUTM). Every uplink on an OpenUTM appliance is evaluated equally by the AI-assisted policy engine. No direction is implicitly trusted — traffic moving between internal segments is inspected with the same rigor as traffic arriving from the Internet. LAN and WAN are architectural facts, not trust boundaries.
- Identical hardening across editions. Community, Standard, Professional, Enterprise, Platinum, Signature — the appliance image is the same. The license file gates capabilities and support, not security controls.
- Signed releases. Every release is signed with a DEC-LLC release key (ECDSA over the NIST P-256 curve, with SHA-256 as the digest). The verifying public key ships with every appliance; the private key never leaves DEC-LLC's signing infrastructure.
- Defense-in-depth. SELinux-enforcing profiles, immutable system partitions, tamper-evident audit trails, integrity baselines with SHA-256 manifest verification.
- Local-AI by design. All AI inference runs locally on the appliance (Ollama-backed). Customer data never traverses DEC-LLC infrastructure.
- No call-home dependency. Appliances run whether or not they can reach DEC-LLC. Outbound licensing calls, analytics, and telemetry are off by default; any a customer chooses to enable remain customer-configurable.
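The "signed releases" and "SHA-256 manifest verification" bullets above describe a two-stage check: verify the release key's signature over the manifest, then verify each file's digest against the manifest. The Go program below is an added example of that sequence and is not DEC-LLC code; the page does not document the real manifest layout or how the shipped public key is stored, so the sha256sum-style manifest format, the file names and the key generated at run time (standing in for the release key) are all assumptions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"sort"
	"strings"
)

// Assumed manifest layout for this example: one "<sha256-hex>  <path>" line per
// file, in the style of sha256sum output. DEC-LLC's actual manifest format is not
// documented on this page.

// buildManifest renders a deterministic (name-sorted) SHA-256 manifest for a set
// of files so that the same tree always yields the same signed bytes.
func buildManifest(files map[string][]byte) []byte {
	names := make([]string, 0, len(files))
	for n := range files {
		names = append(names, n)
	}
	sort.Strings(names)
	var b strings.Builder
	for _, n := range names {
		sum := sha256.Sum256(files[n])
		fmt.Fprintf(&b, "%s  %s\n", hex.EncodeToString(sum[:]), n)
	}
	return []byte(b.String())
}

// signManifest is the build-side step: ECDSA over P-256 on the SHA-256 digest of
// the manifest bytes, DER-encoded. Only the signing infrastructure holds priv.
func signManifest(priv *ecdsa.PrivateKey, manifest []byte) ([]byte, error) {
	digest := sha256.Sum256(manifest)
	return ecdsa.SignASN1(rand.Reader, priv, digest[:])
}

// verifyRelease is the appliance-side check. The signature is verified before a
// single byte of the manifest is parsed, so a replaced manifest never influences
// which files get checked. Files listed but missing, files present but unlisted,
// and digest mismatches are all failures.
func verifyRelease(pub *ecdsa.PublicKey, manifest, sig []byte, files map[string][]byte) error {
	digest := sha256.Sum256(manifest)
	if !ecdsa.VerifyASN1(pub, digest[:], sig) {
		return fmt.Errorf("manifest signature invalid; refusing to parse manifest")
	}
	expected := make(map[string]string)
	for _, line := range strings.Split(strings.TrimSpace(string(manifest)), "\n") {
		parts := strings.SplitN(line, "  ", 2)
		if len(parts) != 2 || len(parts[0]) != sha256.Size*2 {
			return fmt.Errorf("malformed manifest line %q", line)
		}
		expected[parts[1]] = parts[0]
	}
	for name, want := range expected {
		data, ok := files[name]
		if !ok {
			return fmt.Errorf("%s: listed in manifest but missing", name)
		}
		got := sha256.Sum256(data)
		if hex.EncodeToString(got[:]) != want {
			return fmt.Errorf("%s: SHA-256 mismatch", name)
		}
	}
	for name := range files {
		if _, ok := expected[name]; !ok {
			return fmt.Errorf("%s: present but not in the signed manifest", name)
		}
	}
	return nil
}

func main() {
	// Stand-in release key generated on the fly; a real appliance ships only the public half.
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	// Constructed sample release contents; names and bytes are illustrative only.
	files := map[string][]byte{
		"boot/vmlinuz":       []byte("kernel image bytes"),
		"etc/selinux/policy": []byte("enforcing profile"),
	}
	manifest := buildManifest(files)
	sig, err := signManifest(priv, manifest)
	if err != nil {
		panic(err)
	}
	fmt.Println("clean release:", verifyRelease(&priv.PublicKey, manifest, sig, files))

	// A file altered after signing: the manifest still verifies, the digest does not.
	tampered := map[string][]byte{
		"boot/vmlinuz":       files["boot/vmlinuz"],
		"etc/selinux/policy": []byte("permissive profile"),
	}
	fmt.Println("tampered file:", verifyRelease(&priv.PublicKey, manifest, sig, tampered))

	// A manifest altered after signing fails at the signature step, before parsing.
	badManifest := append([]byte(nil), manifest...)
	badManifest[0] ^= 0x01
	fmt.Println("tampered manifest:", verifyRelease(&priv.PublicKey, badManifest, sig, files))
}
```

The order of the two checks is the point: parsing an unsigned manifest first would let whoever controls the manifest decide which files are hashed, which is how "integrity verification" quietly turns into verifying the attacker's own list. Rejecting unlisted files closes the matching gap on the other side.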
Reporting a vulnerability
We welcome responsible disclosure. If you have found a vulnerability in any DEC-LLC product or on dec-llc.biz infrastructure:
- Email: security@dec-llc.biz
- PGP: key and fingerprint pending publication — please send plain-text email in the interim and we will coordinate an encrypted channel on response.
- Response target: acknowledgement within 2 business days, triage within 5 business days, fix timeline communicated within 10 business days.
- Safe harbor: Good-faith security research against your own deployment or a test tenant will not result in legal action. Please do not attack production customer infrastructure.
A /.well-known/security.txt file (RFC 9116) advertises the above on every DEC-LLC web property.
Compliance certification posture
We take compliance certifications seriously — which is why we do not speculatively pursue them ahead of committed customer demand. Each certification below is a 12–24 month engagement that requires dedicated audit budget and infrastructure-under-scope. We begin that work when an enterprise customer with a certification requirement contracts with us and the certification is written into the engagement.
Under active customer evaluation we are happy to:
- Share draft policy packages and control-evidence inventories under NDA
- Pre-populate audit artifacts (risk register, access-control matrix, change-management runbook)
- Schedule the certification engagement to start alongside the pilot
Roadmap — engaged when a customer commits
| Certification | Status | Typical customer driver |
| --- | --- | --- |
| SOC 2 Type I | Scoped; ready to engage | SaaS / enterprise procurement requirement |
| SOC 2 Type II | Follows Type I by 12 months | SaaS / enterprise procurement requirement |
| ISO 27001 | Scoped; ready to engage | International enterprise procurement |
| CMMC Level 2 | Scoped; ready to engage | Federal contractor / DoD supply chain |
| FedRAMP Moderate | Evaluating; major infrastructure and operations commitment | Federal direct deployment |
Certifications require revenue to fund the audit cycle and dedicated infrastructure to hold the control boundary. We're transparent about the sequencing: revenue first, certification committed alongside the customer contracting for it, audit engagement starts at contract signing. That way the certification corresponds to a real control environment being exercised by a real customer — not a shelf document produced ahead of demand.
Security artifacts available under NDA
- SBOM (Software Bill of Materials) per release
- Architecture + threat-model documentation per product
- Penetration-test summaries (once engaged)
- Incident-response playbook
- Recovery-key custody procedures
Request: security@dec-llc.biz