Security & compliance
This page is a status snapshot: what we have, what we're building, and how we ship evidence to your auditor. Last updated 2026-06-23.
The TL;DR
- All traffic over TLS 1.3 with HSTS
- Tokens scoped at creation, rotatable in one click
- FROST 3-of-5 ed25519 signing on every receipt — no single-process key reconstruction
- Region pinning for EU residency (works for Compute, Object Store, JouleDB, Inference)
- Signed receipts double as primary evidence for CSRD E1 Scope 2 and AI Act Annex XI
- SOC 2 Type 2 readiness audit in flight; target attestation Q4 2026
How the keys work
Every receipt we issue is signed with an ed25519 signature produced by a 3-of-5 FROST quorum. FROST is the IETF threshold-signature standard (RFC 9591). What it means in practice:
- The signing key never exists as a single secret. It is split across five signers (separate Rust binaries, separate hardware tokens, separate operators).
- Any three of those signers can produce a valid signature; fewer than three cannot.
- Even with two signers compromised, an attacker cannot forge a receipt.
- The verifier needs only the public group key (published per-operator) to verify any receipt.
Verification is performed by the jc receipt verify command and by a standalone jouleclaw verify Rust binary; both are open-source. See Energy receipts.
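The threshold property described above, as an added example (not Joule Cloud's or the FROST reference code). It models only the key-dependent term of a FROST response, `λ_i · s_i · c`, in the ed25519 scalar field and omits nonce commitments, binding factors and curve operations; all function names are hypothetical and the key and challenge are constructed test values.

```python
import secrets
from itertools import combinations

# Order of the ed25519 prime-order subgroup; all share arithmetic is mod L.
L = 2**252 + 27742317777372353535851937790883648493

def deal(secret, threshold=3, signers=5):
    """Shamir-share `secret`: signer i gets f(i), where f has degree
    threshold-1, f(0) = secret, and the other coefficients are nonzero."""
    coeffs = [secret] + [secrets.randbelow(L - 1) + 1 for _ in range(threshold - 1)]
    return {i: sum(c * pow(i, k, L) for k, c in enumerate(coeffs)) % L
            for i in range(1, signers + 1)}

def lagrange_at_zero(i, ids):
    """Weight of signer i's share when the set `ids` interpolates f(0)."""
    num = den = 1
    for j in ids:
        if j != i:
            num = num * j % L
            den = den * (j - i) % L
    return num * pow(den, -1, L) % L

def partial_response(share, i, ids, challenge):
    """Computed locally by signer i; the share itself is never sent."""
    return lagrange_at_zero(i, ids) * share % L * challenge % L

def aggregate(shares, ids, challenge):
    """Coordinator sums partial responses; it handles no share and no key."""
    return sum(partial_response(shares[i], i, ids, challenge) for i in ids) % L

def demo():
    key = secrets.randbelow(L - 1) + 1        # constructed test key
    challenge = secrets.randbelow(L - 1) + 1  # stands in for the Schnorr challenge hash
    shares = deal(key)
    expected = key * challenge % L            # known only because this demo dealt the key
    any_three_work = all(aggregate(shares, ids, challenge) == expected
                         for ids in combinations(shares, 3))
    some_two_work = any(aggregate(shares, ids, challenge) == expected
                        for ids in combinations(shares, 2))
    return any_three_work, some_two_work

if __name__ == "__main__":
    print(demo())
```

Every 3-signer subset produces the same key-dependent value without any process holding the key, while every 2-signer subset is off by a multiple of the polynomial's hidden top coefficient.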
Tokens
Tokens are scoped at creation. Five canonical scopes:
| Scope | Can |
|---|---|
| inference | Call /v1 inference endpoints. Nothing else. |
| read | Read workloads, receipts, balances, configs. |
| deploy | Above + create, update, delete workloads / databases / buckets. |
| billing-admin | Above + top up / refund / change payment methods. |
| account-admin | Full scope: invite members, rotate keys, change billing entity. |
Rotation is one click in the portal; old tokens are revoked at the next request. Tokens do not expire by default; set an expiry explicitly per token if you want one.
Data residency
Region pinning is first-class. Set the region at workload / database / bucket creation; data never leaves that region. The Joule Cloud mesh nodes are distributed across:
| Region tag | Where | Operator(s) |
|---|---|---|
| eu-fi | Helsinki, Finland | Hetzner, Nebius |
| eu-de | Nuremberg, Germany | Hetzner |
| eu-fr | Paris, France | Vultr (CDG) |
| eu-uk | London, United Kingdom | Vultr (LHR) |
| us-east | Ashburn, VA, USA | Hetzner Ash, Vultr EWR, Latitude |
| us-west | Hillsboro, OR, USA | Hetzner Hil |
| ap-northeast | Tokyo, Japan | Vultr (NRT) |
| ap-southeast | Singapore | Vultr (SGP) |
The portal's residency view shows you exactly which legal entity holds each byte for each workload.
Compliance regimes
| Regime | Status | Evidence we ship |
|---|---|---|
| GDPR | Compliant; EU DPA available | DPA + per-byte residency reporting |
| CSRD / ESRS E1 (Scope 2 cloud emissions) | Production | jc compliance export --format esrs-e1 — auditor-ready |
| EU AI Act Annex XI (energy disclosure) | Production | jc compliance export --format ai-act-annex-xi |
| SOC 2 Type 2 | Audit in flight | Bridge letter on request; full attestation Q4 2026 |
| ISO 27001 | Planned 2027 | — |
| HIPAA | BAA available on request for the US region | BAA + per-workload audit log |
| FedRAMP (Moderate) | Planned via Oracle Cloud partnership | — |
Encryption
- In transit: TLS 1.3 with HSTS and certificate pinning advertised. No insecure-cipher fallbacks. Optional client-side pins are published at greenjoules.cloud/.well-known/cert-pins.txt; rotations announced 14 days ahead with the next pin alongside the current.
- At rest: AES-256-GCM by default on Object Store and JouleDB persistent storage. SSE-C (bring-your-own-key) supported on Object Store.
- Cryptography: ed25519 signing, X25519 key exchange. Hybrid PQ-ready: ML-KEM-768 key exchange in selective deployments (audit available).
Incident response
Security mailbox: [email protected]. PGP key at greenjoules.cloud/.well-known/security.txt. Coordinated disclosure window: 90 days. Bug bounty pilot launching with v1 GA.
Source-availability & audit
The substrate (the Invisible infrastructure that hosts your workloads), the signing layer, and the receipt verifier are source-available at git.openie.sh/openie/invisible-infrastructure. Anyone — you, your auditor, a regulator — can read the code that wrote the bill.