Isolated execution. Deterministic integrity. Minimal retention. NexArt's security architecture is designed around three principles: every execution runs in an isolated sandbox, deterministic integrity ensures identical inputs produce identical outputs, and minimal retention means execution payloads are not persisted beyond what is required for verification.
NexArt is execution integrity infrastructure, not a data warehouse. The security model is built around producing evidence that anyone can independently verify, without trusting NexArt to retain or reveal the underlying payload.
Every execution runs in an ephemeral, sandboxed environment with no network access, no filesystem persistence, and no shared state between executions. This applies both to Code Mode runtime and to attestation node verification work.
Determinism is not just a feature, it is a security guarantee. Identical inputs always produce identical certificate hashes, enabling independent verification without trusting the original operator or NexArt.
NexArt stores certification metadata and the canonical CER bundle required for verification. Raw execution payloads from integrating systems are the customer's responsibility. See the CER Retention Policy for retention windows and lifecycle states.
API key authentication with hashed credentials at rest. Account-level quota enforcement. No shared API key pools. Keys can be rotated and revoked from the developer console without affecting outstanding records.
Every certified record can be independently verified at verify.nexart.io with no account, no API key, and no dependency on NexArt being online. Verification recomputes the SHA-256 certificate hash and checks the Ed25519 attestation signature against the issuing node's public key.
NexArt explicitly models threats including record tampering, execution replay attacks, key compromise, node impersonation, and downstream payload manipulation. The integrity guarantee is bound to the certificate hash returned by the attestation node and is not recomputed or overridden by storage.
The architecture is designed to support evidence requirements under ISO/IEC 42001, SOC 2 Trust Service Criteria, NIST AI RMF, and EU AI Act high-risk obligations.
NexArt does not validate semantic correctness, score outputs, or guarantee that an AI decision is right. Verification proves integrity of the recorded execution, not correctness of the underlying judgment.
Protocol Overview · Standards Alignment · CER Retention Policy · Non-Goals