> ## Documentation Index
> Fetch the complete documentation index at: https://docs.predicate.io/llms.txt
> Use this file to discover all available pages before exploring further.

# Security

> How Predicate secures enforcement infrastructure

## Security model

Predicate enforces compliance through a scoped onchain freeze/block role which can be revoked it in a single transaction and is typically granted by the contract's admin role. This page covers the controls around the corresponding signer key and the guarantees on enforcement delivery.

<Note>
  Security and engineering teams evaluating Predicate can request additional detail under NDA — covering key management, runtime hardening, and our threat model. The following is meant to be a high-level overview.
</Note>

## Onchain authorization

The following is based off the freeze/block interfaces we recommend implementing.

* **Scope.** Predicate never holds asset-admin keys. Enforcement runs through the role you grant — `FREEZE_MANAGER_ROLE` on EVM, `blocker` on Stellar.
* **Bounded authority.** The role authorizes only freeze/unfreeze and block/unblock. It cannot mint, burn, transfer, upgrade, or reassign roles.
* **Revocation.** Authorization is revocable in a single transaction and verifiable on your own contract.

## Key management

* **Multi-factor protection.** Signing keys are protected by multiple independent factors; no single operator can produce a signature.
* **No human access.** Keys are never exposed to human operators in the course of operations.

## Infrastructure and access

* **Isolation.** Signing is isolated from application services behind independent controls; no single compromised component can produce a signed transaction.
* **Least privilege.** Production access is scoped, logged, periodically reviewed, and revoked on offboarding.
* **Release process.** Changes are peer-reviewed and built by CI, not developer machines. Production deploys require explicit human approval; no individual can deploy to production unilaterally.
* **External assessment.** Security posture is validated through ongoing internal review and independent third-party assessment.

## Delivery and availability

* **Retry.** Enforcement actions are retried automatically on failure; contracts that persistently fail are surfaced and acted on.
* **Redundant endpoints.** Multiple RPC endpoints maintain enforcement through provider outages.
* **Failover.** The signing service is designed to survive infrastructure failure with tested failover.

## Audit trail

Every enforcement action is recorded — source, wallet, transaction hash, and outcome — as an append-only log retained for regulatory or law enforcement review and surfaced in the dashboard.
