Honest Limits

Known trade-offs and acknowledged compromises. We ship honestly — no marketing claims without evidence.

What [T] and [A] mean

We tag every security claim internally as either [T] (verified, with a cited source) or [A] (assumed: accepted by the owner but not yet independently verified). This page lists the [A] claims that affect you as a user.

Cryptographic isolation — server-side

The five core security invariants of Ankayma's server infrastructure (data/control plane separation, append-only audit ledger, namespace isolation, per-product-line infra, air-gapped key ceremony) have been validated by our own internal test harness with owner sign-off.

What this means for you: These invariants have not yet been audited by an independent third party. Server-side claims are currently [A] owner-accepted, not [T] externally verified. We plan to engage an independent auditor after launch when we have production traffic to show.

Client agent — open source

The agent running on your machine is fully open source at github.com/ankayma/open-client. Client-side invariants (the agent does not touch control-plane traffic; data-plane separation) are validated via our open test harness and are [T] for the open-source agent: the source and the harness are both public, so you can re-run the checks yourself rather than take our word for it. That [T] covers only the agent; the server it talks to falls under the [A] server-side section above.

Sybil / abuse defense — no ML baseline

F0 signup is gated by three static checks: GitHub account age (≥90 days), repository count (≥1), and a PhishTank lookup. There is no machine-learning behavior baseline, and the checks are applied per account, so a patient attacker holding several aged GitHub accounts can create multiple F0 tenants. We acknowledge this and will revisit it if abuse materializes.

Personal tier key custody

Personal tier (F0, F0-Plus, F1 Starter) uses a SingleCustodian root key: one air-gapped machine, with a BIP39 mnemonic as the backup. This is not Shamir secret sharing. The trade-off: simpler operations, but less resilience than the enterprise tier's 2-of-3 Shamir ceremony, and no separation of duty, since whoever holds that machine or the mnemonic holds the whole key. Enterprise tier (F1 Growth+) uses Shamir, available in Phase 2.
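To make the trade-off concrete, here is an added example (not Ankayma's ceremony code) of the k-of-n Shamir split the enterprise tier is described as using, written in Python over the prime field GF(2^521 - 1) so that a 32-byte root key always fits; the field, the share encoding, the function names and the sample key are this example's own choices. It goes slightly beyond the page's 2-of-3 case by handling any threshold, and it shows the two properties the single-custodian design gives up: any threshold-sized subset of custodians recovers the key even after one share is lost, and a single share is consistent with every possible key, so one custodian alone learns nothing.

```python
"""Added example: k-of-n Shamir secret sharing of a 32-byte root key.

Not Ankayma's ceremony code. The field (Mersenne prime 2^521 - 1), the
share format and the sample key are assumptions made for this example.
"""
import secrets

# Mersenne prime 2^521 - 1: any 256-bit key is a valid field element.
PRIME = 2**521 - 1


def eval_poly(coeffs, x):
    """Horner evaluation of sum(coeffs[i] * x**i) mod PRIME."""
    y = 0
    for c in reversed(coeffs):
        y = (y * x + c) % PRIME
    return y


def split_secret(secret, threshold=2, shares=3):
    """Return `shares` points (x, f(x)) of a random polynomial of degree
    threshold-1 whose constant term is the secret. Any `threshold` of the
    points recover it; fewer reveal nothing about it."""
    s = int.from_bytes(secret, "big")
    if not 0 <= s < PRIME:
        raise ValueError("secret does not fit in the field")
    if not 1 <= threshold <= shares:
        raise ValueError("need 1 <= threshold <= shares")
    coeffs = [s] + [secrets.randbelow(PRIME) for _ in range(threshold - 1)]
    return [(x, eval_poly(coeffs, x)) for x in range(1, shares + 1)]


def recover_secret(shares, length=32):
    """Lagrange-interpolate f(0) from any >= threshold distinct shares."""
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share index")
    total = 0
    for xi, yi in shares:
        num, den = 1, 1
        for xj in xs:
            if xj != xi:
                num = num * (-xj) % PRIME
                den = den * (xi - xj) % PRIME
        total = (total + yi * num * pow(den, -1, PRIME)) % PRIME
    return total.to_bytes(length, "big")


def share_consistent_with(share, candidate_secret):
    """Threshold 2: one share is a single point on an unknown line. For any
    candidate secret there is a line through (0, candidate) and the share,
    so a lone custodian cannot distinguish the real key from any other.
    Returns the point that forged line produces at the share's x."""
    x, y = share
    c = int.from_bytes(candidate_secret, "big")
    slope = (y - c) * pow(x, -1, PRIME) % PRIME
    return (x, eval_poly([c, slope], x))


# Constructed sample root key for the demonstration (not a real key).
SAMPLE_KEY = bytes(range(32))

if __name__ == "__main__":
    shares = split_secret(SAMPLE_KEY, threshold=2, shares=3)
    # Any two custodians recover the key; one share can be lost.
    for pair in ((shares[0], shares[1]), (shares[1], shares[2]), (shares[0], shares[2])):
        assert recover_secret(pair) == SAMPLE_KEY
    # One share alone fits the all-zero key just as well as the real one.
    assert share_consistent_with(shares[0], b"\x00" * 32) == shares[0]
    print("any 2 of 3 shares recover the key; 1 share fits any key")
```

Share indices start at 1 because x = 0 would hand out the secret itself; the duplicate-index check matters in practice because two copies of the same share contribute no new information and would make the interpolation divide by zero.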

Hardware security keys — not required on Personal tier

Personal tier does not require hardware security keys (a YubiKey or a device-bound passkey) for authentication. Enterprise F2 Growth+ mandates AAL3 as defined in NIST SP 800-63B, which requires a hardware-based authenticator. If hardware keys are a hard requirement for you today, Personal tier is not the right fit.

Compliance frameworks — not mapped

We have not mapped Ankayma's controls to POJK 38/2016, NCA ECC-1:2018, UAE CB guidelines, SOC 2, or ISO/IEC 27001. These are on our roadmap for the enterprise tier (Phase 2+). Do not cite Ankayma as satisfying any compliance framework without your own legal review.

NFR numbers — not yet measured

The latency, memory footprint, and throughput targets listed in our architecture documents are design goals ([A]), not measured benchmarks. We will publish measured numbers after load testing.

Last updated: June 2026. Questions? hello@ankayma.com