BaseCite Security Portal
Security controls protect customer-submitted/unverified data with private encrypted storage, rate limits, audit events, no raw public download, and no bulk export. External KMS/HSM, WORM, SOC 2, and legal approval remain external evidence gates.
Protected upload API
POST /api/v1/organizations/{org_id}/customer-uploads
{ "filename": "profile.txt", "visibility": "ai_readable_controlled", "payload": "...", "uploader_organization_type": "customer", "uploader_organization_id": "customer-org", "asserted_subject_org_id": "customer-org", "consent": { "accepted": true, "beta_agreement_version": "controlled-launch-2026-06-19", "ai_readable_use_consent_version": "ai-readable-use-2026-06-19", "text_hash_sha256": "...", "consenting_user_id": "customer-user-id", "consenting_user_email": "customer@example.com", "accepted_at": "2026-06-19T00:00:00.000Z" } }Workspace and credentials
Boundaries
- Upload acceptance is not truth verification.
- OriginCairn review is optional later reference only, not an upload prerequisite.
- No raw file public download, all-customer list, database dump, embeddings export, or bulk export.
- AI/MCP access is per-record, API-key controlled, rate-limited, audited, and canary-marked.