Security & Compliance

FieldLock Runtime Stability Infrastructure

Does FieldLock access model internals?

No.

FieldLock does not access:

  • model weights

  • gradients

  • hidden states

  • internal activations

  • training data

FieldLock operates exclusively on output-level telemetry generated during inference.

Does FieldLock require access to training data?

No.

FieldLock does not ingest, inspect, or store training data of any kind.

Does FieldLock retain prompts or generated content?

By default, no.

FieldLock does not retain prompts or outputs unless explicitly configured to do so under a governed data policy.

Retention, redaction, and storage rules are configurable per deployment and can be aligned with internal data governance requirements.

Does FieldLock modify model behavior?

No, not during measurement.

FieldLock operates in read-only / observe-only mode by default.

Any discussion of stabilization or enforcement occurs only after:

  • a Validation Pilot

  • explicit customer approval

  • and clearly defined governance constraints

Measurement always precedes intervention.

Can FieldLock be deployed in regulated environments?

Yes.

FieldLock is designed for environments with strict regulatory, security, and compliance requirements, including:

  • financial services

  • healthcare and life sciences

  • government and defense

  • critical enterprise systems

Deployment can be isolated within:

  • private VPCs

  • on-prem environments

  • air-gapped or restricted networks

Does FieldLock expose model IP or proprietary logic?

No.

Because FieldLock does not access model internals, it does not expose:

  • proprietary model parameters

  • architecture details

  • vendor-specific inference logic

This makes FieldLock compatible with both closed-source and open-source model providers.

Is FieldLock compatible with vendor confidentiality agreements?

Yes.

FieldLock’s output-only integration avoids inspection of protected model internals, enabling deployment without violating model provider terms or confidentiality agreements.

How does FieldLock integrate with existing security controls?

FieldLock integrates as a non-invasive observability layer, similar in posture to logging or monitoring tools.

It does not require:

  • changes to inference runtimes

  • changes to prompt logic

  • changes to application orchestration

All access is scoped, auditable, and governed.

What data does FieldLock actually ingest?

FieldLock ingests output-level telemetry only, such as:

  • token sequences or output chunks

  • timing and sequencing metadata

  • turn and session boundaries

  • tool-call structure (if present)

No semantic labeling, classification, or interpretation of content meaning is required.

Is data encrypted in transit and at rest?

Yes.

FieldLock supports:

  • encrypted transport (TLS)

  • encrypted storage where retention is enabled

Deployment configurations can align with existing enterprise encryption and key-management standards.

Does FieldLock support audit and compliance workflows?

Yes.

FieldLock produces structured, exportable artifacts designed for:

  • internal audits

  • risk and compliance reviews

  • regulatory inquiries

  • board and executive reporting

These artifacts describe runtime stability behavior, not model content.

Does FieldLock store personally identifiable information (PII)?

Not by default.

FieldLock does not require PII for operation.

Where outputs may contain sensitive data, deployments can be configured with:

  • redaction

  • hashing

  • anonymization

  • zero-retention policies

to meet internal privacy standards.

Can FieldLock be disabled or removed safely?

Yes.

FieldLock can be:

  • enabled

  • disabled

  • or removed

without disrupting model serving or application logic.

It does not introduce hard dependencies into the inference stack.

How does FieldLock differ from AI safety filters or content moderation?

FieldLock does not evaluate what content is generated.

It evaluates how behavior evolves over time.

It complements safety and moderation tools by addressing a different class of risk: runtime instability.

What is the security posture during a Validation Pilot?

During a Validation Pilot:

  • FieldLock operates in observe-only mode

  • scope and data sharing are explicitly governed

  • no behavior modification occurs

  • all access boundaries are agreed in advance

The pilot produces evidence, not changes.

Who controls data governance and access?

The customer does.

All deployments operate under:

  • customer-defined data boundaries

  • customer-approved retention rules

  • explicit access controls

SubstrateX does not require standing access beyond the agreed engagement scope.

Is FieldLock compliant with SOC 2 / enterprise security standards?

FieldLock is architected to support SOC 2–aligned controls, including:

  • access logging

  • separation of duties

  • controlled data handling

  • audit-ready artifacts

Specific compliance mappings are available during procurement or security review.

Why is output-only integration considered safer?

Output-only integration:

  • minimizes attack surface

  • avoids exposure of proprietary internals

  • simplifies compliance review

  • reduces long-term maintenance risk

It is the most conservative integration posture available for runtime monitoring.

Who should review FieldLock from a security perspective?

Typical reviewers include:

  • Security architecture teams

  • Privacy and data governance leads

  • Compliance and risk officers

  • Procurement and legal teams

SubstrateX supports structured security reviews as part of Validation Pilots and deployment planning.

How can we initiate a security or compliance review?

To begin a security-focused discussion:

➡️ Request a Validation Pilot
➡️ Speak with the Founding Team

We will work within your security, privacy, and compliance frameworks from the first interaction.

Closing Note

FieldLock is designed to make runtime stability measurable without introducing new security risk.

It integrates like observability — not like control.