Kolm's trust boundary is a property of the file format, not a marketing line. Receipts are HMAC-bound. Artifacts are signed. The user's data never leaves the device.
The cloud sees what the developer authored. The device reads what only the user can. Two halves, never confused.
Never the user's email, photos, journal, health, finance, or private documents.
The artifact is signed, sandboxed, and offline. Cloud cannot reach in. Device does not phone out.
Kolm's cloud sees your app's task spec, seed examples, evals, and target devices. The user's private data is only read by the on-device runtime.
We assume the attacker has full root on the device, full network observation, and a copy of every signed artifact ever published. The contract still holds.
Receipts are an HMAC-SHA256 chain over (artifact_hash || eval_set_hash || eval_score || judge_id). The chain key derives via HKDF-SHA256 from the signing identity. Without that identity, the chain cannot be re-formed.
If a single byte changes in the artifact, the eval set, the score field, or the judge ID, verification breaks. There is no soft failure mode. Either the chain is valid, or it is not.
A receipt does not just hash the artifact. It binds (artifact_hash, eval_set_hash, eval_score, judge_id) as a single message and chains them under HMAC-SHA256, with the chain key derived via HKDF-SHA256 from the signing identity.
If your auditor asks "how was this model tested", the answer lives inside the file. The score is bound to the exact eval set that produced it, on the exact judge that scored it, on the exact artifact you shipped.
Receipts are public, deterministic, and verifiable offline. The reference verifier is ~30 lines of Go and ships MIT under RS-1-receipts.
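A worked sketch of the receipt chain described above, added here as an illustration and not Kolm's reference verifier or RS-1's exact wire format: it derives the chain key with HKDF-SHA256 from a signing identity, binds (artifact_hash, eval_set_hash, eval_score, judge_id) into one HMAC-SHA256 link that also covers the previous link, and walks a chain to verify it. The field names, the length-prefixed message encoding, the 32-zero-byte genesis value, and the HKDF salt and info strings are assumptions.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/binary"
)

// Receipt carries the four fields RS-1 binds plus the chain link (field names assumed).
type Receipt struct {
	ArtifactHash, EvalSetHash []byte // SHA-256 of the shipped artifact and of the eval set
	EvalScore                 uint32 // score in basis points (encoding assumed)
	JudgeID                   string
	MAC                       []byte // HMAC-SHA256 link value
}

func hmacSHA256(key, msg []byte) []byte {
	m := hmac.New(sha256.New, key)
	m.Write(msg)
	return m.Sum(nil)
}

// ChainKey is HKDF-SHA256 (RFC 5869 extract, then one expand block) over the signing
// identity; without that identity the chain cannot be re-formed. salt and info are assumed.
func ChainKey(identity, salt []byte, info string) []byte {
	return hmacSHA256(hmacSHA256(salt, identity), append([]byte(info), 0x01))
}

// Link MACs prev || artifact_hash || eval_set_hash || eval_score || judge_id as one message,
// length-prefixing each variable field so boundaries are unambiguous (encoding assumed).
func Link(key, prev []byte, r Receipt) []byte {
	var msg []byte
	for _, f := range [][]byte{prev, r.ArtifactHash, r.EvalSetHash, []byte(r.JudgeID)} {
		msg = append(binary.BigEndian.AppendUint32(msg, uint32(len(f))), f...)
	}
	return hmacSHA256(key, binary.BigEndian.AppendUint32(msg, r.EvalScore))
}

// Verify re-forms the chain (32-zero-byte genesis assumed) with the same key and compares
// each link in constant time; one changed byte in any bound field, or the wrong key, fails.
func Verify(key []byte, rs []Receipt) bool {
	prev := make([]byte, sha256.Size)
	for _, r := range rs {
		if !hmac.Equal(Link(key, prev, r), r.MAC) {
			return false
		}
		prev = r.MAC
	}
	return true
}
```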
In flight: SOC 2 Type I, target Q4 2026. SOC 2 Type II target Q2 2027. BAA and DPA available on request for paid plans.
Type I report targeted Q4 2026. Type II window opens immediately after. Status: in flight.
Compile is opt-in pass-through. Personalize never sees PHI. Status: on request.
Receipts are the exact artifact disclosure the EU AI Act asks for. Status: on request.
A running log of the boring, load-bearing security work. Dated, specific, verifiable in the open codebase. We publish what we land, not what we plan.
N=2^15, r=8, p=1.
unsafe-eval removed. All inline eval paths excised; recipe execution sandboxed in a Worker with explicit message contract.
SameSite=Strict, HttpOnly, Secure on all session cookies. localStorage retained as opt-in dev mode.
SOC 2 Type I auditor selection underway. We will name the firm publicly the day we sign — not before.
A complete list of vendors that may process customer data, scoped to the listed purpose only.
We notify customers 30 days before adding a new sub-processor that touches personal data.
If you found something, write to us. We acknowledge within 48 hours and aim for a 90-day public disclosure window after a fix ships.
Scope. kolm.ai, the cloud compile API, the public registry, the iOS, Android, and Web SDKs, and the .kolm format itself.
Out of scope. Customer-published artifacts (those are the customer's). Findings against test infrastructure (status.kolm.ai). Social engineering of staff.
Safe harbor. We will not pursue legal action for good-faith research that respects user data and gives us reasonable time to respond.
The contract is in the open. MIT-licensed, versioned, signed. No vendor lock by construction.
RS-1: the HMAC chain, the bound fields, the verifier algorithm.
Manifest: typed nodes, typed edges. No JIT, no eval, no dynamic class loaders.
Receipts: JSON, deterministic, embeddable in CI, embeddable in the artifact.
Every kolm SDK ships through the platform's first-party signing chain. No sideloaded code. No JIT.
Native runtime parses a typed manifest. No eval(), no new Function(), no downloaded executable code. App Store Review Guideline 2.5.2 safe by construction.
Native AAR signed and Integrity-attested at runtime. Manifest parser does not call any reflection or class loaders.
SDK bundles ship with SRI hashes. WebGPU and WASM only. No remote JS evaluation.
CLI binaries are reproducible from the public source tree. Hashes published with each release.