Data Module

Irreversible operations require irreversible accountability.

Bulk deletes and exports look the same from the inside whether they are legitimate or malicious. Strix intercepts them before they run and requires a signed, approved decision — regardless of who is asking.

Governed operations

Every irreversible operation. Every time.

Bulk delete

CRITICAL

Scope: Records, documents, user data

Why it matters

Deletion is irreversible. Ransomware, wiper malware, and angry insiders all reach for the delete button.

Enforcement

Requires quorum approval. Signed artifact per approval. Action blocked until token issued.

Export / download

CRITICAL

Scope: Customer lists, PII dumps, full table exports

Why it matters

Data exfiltration looks identical to a legitimate export until the breach is discovered weeks later.

Enforcement

Requires approval for >1,000 records. Scope bound to payload — cannot expand post-approval.

Purge audit logs

CRITICAL

Scope: Governance logs, access records, evidence chain

Why it matters

The first thing a sophisticated attacker does after exfiltrating data is destroy the evidence.

Enforcement

Blocked unconditionally. No approval path. Chain integrity alerts on any gap.

Archive / soft-delete

HIGH

Scope: Workspaces, projects, accounts

Why it matters

Soft deletes can be restored, but the scope of what gets archived is often broader than intended.

Enforcement

Intercepted, logged, approval required for bulk operations.

Schema / config change

HIGH

Scope: Field mappings, data retention policies, column drops

Why it matters

Structural changes can silently corrupt or eliminate data without a single row being deleted.

Enforcement

Decision record created. Policy evaluates blast radius before execution token is issued.

Scope binding

Approval for 1,000 records cannot delete 1,000,001.

Execution tokens bind approval to the exact payload hash — the specific record IDs, the specific export filter, the specific operation. A token approved for one scope cannot be redeemed against a broader one. Scope expansion requires a new decision and a new approval cycle.

// Token validation at redemption
approved_scope: "records[1..1000]"
attempted_scope: "records[1..2500]"
→ Payload hash mismatch
→ Token: INVALID
→ Action: blocked
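
The scope-binding check described above, as an added sketch that is not Strix's own code. The function names, the JSON canonicalisation, the demo key and the use of HMAC-SHA256 to authenticate the token are all assumptions, since the page does not describe the real token format.

```python
import hashlib
import hmac
import json

# Assumption: constructed demo key. The page does not say how Strix
# authenticates execution tokens; HMAC-SHA256 is a stand-in here.
DEMO_KEY = b"constructed-demo-key"


def payload_hash(operation, record_ids, export_filter=None):
    """Hash the exact scope: operation, sorted unique record IDs, filter."""
    canonical = json.dumps(
        {"op": operation, "ids": sorted(set(record_ids)), "filter": export_filter},
        sort_keys=True,
        separators=(",", ":"),
    ).encode()
    return hashlib.sha256(canonical).hexdigest()


def issue_token(operation, record_ids, export_filter=None, key=DEMO_KEY):
    """Issued after approval: the payload hash plus a MAC over that hash."""
    digest = payload_hash(operation, record_ids, export_filter)
    mac = hmac.new(key, digest.encode(), hashlib.sha256).hexdigest()
    return {"payload_hash": digest, "mac": mac}


def redeem(token, operation, record_ids, export_filter=None, key=DEMO_KEY):
    """Return (allowed, reason) for the payload that is about to execute."""
    expected = hmac.new(key, token["payload_hash"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, token["mac"]):
        return False, "token MAC invalid"       # token was altered after issue
    attempted = payload_hash(operation, record_ids, export_filter)
    if not hmac.compare_digest(attempted, token["payload_hash"]):
        return False, "payload hash mismatch"   # scope differs from approval
    return True, "ok"


if __name__ == "__main__":
    token = issue_token("bulk_delete", range(1, 1001))    # records[1..1000]
    print(redeem(token, "bulk_delete", range(1, 1001)))   # approved scope
    print(redeem(token, "bulk_delete", range(1, 2501)))   # widened scope
    print(redeem(token, "export", range(1, 1001)))        # other operation
```

Because the hash covers the exact payload, any change of scope fails the comparison, including a different operation on the same record IDs.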

Chain continuity

Each evidence record links to the previous record's hash. A gap in the chain — from deletion, truncation, or tampering — is detectable by any external verifier.

Ed25519 signatures

Every evidence record is signed with an Ed25519 key whose public counterpart is published at /.well-known/strix-jwks.json. Signatures cannot be forged without the private key.

RLS isolation

PostgreSQL row-level security enforces tenant isolation at the database layer. Even a compromised application session cannot read or modify another tenant's evidence.

See a bulk delete get intercepted.

In the demo, we attempt to delete 5,000 records and watch Strix intercept the call, create a decision record, and require quorum approval — before a single row is touched.