PUBLIC TRUST CENTER

Trust Center

Security posture, compliance roadmap, and disclosure workflow.

Forneus is pre-institutional, so this page does not pretend mature certifications are already complete. It shows the control architecture, audit path, and evidence plan investors should expect before enterprise and defense-adjacent deployment.

// Trust Posture

Built for diligence, not slogans

The security thesis is local-first execution, hardware-bound identity, post-quantum migration readiness, and auditable workflows across the product portfolio.

01

Local-first data control

VASSAGO, GARM, KAIROS and PHANES are designed to minimize unnecessary cloud exposure. Sensitive documents, credentials and evidence logs should be protected by GARM and role-based access before enterprise pilots.

02

Post-quantum readiness path

NIST finalized its first post-quantum encryption standards in 2024. Forneus treats PQC as a migration roadmap: protocol selection, key lifecycle documentation, and third-party cryptographic review before high-assurance claims.

03

Regulated workflow evidence

NIS2, DORA and the EU AI Act create audit pressure. The portfolio needs evidence trails: user action logs, human-review checkpoints, model-output disclaimers, access controls and retention rules.

04

Defense-adjacent discipline

ELIGOS, MORRA and PAZUZU require staged demonstrations, export/legal review, safety cases and partner-controlled pilots. Public material should support qualified diligence without theatrical secrecy language.

// Compliance Roadmap

Controls investors can underwrite

Certification spend is staged after product-market evidence. The goal is to avoid paying for audits before the right lead products are clear.

Q4 2026$45K-$75K

Security policy baseline, data inventory, access-control model, vendor register, incident-response draft and DPIA templates for VASSAGO/GARM.

Q1 2027$65K-$110K

Penetration-test scope, secure SDLC, secrets management, audit logging, backup/restore procedure and pilot customer security questionnaire pack.

Q2 2027$90K-$150K

ISO 27001 readiness, SOC 2 gap assessment, DORA/NIS2 mapping for finance-critical workflows, and external review of GARM/Auth controls.

Q3-Q4 2027$140K-$260K

Formal audit decision for the product with strongest revenue evidence; defense/export review pack for ELIGOS/MORRA/PAZUZU if grant-funded.

72%
46%
28%
24%
// Evidence Pack

What a fund should request

A professional trust center should guide diligence rather than hide behind broad security claims.

Technical

Architecture documents

Threat model, data-flow diagrams, key-management model, secure SDLC, dependency policy, deployment topology and product-specific risk register.

Commercial

Pilot security pack

Security questionnaire answers, procurement one-pager, privacy summary, incident response contacts, retention policy and model-output human-review disclaimer.

Defense

Controlled disclosure

For defense-adjacent systems, full technical details should move under NDA with qualified investors, grant reviewers or strategic partners only.

Disclosure

Vulnerability workflow

Reports submitted below are routed through the site backend, stored as form submissions and emailed to the admin recipient configured in the backend.

// Founder Trust

Who is accountable

Trust starts with identifiable leadership, public diligence surfaces, and a clear distinction between what is proven today and what must still pass external review.

Leadership

Named founders and public profiles

Oleksandr Lushpihan and Juliia Nuzhnenko are presented through public profile links, role descriptions, and a leadership page that explains what each founder owns. Sensitive co-founder details are reserved for qualified NDA review rather than dramatized on the public site.

Competence

Certificates and course evidence

Founder education artifacts are linked from the leadership page, including cybersecurity, risk management, network security, security policy, AI strategy, communication, and leadership training. These are not substitutes for audits; they support founder diligence.

Recognition

External validation signals

Current public proof points include GARM in the EEC 2026 Top-80 context and PAZUZU's Brave1 / MineSight semi-finalist review context. The page treats them as signals, not revenue or certification claims.

Accountability

No inflated certification claims

Forneus does not claim ISO 27001, SOC 2, defense accreditation, or production-grade certification before those audits are funded, scoped, and completed. The roadmap shows what must happen first.

// Security Program

Controls that should exist before scale

The trust center defines the control set expected before enterprise, financial, or defense-adjacent deployment.

Access

Least privilege and admin isolation

Administrative surfaces require bearer-token authentication, protected backend routes, rate limits, and separation from public content. Future production hardening should add MFA, role-based admin accounts, rotation policy, and audit trails.

Data

Privacy-aware analytics

Site analytics use session identifiers, page paths, device type, referrer, coarse location, and engagement duration. Coordinates collected through the weather widget should be rounded and used for city/country analytics rather than invasive user profiling.

Engineering

Secure SDLC baseline

Before commercial scale, every product should maintain dependency review, secret handling, branch/release discipline, vulnerability triage, reproducible deployments, backup/restore tests, and documented rollback procedures.

AI

Human-reviewed AI outputs

Legal, finance, security, and defense-adjacent workflows require user-visible limitations, human review checkpoints, evidence logging, model-risk notes, and clear ownership of final decisions.

// Diligence Library

What Forneus should be ready to provide

A real trust center helps investors, partners, and researchers know exactly what evidence to request.

CompanyIdentity pack

Company registration summary, founder IDs under appropriate process, ownership/cap table summary, public channels, and contact authority.

ProductArchitecture pack

Data-flow diagrams, deployment topology, threat model, dependency list, model-risk notes, and product-specific roadmap.

SecurityControls pack

Access policy, incident response, vulnerability disclosure workflow, backup/restore procedure, logging plan, retention rules, and third-party review scope.

CommercialPilot pack

Design partner criteria, pilot terms, evaluation metrics, pricing assumptions, support boundaries, and procurement questionnaire answers.

DefenseControlled pack

For ELIGOS, MORRA, and PAZUZU: safety case, export/legal screening, field-test boundaries, partner qualification, and NDA-controlled technical disclosures.

// Transparency

Current status, plainly stated

The professional trust position is ambitious but honest: strong founder execution and proof assets, with formal certifications still ahead.

Strong
Growing
Baseline
Planned
Planned

Vulnerability Disclosure

Security researchers can submit reproducible findings. Forneus is not advertising a paid bounty pool yet; severity, impact and response path are reviewed case by case.