# Security FAQ

## Is Nexmoot a certification?

No. Nexmoot produces evidence-backed readiness decisions, Evidence Packets, Trust Passports, policy artifacts, and limitations. It does not certify unrestricted safety and does not provide SOC 2, ISO 27001, PCI, HIPAA, FedRAMP, GDPR, or other external certification.

## Does Nexmoot replace IAM, CI, OPA, SIEM, reverse proxy, or runtime gateway controls?

No. Nexmoot gives the customer evidence and recommendations. The customer remains responsible for final enforcement in IAM, CI, OPA, SIEM, reverse proxy, runtime gateway, and legal or compliance processes.

## Where does runtime state live?

The current product is single-tenant and self-hosted. Runtime state lives in the customer-controlled data directory, backed by the local SQLite product database. Evidence, signing keys, license state, audit events, and backups remain inside the self-hosted boundary.

## What secret material must not be archived?

Do not archive backup keys, proxy shared secrets, SIEM bearer tokens, compact offline license JWS values, private signing material, customer credentials, or unredacted secret-like assessment content in shared handoff folders.

## What does strict doctor prove?

Strict doctor verifies local production readiness checks such as installed runtime dependencies, writable data directory, migration inventory, backup-key readiness, trusted-proxy secret readiness when proxy auth is enabled, and offline license validation. It does not prove that the customer's IAM, SIEM, reverse proxy, backup storage, or legal process is configured correctly.

## What does production smoke prove?

Production smoke verifies strict doctor readiness, offline license status, `/api/admin/health`, and release manifest readiness against a launched service. It is a release and runtime evidence check, not an external audit opinion.

## What happens if the assessment returns `no-go`?

The customer should not grant the requested authority. The denial record and Evidence Packet should be reviewed, the underlying issues should be remediated, and a fresh assessment should be run before access is reconsidered.

## What happens if the assessment returns `limited-go`?

The customer may grant only the narrower authority described by the recommendations and restrictions. Enforcement still belongs in customer-owned IAM, CI, OPA, SIEM, reverse proxy, or runtime gateway controls.

## When should a Trust Passport be reassessed?

Reassess when the model, prompt, tool permissions, runtime, protected paths, or secret-surface boundaries differ from the passport evidence baseline. A Trust Passport is scoped to observed evidence, expiry, audience, restrictions, and status.
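The reassessment rule above amounts to a scope-drift check: compare the deployment as it is now against the evidence baseline the passport was issued for, and treat any difference in a scoped dimension, an expired passport, or a changed audience as a trigger. The following is an added illustration, not Nexmoot's own code; the passport schema, field names, the `no-go` status handling and the sample values are assumptions constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

# Hypothetical passport shape (not Nexmoot's real schema). The baseline
# dimensions are the ones the FAQ says a passport is scoped against.
BASELINE_DIMENSIONS = (
    "model", "prompt", "tool_permissions", "runtime",
    "protected_paths", "secret_surface",
)


@dataclass
class TrustPassport:
    baseline: dict        # observed evidence baseline, keyed by dimension
    expires_at: datetime  # passport expiry, UTC
    audience: str         # who the passport was issued to
    restrictions: list    # narrowing conditions attached to the decision
    status: str           # assumed vocabulary: "limited-go" or "no-go"


def utc(year, month, day):
    """Small helper so sample timestamps are unambiguous UTC values."""
    return datetime(year, month, day, tzinfo=timezone.utc)


def _normalize(value):
    # Collections (tool lists, path lists) compare order-insensitively;
    # scalars (model id, prompt digest, runtime tag) compare directly.
    if isinstance(value, (list, set, tuple)):
        return tuple(sorted(str(v) for v in value))
    return value


def reassessment_reasons(passport, current, now=None):
    """Return the reasons `current` is no longer covered by `passport`.

    An empty list means the passport still applies as scoped. Every
    reason is an independent trigger, so all of them are reported rather
    than stopping at the first one.
    """
    now = now or datetime.now(timezone.utc)
    reasons = []
    if passport.status == "no-go":
        reasons.append("passport status is no-go")
    if now >= passport.expires_at:
        reasons.append("passport expired")
    if current.get("audience") != passport.audience:
        reasons.append("audience mismatch")
    for dim in BASELINE_DIMENSIONS:
        # A dimension missing from `current` also counts as drift.
        if _normalize(passport.baseline.get(dim)) != _normalize(current.get(dim)):
            reasons.append(f"{dim} differs from evidence baseline")
    return reasons


# --- constructed sample data (not from any real assessment) ---------------

def sample_passport():
    return TrustPassport(
        baseline={
            "model": "example-model-v1",
            "prompt": "sha256:0000-constructed-prompt-digest",
            "tool_permissions": ["read_repo", "open_pr"],
            "runtime": "example-runtime-1.0",
            "protected_paths": ["/prod", "/secrets"],
            "secret_surface": ["CI_TOKEN"],
        },
        expires_at=utc(2026, 1, 1),
        audience="platform-team",
        restrictions=["no merge to main"],
        status="limited-go",
    )


def sample_current_unchanged():
    # Same scope as the baseline; tool list order differs on purpose.
    return {
        "audience": "platform-team",
        "model": "example-model-v1",
        "prompt": "sha256:0000-constructed-prompt-digest",
        "tool_permissions": ["open_pr", "read_repo"],
        "runtime": "example-runtime-1.0",
        "protected_paths": ["/prod", "/secrets"],
        "secret_surface": ["CI_TOKEN"],
    }


def sample_current_drifted():
    # A new tool permission was added and a protected path was dropped.
    current = sample_current_unchanged()
    current["tool_permissions"] = ["read_repo", "open_pr", "merge_pr"]
    current["protected_paths"] = ["/secrets"]
    return current


if __name__ == "__main__":
    passport = sample_passport()
    print(reassessment_reasons(passport, sample_current_unchanged(), now=utc(2025, 6, 1)))
    print(reassessment_reasons(passport, sample_current_drifted(), now=utc(2025, 6, 1)))
```

The point of reporting every trigger rather than the first is that the remediation differs: an expired passport needs a fresh assessment on the same scope, while a changed tool or protected-path set means the evidence baseline itself no longer describes the system and the inputs must be re-scoped before resubmission.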

## Can Nexmoot run without a Nexmoot human in the customer process?

Yes. The current self-service path is designed so the customer can configure inputs, submit the assessment, receive the automated decision, and download results without Nexmoot human participation in customer scoping, review, handoff, or delivery.
