HomeVisionPrinciplesGet StartedGitHub

Safety Policy

When we pause. Why we pause. What we haven't received.

Last Updated: December 15, 2025

Our Principle

Fix if we can. Pause only if we can't.

Pausing CIRIS services is a last resort, not a first response. If we discover a problem, we fix it. We only pause when the issue is irremediable — when continued operation would cause harm we cannot prevent any other way.

Warrant Canary

All Clear

As of December 15, 2025, CIRIS L3C and its operators affirm:

  • We have not received any National Security Letters (NSLs)
  • We have not received any orders under the Foreign Intelligence Surveillance Act (FISA)
  • We have not been subject to any gag order preventing disclosure of government requests
  • We have not placed any backdoors in our software or been asked to do so
  • We have not provided any user data to government agencies
  • We have not been compelled to modify CIRIS to weaken its ethical constraints

This canary is updated with each release or at minimum every 90 days. If this statement disappears or is not updated, assume the worst.

Verification

A cryptographically signed version of this canary is available at /canary. Verify against the public key in the CIRISAgent repository.

Global Pause Triggers

These conditions would pause all CIRIS services worldwide:

Security Vulnerability

A discovered vulnerability that cannot be patched immediately and poses active risk to users. We fix vulnerabilities when we can. We pause only when continued operation would expose users to harm we cannot mitigate.

Irremediable Harm

Evidence that CIRIS is causing harm that cannot be stopped through patches, configuration changes, or other remediation. The harm must be ongoing, attributable to CIRIS, and unfixable without full shutdown.

Core Ethical Violation

Discovery that CIRIS is fundamentally violating its Covenant principles in a way that cannot be corrected without architectural changes. The system must be taken offline until the violation is addressed at its root.

Region-Specific Triggers

These conditions may pause services in specific regions while others continue operating:

US Region (Chicago)

  • Legal compulsion — Court order, warrant, or subpoena requiring action incompatible with our commitments
  • Provider termination — Vultr service unavailable or terminated
  • Compliance failure — Inability to meet US regulatory requirements

If US region pauses, EU region continues serving users where possible.

EU Region (Germany)

  • Legal compulsion — EU/German court order or regulatory action incompatible with our commitments
  • Provider termination — Hetzner service unavailable or terminated
  • GDPR/EU AI Act failure — Inability to meet EU regulatory requirements

If EU region pauses, US region continues serving users where possible.

Response Process

1

Assess

Determine if the issue is remediable. Can we fix it? Can we mitigate it? Most issues can be resolved without pausing services.

2

Remediate

If fixable, we fix it. Patches, configuration changes, provider switches — whatever resolves the issue while maintaining service.

3

Pause (if necessary)

Only if the issue cannot be remediated do we pause the affected services. Pause is immediate. Status page reflects the outage.

4

Communicate

Update the status page. If legally permitted, explain why. If not permitted to explain, the warrant canary will reflect the change.

5

Resolve

Work to resolve the underlying issue. Resume service only when the trigger condition is fully addressed. Document the incident publicly when possible.

Zero Data Retention

Your conversations are never stored. CIRISProxy processes requests in real-time and deletes all conversation content immediately after response delivery. We cannot retrieve, replay, or analyze your conversations because we do not retain them.

Operational Metadata We Collect

For debugging and abuse prevention, we collect minimal operational metadata. This data is anonymized by design and cannot be linked to you or your conversations:

FieldValueWhy Safe
interaction_idSHA256 hash (truncated)Irreversible, no PII
request_idRandom UUIDRandom, not linked to user
retry_countInteger (0, 1, 2...)Just a number
error_category"TIMEOUT", "RATE_LIMIT"Category only, no content

What we explicitly do NOT collect: User messages, AI responses, email addresses, names, IP addresses, conversation history, or any content that could identify you or reconstruct your interactions.

Transparency Commitment

  • This policy and the warrant canary are updated at minimum every 90 days
  • All code is open source — you can verify our claims against the implementation
  • The status page reflects real-time service state
  • If we cannot explain a pause, the silence itself is the explanation
  • We will challenge legal requests we believe are unlawful or unconstitutional
View Current StatusSigned Canary

CIRIS - Ethical AI by Design

© 2025 Eric Moore and CIRIS L3C | AGPL-3.0 License