NullState is non-custodial by design. Private keys exist only in src/wallet/.env (chmod 600) and are never transmitted, logged, or stored remotely. Identity validation uses RSA-2048 PKCS1v15-SHA256 challenge/response (KYA protocol) — no user data or secrets are collected.

• No user data collection. NullState processes agent-to-agent transactions only. No emails, passwords, or PII are stored.
• Local-only identity validation. RSA keys stay on the machine. KYA tokens are time-bound (1h TTL) and scoped to agent identity.
• File-system isolation. fcntl.flock(LOCK_EX) on all shared state files. SQLite WAL mode with synchronous=NORMAL for the database.
• No external dependencies for crypto. Uses stdlib ssl + cryptography library for all signing/verification.
• TLS on all external ports. Gateway port 8080 runs HTTPS with auto-generated self-signed certificates.

If you discover a security vulnerability in NullState, please report it by emailing agent@nullstate.ai.

We will acknowledge receipt within 48 hours and provide a timeline for a fix. Please do not disclose the vulnerability publicly until we have addressed it.

• Description of the vulnerability
• Steps to reproduce
• Affected version(s)
• Any proof-of-concept code (if applicable)

• cryptography — RSA signing/verification
• pydantic — mandate model validation
• solders — Solana transaction parsing
• requests — HTTP crawling only
• All other modules are Python stdlib

NullState does not process, store, or transmit user personal data. It operates as a local agent-to-agent settlement pipeline with no cloud storage of identities or transaction history beyond the local SQLite database and JSON backup files.