[ honesty page ]
What EEI doesn't do.
Every credible primitive has a perimeter. Here is ours.
No cross-customer reputation graph.
EEI does not pool device or user reputation across operators. Each operator's evidence is sovereign to that operator's deployment. Cross-operator reputation services exist (BioCatch, ThreatMetrix class) — that is not what EEI is.
No on-device enforcement.
EEI signs what happened. It does not block, freeze, or refuse on the device. Enforcement is the operator's policy engine reading EEI evidence — at the verifier, in the backend, in the auth flow. The substrate testifies; the operator decides.
No web surfaces.
EEI is a device-side substrate for mobile, POS, SoftPOS, and SST. Web sessions, browser-based payments, and pure server-to-server flows are out of scope. Where a customer journey touches both web and mobile, EEI covers the mobile leg only.
PCI / SOC 2 / ISO 27001 / scheme certifications are out of scope by design.
EEI is a substrate that operators integrate into their own certified environments; certifications attach to operators, not to the substrate.
Each of the four boundaries is structural, not a roadmap item. Reputation stays sovereign. Enforcement stays with the operator. Surfaces stay device-side. Certifications stay with the environments that integrate the substrate. The shape is the commitment.