Stop Surrendering Data.
Start Owning Boundaries.
Every SaaS platform trusted with organizational data is a liability waiting to detonate. Baur Software built pap://, Papillon, and Chrysalis to put cryptographic sovereignty back in the hands of principals - not vendors.
The Next Breach Is Already Scheduled
The following are not hypothetical scenarios. They are documented, recent, catastrophic failures of the exact security model most organizations are still relying on today.
The Canvas LMS Catastrophe
In May 2026, the ShinyHunters group breached Instructure's Canvas platform - the LMS used by 41% of all U.S. higher education institutions - stealing over 275 million records including student IDs, private messages, and course data across 9,000+ schools worldwide. Finals were cancelled. Class-action lawsuits followed immediately.
Source: Wikipedia / Fisher Phillips, May 2026
The GitHub Repository Breach
In May 2026, attackers compromised a widely-used coding tool to infiltrate and steal data from thousands of GitHub's internal repositories. If the world's most prominent code-hosting platform cannot secure its internal boundaries, proprietary intellectual property is actively at risk on any centralized platform.
Source: TechCrunch / CyberSecurity Dive, May 2026
Healthcare Hacking Incidents in 2025
As of October 2025, the U.S. Department of Health and Human Services had already recorded 364 hacking incidents against healthcare organizations. PHI records, patient histories, and billing data - all surrendered to platforms that were never designed to enforce cryptographic identity at the agent layer.
Source: American Hospital Association, Oct 2025
Every Industry Has Unique Risks. pap:// Has Specific Answers.
Baur Software's team has worked directly inside these industries. We did not build a generic security tool and retrofit it. We built pap://, Papillon, and Chrysalis from the ground up with the compliance requirements, threat models, and operational realities of each sector in mind.
| Sector | The Risk You Are Living With | The pap:// Sovereign Solution |
|---|---|---|
| Education | Centralized LMS platforms store millions of student records, private messages, and IDs in high-value, single-point-of-failure databases - as Canvas proved catastrophically in 2026. | Cryptographic SD-JWT selective disclosure ensures agents access only the exact data fields their mandate permits. No centralized PII aggregation. No ransom leverage. |
| Law / Legal | Uploading privileged case files, trade secrets, and client communications to external AI platforms destroys attorney-client privilege and creates catastrophic discovery liability. | Papillon's OS-level sandboxed execution means case data never leaves your secure boundary. Cryptographic receipts prove what was accessed and by whom. |
| Health Care | Autonomous medical billing and scheduling agents routinely access full patient records when they need only a single field - a HIPAA violation waiting to be audited. | Mandate-scoped permissions limit agent visibility to specific PHI properties. Immutable co-signed audit logs provide cryptographic HIPAA compliance proof on demand. |
| Military | Supply-chain compromises and air-gapped leaks occur when autonomous logistics or intelligence agents operate without cryptographic identity enforcement across fragmented networks. | Fully on-premises, air-gapped Chrysalis deployment. Every agent action produces a cryptographic receipt. CMMC and DoD architecture requirements met by design. |
| Private Sector | Corporate IP theft through rogue AI agents, compromised browser extensions, and unmonitored automation scripts accessing internal wikis, codebases, and financial systems. | Seccomp and pledge-level OS sandbox constraints prevent agents from spawning subprocesses, accessing the filesystem, or exfiltrating IP - even if fully compromised. |
| Government | FedRAMP and CMMC compliance failures when AI agents operate across shared agency databases with assumed identity and no immutable audit trail. | Multi-tenant zero-trust architecture with immutable, cryptographically signed audit trails for every delegation step. FedRAMP, CMMC, and DoD-ready by architecture. |
| Private Use | Personal identity theft, financial credential leaks, and the silent surrender of digital sovereignty to monopolistic tech platforms that monetize your behavioral data. | Self-sovereign, device-bound keypairs with ephemeral session DIDs per transaction. No central registry. No token economy. Data stays on the principal's machine. |
Three Products. One Unified Trust Architecture.
Baur Software engineered pap://, Papillon, and Chrysalis as a cohesive, interlocking system. Each product solves a distinct layer of the trust problem. Together, they seal the entire stack.
Principal Agent Protocol
A cryptographic open standard that governs what agents are permitted to see. A principal signs a mandate specifying the action, the disclosure scope, and the TTL. SD-JWT selective disclosure ensures agents receive only the exact data properties their mandate permits - nothing more. A child request can never exceed its parent's scope. Cryptographically enforced. Always.
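The scope rule described above, as an added example that is not Baur Software's code and not the pap:// wire format: it checks that a delegated mandate never widens its parent's disclosure scope or outlives it, then filters a record down to the permitted fields. The `Mandate` fields, the same-action rule, and the sample data are assumptions; signature verification and SD-JWT encoding are deliberately left out.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Mandate:
    """Hypothetical in-memory mandate; field names are illustrative only."""
    action: str                  # what the agent is allowed to do
    scope: frozenset             # data properties that may be disclosed
    expires_at: int              # issue time + TTL, in Unix seconds
    parent: Optional["Mandate"] = None


def attenuation_errors(child: Mandate, parent: Mandate) -> list:
    """Return the ways in which `child` exceeds `parent` (empty list = none)."""
    errs = []
    if child.action != parent.action:      # assumption: delegation keeps the action
        errs.append(f"action changed: {parent.action} -> {child.action}")
    extra = child.scope - parent.scope
    if extra:
        errs.append(f"scope widened: {sorted(extra)}")
    if child.expires_at > parent.expires_at:
        errs.append("child outlives parent")
    return errs


def validate_chain(leaf: Mandate, now: int) -> list:
    """Walk leaf -> root, collecting expiry and attenuation violations."""
    errs, m = [], leaf
    while m is not None:
        if now >= m.expires_at:
            errs.append(f"expired: {m.action}")
        if m.parent is not None:
            errs.extend(attenuation_errors(m, m.parent))
        m = m.parent
    return errs


def disclose(record: dict, mandate: Mandate) -> dict:
    """Release only the properties named in the mandate's scope."""
    return {k: v for k, v in record.items() if k in mandate.scope}


# Constructed sample data.
ROOT = Mandate("billing", frozenset({"patient_id", "insurance_id", "billing_code"}), 1600)
OK_CHILD = Mandate("billing", frozenset({"billing_code"}), 1300, ROOT)
BAD_CHILD = Mandate("billing", frozenset({"billing_code", "diagnosis"}), 2000, ROOT)
RECORD = {"patient_id": "P-001", "diagnosis": "J45", "billing_code": "99213"}
```

A verifier would run `validate_chain` on the whole chain and refuse to call `disclose` unless it returns an empty list.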
Sandboxed Agent Workspace
A secure, multi-agent desktop canvas where every agent executes in OS-level isolation. Enforced capability constraints (seccomp, pledge, entitlements) prevent network access, filesystem escapes, and subprocess spawning - even if an agent is fully compromised. Every execution produces a cryptographic receipt proving exactly what constraints were applied.
Federated Agent Identity
A self-hostable, federated agent registry where agents register with verifiable DIDs and Ed25519-signed advertisements. pap:// mandates are verified before any execution. Per-agent sandbox enforcement with cryptographic attestation. No gatekeeper. No vendor lock-in. The registry is self-hosted on the principal's infrastructure.
We Do Not Hand You a Spec Sheet. We Build It With You.
Most security strategies look strong in architecture diagrams and fail the moment they meet legacy systems and real operational pressure. Baur Software's human-AI engineering team works directly inside client environments to close that gap.
Analyze
We audit existing infrastructure, data flows, agent permissions, and identity architecture to map every hidden vulnerability and implicit trust gap - the ones current tools cannot see.
Strategize
We design a custom, zero-trust delegation model tailored specifically to the sector's regulatory requirements, operational constraints, and threat landscape. No generic playbooks.
Implement
We deploy pap://, Papillon, and Chrysalis directly into production environments - integrating seamlessly with legacy stacks without operational downtime or forced migration.
Do Not Wait for the Next Audit to Become an Inquest.
Canvas waited. GitHub waited. 364 healthcare organizations waited. Every one of them paid a price that dwarfs the cost of a single strategy session.
Book a Sovereign Strategy Session
Speak directly with the Baur Software founders. We will analyze your current exposure, identify the highest-risk trust boundaries, and outline a concrete implementation roadmap for pap://, Papillon, and Chrysalis in your environment.