Trust Center · English
Security you can verify, limits we state plainly
Fail-closed by principle
If a status cannot be checked, the answer is deny(unavailable) — never a stale allow from cache. The revocation path runs on a separate minimal endpoint and stays up in degraded mode.
Cryptographic discipline
Timing-safe HMAC comparison, proof-of-possession freshness (60 s), nonce-based presentations, signed receipts on every decision. Production path: ES256 with HSM-held keys.
Evidence integrity in the database
Append-only enforced by triggers: updates and deletes are blocked even for admins; every entry binds the previous hash. Validated with 16 database-level tests.
Identity & access
Magic link, Google OAuth, enterprise SAML SSO, TOTP 2FA with an AAL2 gate. API keys per verifier with per-key rate limits and instant revocation.
Data residency & GDPR
EU/Swiss hosting, data export (Art. 20), account deletion with anonymization that preserves the legally required evidence chain.
Honest go-live list
Qualified timestamps (QTSP contract), HSM key custody, multi-region redundancy and EUDI/E-ID wallet connections are architecture-ready but not yet live — stated plainly, with dates, not asterisks.