Security
Statement

Security is central to our architecture. Here are the controls we use to protect your data.

Security architecture

Our platform is built with defensive controls across all layers:

→

Ephemeral data processing

Identity documents are processed in-memory and then deleted

→

TLS 1.3 encryption

All client/server communications use TLS 1.3

→

End-to-end encryption

Sensitive payloads are encrypted with AES-256-GCM

→

Zero PII retention

No personally identifiable information is persistently stored

→

Content security policy

Strict CSP to prevent XSS and code injection

→

Environment isolation

Strict separation across dev, test, and production

Instead of storing personal data, we generate zero-knowledge commitments (Poseidon) proving attributes without revealing underlying information.

If you discover a vulnerability, please report it responsibly.

We respond within 48 hours and remediate critical vulnerabilities within 7 days.

Our infrastructure aligns with international security standards:

For security inquiries or vulnerability reporting:

Last updated: December 2025