Security

Security

Enterprise-grade security. Transparent practices. Continuous improvement.

Ed25519 Cryptographic Signing

Every proof package is digitally signed with Ed25519 elliptic curve cryptography. This ensures:

  • Tamper-evident: Any modification invalidates the signature
  • Verifiable: Anyone can verify signature authenticity
  • Non-repudiable: Proof of issuance by ProofOS
  • Portable: Works offline, no ProofOS infrastructure required

Algorithm: Ed25519
Key Length: 256 bits
Hash Function: SHA-512
Standard: RFC 8032

AES-256 Encryption

All claim data is encrypted at rest with AES-256-GCM. Each wallet has a unique encryption key.

  • Per-wallet keys: Breach of one wallet doesn't compromise others
  • Zero plain-text PII: Database admins cannot read claim data
  • NIST-approved: NSA Suite B compliant
  • Galois/Counter Mode: Authenticated encryption (integrity + confidentiality)
Security Architecture

Infrastructure

  • ✓ Hosted on Supabase (SOC 2 Type II certified)
  • ✓ Data centers in India (DPDP compliance)
  • ✓ Automated daily backups (encrypted)
  • ✓ DDoS protection via Cloudflare

Application Security

  • ✓ Row-Level Security (RLS) on all database tables
  • ✓ Rate limiting on authentication endpoints
  • ✓ HTTPS/TLS 1.3 encryption in transit
  • ✓ Secure HTTP headers (CSP, HSTS, X-Frame-Options)

Access Control

  • ✓ Passwordless OTP authentication
  • ✓ Session tokens with expiry
  • ✓ Consent-based data sharing
  • ✓ Revocable permissions
Audit & Compliance

Audit Trails

Every action creates an immutable audit log:

  • ✓ Wallet creation
  • ✓ Claim addition
  • ✓ Share link creation
  • ✓ Proof exports
  • ✓ Share revocation
  • ✓ Access attempts (successful + failed)

Compliance Standards

  • ✓ DPDP Act 2023 (India)
  • ✓ ISO 27001 principles
  • ✓ OWASP Top 10 mitigations
  • ✓ NIST Cybersecurity Framework
Responsible Disclosure Program

We welcome security researchers to report vulnerabilities responsibly. We are committed to addressing security issues promptly.

How to Report

  1. 1. Email security findings to: security@proofos.com
  2. 2. Include: vulnerability description, steps to reproduce, impact assessment
  3. 3. Do not publicly disclose until we've addressed the issue
  4. 4. We will acknowledge within 48 hours
  5. 5. We aim to fix critical issues within 7 days

Out of Scope

  • ✗ Social engineering
  • ✗ Denial of service attacks
  • ✗ Physical security
  • ✗ Third-party services

Hall of Fame: We publicly acknowledge researchers who report valid vulnerabilities (with permission).

Incident Response

In the event of a security incident:

  1. 1. Affected users notified within 24 hours
  2. 2. Incident details published on status page
  3. 3. Forensic investigation conducted
  4. 4. Post-mortem report published (within 7 days)
  5. 5. Preventive measures implemented
Security Contact

For security concerns, vulnerability reports, or compliance inquiries:

Email: security@proofos.com

PGP Key: Available on request

Response Time: Within 48 hours

Security Updates & Changelog

We maintain a public security changelog of patches and improvements. Subscribe to security advisories at security@proofos.com.

Privacy Policy | Terms of Service | Contact | Back to Home