Security at Proof of You
Trust is built on transparency. Here is how we protect your data.
Our Security Architecture
Zero-Knowledge Design
We never see your biometric data. Everything is processed on your device. Only a one-way hash reaches our servers - and that hash is mathematically irreversible.
Encrypted at Rest and in Transit
All data is encrypted with AES-256 at rest. All connections use TLS 1.3. The database is protected by row-level security policies that ensure users can only access their own records.
No Single Point of Failure
Graceful degradation architecture means the system keeps working even when components fail. We never return false positives under degradation - safety is the default.
What We Protect
- Biometric hashes - irreversible SHA-256 hashes, stored encrypted, isolated by row-level security
- API keys - hashed with SHA-256 before storage. The plaintext key is shown once at creation and never stored.
- Trust scores - computed exclusively from verified events. Cannot be manually edited or artificially inflated.
- Activity logs - IP addresses are hashed before storage. We never retain plaintext IP addresses.
What We Cannot Be Compromised On
Even in a worst-case breach scenario, certain data simply does not exist on our servers:
- Your actual biometric data - we never have it. It is processed entirely on your device and never transmitted.
- Your content - we only store cryptographic hashes of stamped content, never the content itself. A hash cannot be reversed to reconstruct the original.
- Your identity - PoY proves humanness, not personal identity. We do not store names, addresses, government IDs, or other personally identifying information.
Responsible Disclosure
Found a vulnerability? Email security@proofofyou.com. We take every report seriously and will respond within 48 hours. We do not pursue legal action against good-faith security researchers.
Security Practices
Our operational security is built on continuous vigilance, not one-time audits.
SOC2 and Compliance
We are pursuing SOC2 Type II certification. Our security posture is designed to meet the Trust Services Criteria for security, availability, processing integrity, confidentiality, and privacy.
Contact compliance@proofofyou.com for our current security questionnaire or to discuss your organization's specific security requirements.