CertifiedData.io
Security

Security architecture

CertifiedData is built for regulated environments. Cryptographic correctness and auditability are the foundation — not an afterthought.

Cryptographic signing

  • Ed25519 digital signatures on all certificates
  • Private keys stored in isolated database table (certificate_signing_keys) — never exported
  • Signatures stored as base64url; raw 32-byte public key published for cross-language verifiers
  • SHA-256 dataset fingerprinting with RFC 8785 canonicalization
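
A cross-language verifier of the kind the list above describes has to turn the raw 32-byte public key into a key object and decode the base64url signature before checking it. The Node.js sketch below is an added example, not CertifiedData's own code. The function names, the exact bytes that are signed and the demo payload are assumptions; the key pair is a throwaway generated for the demo.

```javascript
const crypto = require('node:crypto');

// Fixed DER header of an Ed25519 SubjectPublicKeyInfo (RFC 8410); the raw
// 32-byte public key follows it directly.
const SPKI_PREFIX = Buffer.from('302a300506032b6570032100', 'hex');

// Buffer.from() silently skips invalid characters, so validate the alphabet first.
function b64urlDecodeStrict(text) {
  if (typeof text !== 'string' || !/^[A-Za-z0-9_-]+={0,2}$/.test(text)) {
    throw new Error('not base64url');
  }
  return Buffer.from(text, 'base64url');
}

// Node has no "raw" import for Ed25519 public keys, so wrap the key in SPKI DER.
function publicKeyFromRaw(raw) {
  if (raw.length !== 32) throw new Error('Ed25519 public key must be 32 bytes');
  const der = Buffer.concat([SPKI_PREFIX, raw]);
  return crypto.createPublicKey({ key: der, format: 'der', type: 'spki' });
}

// Returns true only if sigB64url is a valid Ed25519 signature over payloadBytes.
// Assumption: the caller already holds the exact bytes that were signed.
function verifyCertificate(payloadBytes, sigB64url, rawPublicKey) {
  let sig, key;
  try {
    sig = b64urlDecodeStrict(sigB64url);
    key = publicKeyFromRaw(rawPublicKey);
  } catch {
    return false; // malformed input counts as a failed verification
  }
  if (sig.length !== 64) return false; // Ed25519 signatures are always 64 bytes
  return crypto.verify(null, payloadBytes, key, sig);
}

// Constructed demo data: throwaway key pair and a made-up payload.
function demo() {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('ed25519');
  // The last 32 bytes of the SPKI encoding are the raw public key.
  const rawPub = publicKey.export({ format: 'der', type: 'spki' }).subarray(-32);
  const payload = Buffer.from('{"dataset_sha256":"constructed-placeholder"}');
  const sig = crypto.sign(null, payload, privateKey).toString('base64url');
  return { payload, sig, rawPub };
}
```

Treating every decoding or length error as a plain verification failure keeps the verifier from accepting truncated or loosely encoded signatures.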

Authentication

  • Supabase JWT authentication — HS256 and RS256 supported
  • API keys for programmatic access — scoped per user and rotatable
  • Session management via connect-pg-simple with server-side session store
  • Supabase bearer token attached to all mutating requests

API security

  • CSRF protection on all state-changing endpoints
  • Strict rate limiting on mutating routes (strictApiRateLimiter)
  • Public verification endpoints use separate rate limiter (publicVerifyLimiter) — no auth required
  • Raw data upload blocked at middleware layer with audit logging

Data handling

  • Synthetic datasets stored in Supabase Storage (not local disk in production)
  • Artifacts expire based on subscription tier — enterprise retention is indefinite
  • PII scanning available via @certifieddata/pii-scan before certification
  • No real dataset records are stored — only schema, hash, and metadata

Audit trail

  • All generation, certification, and verification events written to audit_vault_records
  • Public decision log is hash-chained — any modification breaks the chain
  • Log checkpoints computed and stored for integrity verification
  • Admin actions logged separately in audit_logs table

Infrastructure

  • Deployed on Railway — isolated container per service
  • Database: Neon Postgres (us-east-2) with connection pooling
  • TLS enforced on all endpoints — certifieddata.io
  • Cloudflare R2 for artifact storage with signed URL access

Responsible disclosure

If you discover a security vulnerability in CertifiedData, please contact us before public disclosure. We review all reports promptly.

[email protected]