Certificate Authority
Trust Center
CertifiedData acts as a certificate authority for AI artifacts. This page documents our cryptographic primitives, key management practices, public transparency surfaces, and how to independently verify everything we claim.
Cryptographic primitives
Deployed
| Certificate signing algorithm | Ed25519 (RFC 8032) |
| Dataset fingerprinting | SHA-256 |
| Payload canonicalization | RFC 8785 JSON Canonicalization Scheme |
| Public key format | Base64-encoded Ed25519 public key |
| Signature encoding | Base64 with ed25519: prefix |
All cryptographic operations use audited standard-library implementations. No custom cryptography.
Key management
Deployed
| Active keys published at | /.well-known/signing-keys.json |
| Private key storage | Encrypted at rest, never exposed via API |
| Key rotation | Periodic; immediate on suspected compromise |
| Revocation | Reflected in /api/verify and signing-keys endpoint |
See the Signing Key Infrastructure doc for full lifecycle details.
Signing key docs →
Independent verification
No account required
| Public verification endpoint | POST /api/verify |
| Certificate retrieval | GET /api/certificates/{certId} |
| Signed manifest download | GET /api/certificates/{certId}/download |
| Local verification | sha256sum + openssl pkeyutl (no SDK needed) |
Verification requires no account, API key, or trust in CertifiedData beyond the published public key.
Verification spec →
Public transparency
Live
| Certificate log | /transparency/certificates — all issued certificates |
| Dataset registry | /transparency/datasets — all certified datasets |
| Decision logs | /transparency/decisions — governance audit trail |
| Signing keys | /.well-known/signing-keys.json — active public keys |
Data handling
Platform policy
| Input data | Schema definitions and sample data used only during generation; not retained for other purposes |
| Generated data | Synthetic — no real personal data |
| PII scanning | Available via @certifieddata/pii-scan before generation |
| Logs | Audit logs retained per plan tier; configurable retention on Govern plan |
Responsible disclosure
Open
If you discover a security vulnerability in CertifiedData — including issues with certificate issuance, key management, or the verification pipeline — please report it to [email protected]. We aim to acknowledge reports within 48 hours.