Trust · Security
Security you can inspect, not a badge you take on faith.
Our security isn't a claim — it's a set of mechanisms you can check. The record is append-only, identity is phishing-resistant, sensitive data is encrypted at the record, and the stack is built clean-room so there is less to trust in the first place.
This very page is verifiable — toggle Verify in the header and recompute any element
How the posture holds
Security you can inspect — not a badge you take on faith.
Append-only by construction
Every record and every access is bound into a tamper-evident hash-chain. Nobody — not even an administrator — can quietly rewrite the past; break one link and the math stops matching.
Phishing-resistant passkeys
Sign-in is a WebAuthn passkey bound to the device — no shared secret to steal, phish, or replay. The person is the key.
Encrypted at rest and in transit
Sensitive fields are encrypted at the record with AES-256-GCM (rolling in); data moves only inside authenticated, encrypted transport — TLS at the edge, sealed-header frames between our internal nodes.
Least-privilege, and every access recorded
Access is scoped to need and the access itself becomes a logged, tamper-evident event — control that is observable, not merely configured.
Clean-room, minimal attack surface
We build our own stack in Rust rather than stacking third-party software under our brand — fewer moving parts you have to take on trust.
You verify it, we don't ask for faith
Toggle Verify in the header and recompute any element of this page in your own browser. Security that resolves to something you can check.
Don't trust us — verify us
The standard isn't something we claim. It's something you run.
Toggle Verify in the header to recompute this page, or open the verifier to check the signed root, the witness quorum, and any record — in your own browser, against pinned keys.