Security, compliance, and incident posture.
Attestyx is built for organizations that take integrity seriously. This page surfaces the operational truth: encryption, key management, access control, compliance frameworks, sub-processors, and incident history. No marketing claims you can't verify.
Security controls
14 categories below. Each maps to specific platform implementation, not a generic framework citation. The detailed Information Security Policy at /legal/information-security-policy is the authoritative source.
Encryption at rest
AES-256-GCM for all stored data including document vault content. Server-side AES-256 on Hetzner Object Storage (jil-sdv bucket).
Encryption in transit
TLS 1.3 for all client-to-edge and service-to-service connections. Postgres over TLS. Cloudflared tunnels for edge-to-origin.
Password hashing
Argon2id with platform-wide pepper. Memory cost >= 64 MiB, time cost >= 3.
Multi-factor authentication
Available for all users; required for break-glass operator access and disbursements >= $1M.
Access control
Role-based with least-privilege defaults. 6 user types (Foundation / Grantee / Council / JIL Operator / Auditor / Regulator). Quarterly access reviews.
Key management
HMAC webhook signing keys + CREB attestation keys stored separately from data. Rotation procedures documented in internal Key Management Standard.
Webhook signing
HMAC-SHA256 over timestamp + body. X-JIL-Signature header per Stripe convention. Replay protection via timestamp tolerance.
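A receiver-side check for the scheme described above, written as an added example (not Attestyx's own code). It assumes a Stripe-style header layout of `t=<unix timestamp>,v1=<hex HMAC>` and a 300-second replay window; neither value is stated on the page. The MAC covers the timestamp joined to the body, so a captured delivery cannot be replayed with a fresh timestamp, and the comparison is constant-time.

```python
import hashlib
import hmac
import time
from typing import List, Optional, Tuple

# Assumed replay window; the page states "timestamp tolerance" without a value.
TOLERANCE_SECONDS = 300


def sign_webhook(secret: bytes, timestamp: int, body: bytes) -> str:
    """Build the X-JIL-Signature value for an outbound webhook.

    Assumed layout, modelled on Stripe's header: "t=<unix ts>,v1=<hex hmac>".
    The MAC covers the timestamp and body joined by a dot, so the timestamp
    cannot be altered without invalidating the signature.
    """
    signed_payload = f"{timestamp}.".encode() + body
    digest = hmac.new(secret, signed_payload, hashlib.sha256).hexdigest()
    return f"t={timestamp},v1={digest}"


def parse_signature_header(header: str) -> Tuple[int, List[str]]:
    """Split "t=...,v1=...,v1=..." into (timestamp, candidate signatures).

    Several v1 values are accepted so a receiver keeps working while the
    sender rotates its signing key (it sends one MAC per live key).
    """
    timestamp: Optional[int] = None
    signatures: List[str] = []
    for part in header.split(","):
        key, sep, value = part.strip().partition("=")
        if not sep:
            raise ValueError("malformed signature element")
        if key == "t":
            timestamp = int(value)
        elif key == "v1":
            signatures.append(value)
    if timestamp is None or not signatures:
        raise ValueError("signature header lacks t= or v1=")
    return timestamp, signatures


def verify_webhook(secret: bytes, header: str, body: bytes,
                   now: Optional[int] = None,
                   tolerance: int = TOLERANCE_SECONDS) -> bool:
    """True only if the MAC matches and the timestamp is inside the replay window."""
    now = int(time.time()) if now is None else now
    try:
        timestamp, signatures = parse_signature_header(header)
    except ValueError:
        return False
    # Replay protection: a captured delivery is rejected once its timestamp ages out.
    if abs(now - timestamp) > tolerance:
        return False
    expected = hmac.new(secret, f"{timestamp}.".encode() + body, hashlib.sha256).hexdigest()
    # compare_digest avoids leaking how many leading bytes of the MAC matched.
    return any(hmac.compare_digest(expected, candidate) for candidate in signatures)


if __name__ == "__main__":
    secret = b"whsec_constructed_example_key"  # constructed sample secret
    body = b'{"event":"attestation.anchored","id":"att_example"}'  # constructed payload
    ts = int(time.time())
    header = sign_webhook(secret, ts, body)
    print(header, verify_webhook(secret, header, body))
```

Reject the delivery before parsing the body whenever `verify_webhook` returns False; the timestamp check runs before the MAC check only for cheapness, and both must pass.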
Document content addressing
SHA-256 content hash; sdv-storage dedupes at the object layer. Immutable for the lifetime of the attestation.
Audit logging
Merkle-chained audit log captures action / actor / outcome / timestamp. Every privileged action recorded; tamper-evident.
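A minimal tamper-evident log of the kind described above, as an added example rather than Attestyx's implementation. Each entry's hash covers the action, actor, outcome, timestamp and the previous entry's hash; the genesis sentinel, the canonical JSON encoding and the sample entries are all assumptions or constructed data. The `merkle_root` method folds all entry hashes into one digest, which is the value a periodic external anchor (such as the CourtChain anchoring listed below) would commit to.

```python
import hashlib
import json
from dataclasses import dataclass
from typing import List, Optional

# Assumed sentinel for the first entry's predecessor (the page does not specify one).
GENESIS_HASH = "0" * 64


@dataclass
class AuditEntry:
    action: str
    actor: str
    outcome: str
    timestamp: int
    prev_hash: str
    entry_hash: str = ""


def canonical_bytes(entry: AuditEntry) -> bytes:
    """Deterministic serialisation (sorted keys, no whitespace) so every verifier hashes identical bytes."""
    payload = {
        "action": entry.action,
        "actor": entry.actor,
        "outcome": entry.outcome,
        "timestamp": entry.timestamp,
        "prev_hash": entry.prev_hash,
    }
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()


def compute_entry_hash(entry: AuditEntry) -> str:
    return hashlib.sha256(canonical_bytes(entry)).hexdigest()


class AuditLog:
    """Append-only log in which each entry commits to its predecessor's hash."""

    def __init__(self) -> None:
        self.entries: List[AuditEntry] = []

    def append(self, action: str, actor: str, outcome: str, timestamp: int) -> AuditEntry:
        prev = self.entries[-1].entry_hash if self.entries else GENESIS_HASH
        entry = AuditEntry(action, actor, outcome, timestamp, prev)
        entry.entry_hash = compute_entry_hash(entry)
        self.entries.append(entry)
        return entry

    def first_broken_index(self) -> Optional[int]:
        """Index of the first entry whose content or back-link no longer verifies; None if intact."""
        expected_prev = GENESIS_HASH
        for index, entry in enumerate(self.entries):
            if entry.prev_hash != expected_prev or compute_entry_hash(entry) != entry.entry_hash:
                return index
            expected_prev = entry.entry_hash
        return None

    def merkle_root(self) -> str:
        """Single digest over all entry hashes, suitable for periodic external anchoring."""
        level = [bytes.fromhex(e.entry_hash) for e in self.entries]
        if not level:
            return GENESIS_HASH
        while len(level) > 1:
            if len(level) % 2:
                level.append(level[-1])  # duplicate the odd leaf
            level = [hashlib.sha256(level[i] + level[i + 1]).digest()
                     for i in range(0, len(level), 2)]
        return level[0].hex()


def build_sample_log() -> AuditLog:
    """Constructed sample entries (not real platform data)."""
    log = AuditLog()
    log.append("vault.read", "auditor@example.org", "success", 1_700_000_000)
    log.append("disbursement.approve", "operator@example.org", "success", 1_700_000_060)
    log.append("role.grant", "operator@example.org", "denied", 1_700_000_120)
    return log


if __name__ == "__main__":
    log = build_sample_log()
    print("intact:", log.first_broken_index() is None, "root:", log.merkle_root())
    log.entries[1].outcome = "denied"  # simulate an after-the-fact edit
    print("first broken index:", log.first_broken_index())
```

Editing an entry in place breaks its own hash; recomputing that hash to hide the edit breaks the next entry's back-link and changes the Merkle root, which is why an externally anchored root, not the log store alone, is what makes the record tamper-evident.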
CourtChain anchoring
14-of-20 BFT validator quorum across 13 jurisdictions. Ed25519 + Dilithium-III hybrid signatures. Anchor latency target under 60 minutes.
Network security
Production network is TLS-only at edge. Internal services on private Docker network. WAF + DDoS at edge.
Vulnerability management
CVE scanning on every CI run. Annual third-party penetration testing. Critical patch SLA 7 days; high 30; medium 90.
Incident response
P1/P2/P3/P4 classification. PHI breach notification within 60 days per HIPAA § 164.410. GDPR Personal Data Breach within 72 hours per Art. 33.
Backup + recovery
Postgres point-in-time recovery. Sub-processor S3 versioning. Tested DR procedure with RPO < 24h, RTO < 4h.
Compliance frameworks
Eight regulatory frameworks across data protection, healthcare, financial, and evidentiary categories. Each is mapped to a specific applicable population and the corresponding platform mechanism.
| Framework | Regulation | Applies to | Status |
|---|---|---|---|
| GDPR | Regulation (EU) 2016/679 | EU/UK/CH grantees + foundations | Compliant; DPA + SCC Module 2 published |
| HIPAA / HITECH | 45 CFR 160 + 164; HITECH Subtitle D | Programs incidentally encountering PHI | BAA template published; SOC 2 Type II audit Q4 2027 |
| CCPA / CPRA | Cal. Civ. Code § 1798.100 et seq. | California residents | Privacy notice provides opt-out + deletion |
| LGPD | Lei nº 13.709/2018 | Brazil residents | Compliant; per-jurisdiction supplement at /legal/br-oscip-lgpd |
| PDPA Singapore | Act 26 of 2012 | Singapore residents | Compliant; consent + legitimate interest framework |
| UAE PDPL | Federal Decree-Law No. 45/2021 | UAE residents | Compliant; per-jurisdiction supplement pending |
| FRE 902(14) | Federal Rule of Evidence 902(14) | CREB attestation admissibility | Operational - every CREB satisfies certified-electronic-record requirements |
| BSA / OFAC | 31 USC 5311 + 50 USC 1701 | All jurisdictions | Daily multi-list screening; non-MTL posture documented |
Sub-processors
Foundations on Tier 2 engagements receive 30 days' advance notice of any sub-processor change. Subscribe to the sub-processor change feed at attestyx.com/api/v1/sub-processors/feed. Authoritative list at /legal/sub-processor-list.
| Sub-processor | Purpose | Processing region | Certifications |
|---|---|---|---|
| Hetzner Online GmbH | Hosting (compute + storage) | Nuremberg DE; Helsinki FI | SOC 2 Type II + ISO 27001 |
| Cloudflare, Inc. | CDN, DNS, edge TLS, DDoS protection | Global edge; pinned EU+US | SOC 2 Type II + ISO 27001 + PCI DSS |
| Stripe, Inc. | Tier 2 billing and invoicing | United States | SOC 1/2 Type II + PCI DSS Level 1 |
| AWS Bedrock + Anthropic | Optional LLM-enhanced narrative analysis (env-gated) | us-east-1; no model training on customer data | SOC 1/2/3 + ISO 27001 + HITRUST |
| OpenSanctions / Yente | Sanctions and PEP screening data | Berlin, Germany | GDPR-compliant; open-source upstream |
Compliance + audit roadmap
- Privacy + DPA + BAA published
- Vulnerability disclosure policy live
- Multi-list sanctions screening operational
- CourtChain anchoring operational
- Anonymous whistleblower portal
- Trust Center dashboard live metrics
- First annual penetration test
- ISO 27001 readiness review
- WCAG 2.2 Level AA third-party audit
- SOC 2 Type II observation period begins
- GDPR Art. 27 EU Representative appointment
- SOC 2 Type II observation period ends
- SOC 2 Type II report published
Incident history
Vulnerability disclosure
If you believe you have discovered a security vulnerability, report it confidentially to [email protected]. Acknowledgment within 5 business days, remediation timeline within 15 business days.
Safe harbor for good-faith research per the policy at /legal/vulnerability-disclosure.
Compliance contact
Privacy: [email protected]
Data Protection Officer: [email protected]
Whistleblower: [email protected]
Legal: [email protected]