
Security

CertNode's job is to produce records you can rely on later. The strongest claim we make is that you do not need to trust us. Receipts are independently verifiable using public standards.

Cryptographic foundations

ES256 JWS signatures

Every receipt is signed with ECDSA over NIST P-256 using SHA-256 and can be verified against CertNode's public JWKS without an account.
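An added example (not CertNode's own code) of how a verifier can check an ES256 compact JWS against a JWKS offline in Node.js. The key pair, the `kid` value and the `content_sha256` payload field are constructed for illustration; CertNode's actual receipt layout and JWKS location are not given on this page.

```javascript
const crypto = require("node:crypto");

const b64u = (buf) => Buffer.from(buf).toString("base64url");
const sha256hex = (data) => crypto.createHash("sha256").update(data).digest("hex");

// Constructed signer side, so the example runs offline (assumed key id and payload field).
const { publicKey, privateKey } = crypto.generateKeyPairSync("ec", { namedCurve: "P-256" });
const jwks = { keys: [{ ...publicKey.export({ format: "jwk" }), kid: "demo-key-1", use: "sig" }] };

function signReceipt(content) {
  const header = b64u(JSON.stringify({ alg: "ES256", kid: "demo-key-1" }));
  const payload = b64u(JSON.stringify({ content_sha256: sha256hex(content) }));
  // JWS ES256 signatures are the raw 64-byte r||s pair, not DER.
  const sig = crypto.sign("sha256", Buffer.from(`${header}.${payload}`),
    { key: privateKey, dsaEncoding: "ieee-p1363" });
  return `${header}.${payload}.${b64u(sig)}`;
}

// Verifier side: needs only the published JWKS, the receipt and the original content.
function verifyReceipt(jws, jwks, content) {
  const parts = jws.split(".");
  if (parts.length !== 3) return { ok: false, reason: "malformed" };
  const [h, p, s] = parts;
  let header, payload;
  try {
    header = JSON.parse(Buffer.from(h, "base64url").toString("utf8"));
    payload = JSON.parse(Buffer.from(p, "base64url").toString("utf8"));
  } catch { return { ok: false, reason: "malformed" }; }
  // Pin the algorithm: the token must not be able to select "none" or an HMAC alg.
  if (header?.alg !== "ES256") return { ok: false, reason: "bad-alg" };
  const jwk = jwks.keys.find((k) => k.kid === header.kid && k.kty === "EC" && k.crv === "P-256");
  if (!jwk) return { ok: false, reason: "unknown-key" };
  const { kty, crv, x, y } = jwk;
  const key = crypto.createPublicKey({ key: { kty, crv, x, y }, format: "jwk" });
  const sig = Buffer.from(s, "base64url");
  // A P-256 r||s signature is exactly 64 bytes; anything else is rejected early.
  if (sig.length !== 64) return { ok: false, reason: "bad-signature" };
  const valid = crypto.verify("sha256", Buffer.from(`${h}.${p}`),
    { key, dsaEncoding: "ieee-p1363" }, sig);
  if (!valid) return { ok: false, reason: "bad-signature" };
  // The signature covers only the hash, so the content is re-hashed locally and compared.
  if (payload?.content_sha256 !== sha256hex(content)) return { ok: false, reason: "content-mismatch" };
  return { ok: true, reason: "verified" };
}
```

The algorithm check runs before key lookup and signature verification, so a receipt whose header was rewritten is rejected without touching the key material.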

RFC 3161 timestamps

Independent third-party timestamp from FreeTSA. Verifiable against their CA certificate with no CertNode involvement. Established legal-financial standard.

Bitcoin anchor (optional)

Hash committed to Bitcoin via OpenTimestamps. Once anchored, the receipt is immutable as long as Bitcoin is. Tamper-evidence backed by the most expensive distributed ledger to attack.


Infrastructure

CertNode runs on infrastructure that is itself SOC 2 certified. CertNode is not yet SOC 2 certified as a company; the providers we run on are.

Hosting

  • Vercel (SOC 2 Type II) for application hosting
  • AWS underneath (SOC 2 / ISO 27001 / FedRAMP)
  • 99.9% uptime target

Data

  • Supabase (SOC 2 Type II, HIPAA available) for database and auth
  • AES-256 encryption at rest
  • TLS 1.3 in transit

Authentication

  • Clerk for user auth (SOC 2 Type II)
  • API keys via secure key generation
  • Webhook signature verification on every event

PCI scope

  • No payment card data stored at CertNode
  • Stripe handles all PCI scope on the payment side
  • Stripe Partner

Privacy

GDPR-compliant data handling

Including data export and erasure requests. See /privacy for details.

Content hash storage, not content storage

CertNode stores the SHA-256 of signed content, not the content itself. You retain the content; we retain the hash and metadata.

Optional prompt-hash for AI Provenance

When signing AI output, you can pass a prompt hash instead of the prompt itself. The receipt proves the prompt without exposing it.

What we are working toward

Honest about gaps. As CertNode grows, the trust signals catch up.

CertNode-issued SOC 2 Type II report

Today our infrastructure providers are SOC 2 certified, which is what most customers actually need. A CertNode-specific report comes when scale and contracts justify the auditor cost.

Independent penetration testing report

Targeted for the second half of 2026. Will be linked here when complete.

Bug bounty program

Reachable today by emailing security@certnode.io. Formal program with payout tiers planned.

Questions about security or compliance?

Email contact@certnode.io. We answer.