
Security & Trust

Built for enterprise compliance from day one. Transparent security practices and independent audits.

RFC 3161 timestamps
GDPR compliant
AES-256 encryption
99.9% uptime SLA

Compliance Certifications

Independently audited security and compliance standards

Cryptographic Verification

Every receipt is signed by CertNode and timestamped by an independent RFC 3161 Time-Stamping Authority (TSA), so a third party can check both who issued a receipt and when it existed without contacting CertNode.

RFC 3161 timestamp tokens from an independent TSA
ES256 digital signatures (ECDSA over P-256 with SHA-256), serialized as JWS
Optional Bitcoin blockchain anchoring

Verification relies only on public material: CertNode's published signing key and the TSA's certificate chain. A verifier does not have to trust CertNode's servers, but it does have to obtain that key material from a source it trusts and pin it.
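The following is an added example of what "independently verifiable" means for the ES256/JWS part of a receipt. It is not CertNode's code, and the receipt fields, the JWK publication format and the key handling are assumptions made for illustration. The verifier holds only a public key obtained once out of band, checks the receipt offline, pins the algorithm to ES256 (so a header claiming "none" or an HMAC algorithm is rejected before any cryptography runs), and refuses a published key whose point is not on P-256. The RFC 3161 timestamp token is a separate structure that this example does not parse.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
	"strings"
)

var b64 = base64.RawURLEncoding // JWS (RFC 7515): base64url, no padding

// signES256 returns a compact JWS over payload (ECDSA P-256 with SHA-256).
// RFC 7518 section 3.4 requires the 64-byte r||s form, not the DER form most libraries emit.
func signES256(priv *ecdsa.PrivateKey, payload []byte) (string, error) {
	header := b64.EncodeToString([]byte(`{"alg":"ES256","typ":"JWT"}`))
	signingInput := header + "." + b64.EncodeToString(payload)
	digest := sha256.Sum256([]byte(signingInput))
	r, s, err := ecdsa.Sign(rand.Reader, priv, digest[:])
	if err != nil {
		return "", err
	}
	sig := make([]byte, 64)
	r.FillBytes(sig[:32]) // left-pad each scalar to exactly 32 bytes
	s.FillBytes(sig[32:])
	return signingInput + "." + b64.EncodeToString(sig), nil
}

// verifyES256 checks a compact JWS with a key the caller already holds; it never
// contacts the issuer, and it pins alg to ES256 so "none" or HMAC headers fail early.
func verifyES256(pub *ecdsa.PublicKey, token string) ([]byte, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed JWS: expected three segments")
	}
	hdrJSON, err := b64.DecodeString(parts[0])
	var hdr struct{ Alg string }
	if err != nil || json.Unmarshal(hdrJSON, &hdr) != nil || hdr.Alg != "ES256" {
		return nil, errors.New("header must be base64url JSON with alg ES256")
	}
	sig, err := b64.DecodeString(parts[2])
	if err != nil || len(sig) != 64 {
		return nil, errors.New("signature must be 64 raw bytes (r||s)")
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	r, s := new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])
	if !ecdsa.Verify(pub, digest[:], r, s) {
		return nil, errors.New("signature does not verify under this key")
	}
	return b64.DecodeString(parts[1])
}

// jwkFromPublic renders a verifying key as an EC JWK (RFC 7517), the form an issuer publishes.
func jwkFromPublic(pub *ecdsa.PublicKey) string {
	x, y := make([]byte, 32), make([]byte, 32)
	pub.X.FillBytes(x)
	pub.Y.FillBytes(y)
	return fmt.Sprintf(`{"kty":"EC","crv":"P-256","x":"%s","y":"%s"}`,
		b64.EncodeToString(x), b64.EncodeToString(y))
}

// publicFromJWK parses a pinned JWK and rejects any point that is not on P-256.
func publicFromJWK(jwk string) (*ecdsa.PublicKey, error) {
	var k struct{ Kty, Crv, X, Y string }
	if err := json.Unmarshal([]byte(jwk), &k); err != nil || k.Kty != "EC" || k.Crv != "P-256" {
		return nil, errors.New("JWK must be a P-256 EC key")
	}
	xb, errX := b64.DecodeString(k.X)
	yb, errY := b64.DecodeString(k.Y)
	if errX != nil || errY != nil {
		return nil, errors.New("JWK coordinates are not valid base64url")
	}
	pub := &ecdsa.PublicKey{Curve: elliptic.P256(),
		X: new(big.Int).SetBytes(xb), Y: new(big.Int).SetBytes(yb)}
	if !pub.Curve.IsOnCurve(pub.X, pub.Y) {
		return nil, errors.New("JWK point is not on P-256")
	}
	return pub, nil
}

func main() {
	// Constructed sample receipt; the field names are assumptions for this example.
	receipt := []byte(`{"receipt_id":"rcpt_0001","amount":1999,"currency":"USD"}`)
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	token, _ := signES256(priv, receipt)
	// The verifier holds only the published JWK, never the private key.
	pub, _ := publicFromJWK(jwkFromPublic(&priv.PublicKey))
	payload, err := verifyES256(pub, token)
	fmt.Println("genuine receipt accepted:", err == nil, string(payload))
	// Swap in a different amount but keep the original signature: must be rejected.
	parts := strings.Split(token, ".")
	forged := parts[0] + "." + b64.EncodeToString([]byte(`{"amount":1}`)) + "." + parts[2]
	_, err = verifyES256(pub, forged)
	fmt.Println("tampered receipt rejected:", err != nil)
}
```

The point the example makes is that the issuer never participates in verification: once the JWK is pinned, every check is local. The two failure modes that matter in practice are an unpinned `alg` (letting an attacker downgrade to `none`) and an unvalidated public key (letting an attacker substitute a key or an off-curve point), and both are closed in the verifier above.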

GDPR Compliant

CertNode is compliant with the EU General Data Protection Regulation (GDPR).

Data Processing Agreements (DPA) available
Right to erasure (deletion) implemented
Data portability (export) available
EU data residency options

HIPAA Available (Enterprise)

HIPAA-compliant infrastructure available for Enterprise customers handling PHI.

Business Associate Agreement (BAA) available
PHI encryption at rest and in transit
Access logging and audit trails

Contact sales for HIPAA-compliant deployment

PCI DSS

CertNode does not store, process, or transmit payment card data; receipts are created after the payment processor has completed the transaction.

No cardholder data is handled, so CertNode's systems are outside PCI DSS scope
Card payments are handled by a PCI DSS compliant processor (Stripe)

Infrastructure Security

Enterprise-grade security built on industry-leading cloud infrastructure

Encryption Everywhere

At rest: AES-256 encryption for all data
In transit: TLS 1.3 for all connections
Key management: AWS KMS with rotation
Database: Encrypted PostgreSQL (Supabase)
Access Control

Authentication: SSO via SAML/OIDC (Enterprise)
MFA: Required for all admin accounts
RBAC: Role-based access control
API keys: Scoped permissions and rotation
Monitoring & Logging

Audit logs: All API calls logged and retained
Intrusion detection: AWS GuardDuty + Cloudflare WAF
Anomaly detection: AI-powered threat detection
Uptime monitoring: 24/7 automated monitoring
Backups & Recovery

Automated backups: Hourly incremental, daily full
Retention: 30 days point-in-time recovery
Geo-redundant: Multi-region replication
RTO/RPO: 4-hour RTO, 1-hour RPO (Enterprise)
Cloud Infrastructure

AWS: provider attestations (SOC 2, ISO 27001, FedRAMP authorization) cover the underlying infrastructure, not CertNode's application layer
Vercel: Edge network with DDoS protection
Supabase: PostgreSQL with Row Level Security
Cloudflare: WAF, DDoS protection, rate limiting
Security Testing

Penetration tests: Annual third-party pentests
Vulnerability scans: Weekly automated scanning
Dependency scanning: Continuous CVE monitoring
Bug bounty: Private program (invite-only)

Security Team & Processes

Security Team

CertNode's security is overseen by experienced security engineers with backgrounds in cryptography, compliance, and infrastructure security.

• Dedicated security engineering team
• 24/7 security monitoring and incident response
• Quarterly security training for all employees
• Background checks for all team members with data access

Incident Response

We maintain a formal incident response plan with defined procedures for detection, containment, and recovery.

Detection: Automated alerts for anomalies
Response time: <1 hour for critical incidents
Communication: Transparent disclosure within 72 hours
Post-mortem: Public reports for all incidents affecting customers

Responsible Disclosure

We welcome security researchers to report vulnerabilities through our responsible disclosure program.

Report: security@certnode.io (PGP key available)
Response time: Initial response within 24 hours
Remediation: Critical issues patched within 7 days
Recognition: Security Hall of Fame + bounties (private program)

Transparency & Accountability

Real-time visibility into our security and operational status

Status Page

Real-time uptime and performance metrics

View Status →
Security Reports

Download our latest security reports

Request Reports →
Security Contact

Report security issues or ask questions

security@certnode.io