01 · Zero-knowledge encryption
We literally cannot read your evidence.
Argon2id key derivation happens in your browser. Every evidence file is encrypted with a key derived from your master passphrase before it leaves your device. CertiFlow servers receive ciphertext. We store ciphertext. We back up ciphertext.
If CertiFlow is subpoenaed, breached, or compromised, the answer an attacker receives is mathematical static. The keys never touch our infrastructure.
The detailed ZKE algorithm spec and threat model are published in our Data Processing Agreement Annex III. We invite independent cryptographic review on request.
02 · Tamper-evident audit chain
Every state change is hash-chained.
Each row in the audit log carries a SHA-256 hash of (its canonical representation) + (the previous row’s hash). The chain is hourly Merkle-anchored to AWS S3 with Object Lock in compliance mode — set once, immutable for the configured retention.
An auditor — or a regulator — can verify the chain independently. If a row has been added, removed, or altered, the hash chain breaks and the discrepancy surfaces at the next anchor window.
This is the foundation of audit-grade provenance. Every evidence upload, every status change, every page view by an external auditor is logged into the same chain. Nothing recorded can be quietly walked back.
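The check an independent verifier would run over such a chain, as an added example (not CertiFlow's own code). The JSON canonical form, the all-zero genesis hash, the Merkle construction and the sample rows are assumptions made for illustration.

```python
import hashlib
import json

GENESIS = "00" * 32  # assumed previous-hash value for the first row


def canonical(row: dict) -> bytes:
    # Assumed canonical form: sorted keys, no insignificant whitespace, UTF-8.
    return json.dumps(row, sort_keys=True, separators=(",", ":")).encode()


def row_hash(row: dict, prev_hash: str) -> str:
    # SHA-256 over (canonical representation) + (previous row's hash).
    return hashlib.sha256(canonical(row) + bytes.fromhex(prev_hash)).hexdigest()


def append(log: list, row: dict) -> None:
    prev = log[-1]["hash"] if log else GENESIS
    log.append({"row": row, "prev": prev, "hash": row_hash(row, prev)})


def verify_chain(log: list):
    """Return the index of the first row that fails verification, or None."""
    prev = GENESIS
    for i, entry in enumerate(log):
        if entry["prev"] != prev or entry["hash"] != row_hash(entry["row"], prev):
            return i
        prev = entry["hash"]
    return None


def merkle_root(hashes: list) -> str:
    """Merkle root over one anchor window's row hashes (odd node carried up)."""
    level = [bytes.fromhex(h) for h in hashes] or [bytes(32)]
    while len(level) > 1:
        nxt = [hashlib.sha256(level[i] + level[i + 1]).digest()
               for i in range(0, len(level) - 1, 2)]
        if len(level) % 2:
            nxt.append(level[-1])
        level = nxt
    return level[0].hex()


def build_sample_log() -> list:
    # Constructed sample rows, not real audit data.
    log = []
    for row in ({"id": 1, "event": "evidence_upload", "actor": "alice"},
                {"id": 2, "event": "status_change", "actor": "alice"},
                {"id": 3, "event": "auditor_page_view", "actor": "ext-auditor"}):
        append(log, row)
    return log
```

Dropping rows from the end of the log leaves the remaining chain internally valid, so a verifier must also compare against the anchored root held under Object Lock; the chain alone catches edits and mid-log removals, the anchor catches truncation.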
03 · Eight layers of defence in depth
Each layer addresses one or more named threats. None stands alone.
| Layer | What runs | Closes |
|---|---|---|
| Edge | AWS WAF + Bot Control + 2,000 req / 5min rate limit | Indirect prompt injection at the boundary, automated abuse |
| Auth | Supabase Auth (customers) · IAM Identity Center + hardware MFA (operator) · OIDC federation (CI/CD) | Credential theft, unauthorised access |
| Transport | TLS 1.3, ALB drops invalid headers, HTTPS-only with HTTP→HTTPS redirect | Eavesdropping, downgrade attacks, request smuggling |
| Engine | 5-layer input hardening: Guardrails → OCR pipeline → input sanitiser → trust-boundary frame → strict JSON schema validator | Prompt injection, exfiltration, schema poisoning |
| Data | Pattern A discipline — customer document content NEVER persisted to durable storage. Only metadata. | Data-loss blast radius minimised by construction |
| Audit | SHA-256 hash chain over every state change, hourly Merkle anchor to S3 Object Lock (compliance mode) | Silent state change, evidence tampering |
| Identity | No long-lived AWS keys. OIDC trust narrowing to repo + branch. Hardware MFA for break-glass. | Credential leak, lateral movement |
| Backup | Daily backup to a separate AWS account with Object Lock compliance | Catastrophic data loss, ransomware |
| Process | Multi-LLM cross-review (binding rule, ADR-0012) · monthly external reviewer · CI/CD signed deploy-log watchdog (15-min detection) | Self-approved malicious change, sole-founder insider risk |
Reference frames: OWASP API Top 10 (2023), OWASP Top 10 for LLM Applications (2025), and CISA Cybersecurity Performance Goals (CPG 2.0, 2024). We deliberately do not publish "X% reduction" numeric claims — no independent benchmark of AI-attack reduction has been peer-reviewed at the time of writing.
04 · What an attacker can actually take
Honest scope — by scenario.
| Scenario | What an attacker obtains |
|---|---|
| Lawful court order, customer-specific | Ciphertext + plaintext metadata only |
| Production database breach | Ciphertext only at rest |
| Out-of-band backup vault breach | Ciphertext only at rest |
| Compromised CertiFlow insider with root | Metadata only; cannot decrypt evidence |
05 · Operational hygiene
Practices, not promises.
- No long-lived AWS credentials. CI/CD authenticates via OIDC federation, trust narrowed to the main branch of our repo. Operator access via IAM Identity Center with hardware MFA, no IAM users.
- Signed deploy-log watchdog. Every CI/CD deploy is signed and recorded in an out-of-band log. A 15-minute watchdog alerts on any deploy that lacks a matching pull request.
- Multi-LLM cross-review (ADR-0012). Every architectural decision and every engine prompt change is reviewed by a second large language model independent of the one that drafted it. Binding rule.
- Monthly external reviewer. During the sole-founder period an independent reviewer signs off on the audit log, the deploy log, and the access log monthly. Retires when CertiFlow hires a second engineer with a same-day code-review SLO.
- Out-of-band backup vault. Daily encrypted backup to a separate AWS account with Object Lock compliance mode enabled. The backup account’s credentials are not reachable from the production runtime.
06 · Sub-processors
Materially shorter list than incumbents.
Because evidence is held under zero-knowledge encryption, no sub-processor sees plaintext. The disclosure list is therefore materially shorter than incumbent GRC vendors. Full disclosure, with jurisdictions, processing purposes, and Data Processing Agreement references, is in the sub-processor list.
07 · Compliance posture
What we ship vs what we are pursuing.
- ZKE applied to all customer evidence
- Hash-chained audit log + hourly Merkle anchor
- OIDC federation + hardware MFA
- Daily out-of-band encrypted backups
- GDPR / UK GDPR / FADP / POPIA mappings active
- SOC 2 Type I attestation (own posture)
- ISO/IEC 27001:2022 certification (own posture)
- Penetration test report (annual)
- AWS Shield Advanced — gated by MRR threshold
Found a security issue? Or have a procurement question?
Report security issues to security@certiflow.com. Procurement and Trust Center questions to trust@certiflow.com. We respond within one business day; security reports get acknowledged within four hours.
Companion pages: live status · CertiFlow’s own Trust Center · Data Processing Agreement.