── Security & Compliance ──

The seal is the evidence.

Verdict's product is cryptographic integrity. Our security posture is therefore existential, not competitive. This page documents architecture, certifications, sub-processors, and disclosure policy. If you are a CISO evaluating Verdict, this is the page your team will demand.

── Certifications & Conformance ──

  • SOC 2 Type II
    In Progress (Q3 2026)
  • EU AI Act Article 12
    Conforming
  • FRE 902(14)
    Certified Template
  • GDPR Article 17
    Hash-Preserving Redaction
  • ISO 27001
    Roadmap (2027)
  • HIPAA
    Roadmap (2027)

── Cryptographic Architecture ──

  • Hash function
    SHA-256 (FIPS 180-4) — content-addressed events
  • Tree structure
    RFC 6962 Merkle tree — one root per evidence batch
  • Signing
    Ed25519 (RFC 8032) — keys generated and stored in AWS CloudHSM (FIPS 140-2 Level 3)
  • Transparency log
    Sigstore Rekor — every Merkle root anchored publicly
  • Per-tenant chain
    prior_root linkage — each batch commits to the previous batch's root, so tampering with one record invalidates every subsequent record for that tenant
  • Redaction
    Hash-preserving — payload removable, Merkle proof intact
  • Key rotation
    Quarterly Ed25519 keypair rotation; old keys archived in HSM for verification only
  • Time anchoring
    Roughtime + Rekor timestamp tokens (RFC 3161 compatible)
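To make the architecture list above concrete, here is an added example (not Verdict's code, and stdlib-only) that models four of the listed pieces end to end: content-addressed events, an RFC 6962 Merkle tree with inclusion proofs, a per-tenant prior_root chain, and hash-preserving redaction. The event layout, the payload salt, the all-zero genesis root and the chaining rule H(prior_root || root) are assumptions made for the example; Ed25519 signing and Rekor anchoring of the chained root are out of scope here.

```python
# Added example, not Verdict's code: a stdlib-only model of the design listed above
# (content-addressed events, RFC 6962 Merkle tree, per-tenant prior_root chain,
# hash-preserving redaction). Event layout, salt, genesis root and chain rule are assumptions.
import hashlib
import json
import os

GENESIS = bytes(32)  # assumed: a tenant's first batch links to an all-zero prior_root

def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def canonical(obj) -> bytes:
    # Deterministic JSON so the same event always gives the same bytes, hence the same hash.
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()

def make_event(meta: dict, payload: bytes, salt=None) -> dict:
    """Content-addressed event: the tree commits to meta plus a salted payload hash;
    payload and salt are auxiliary and can be dropped later without touching the leaf."""
    salt = os.urandom(16) if salt is None else salt
    return {"meta": meta, "payload_hash": sha256(salt + payload).hex(),
            "payload": payload.hex(), "salt": salt.hex()}

def committed(event: dict) -> bytes:
    # Only the committed fields enter the Merkle leaf.
    return canonical({"meta": event["meta"], "payload_hash": event["payload_hash"]})

def payload_ok(event: dict) -> bool:
    # An unredacted payload must still match its commitment; a redacted one has nothing to check.
    if "payload" not in event:
        return True
    salt, payload = bytes.fromhex(event["salt"]), bytes.fromhex(event["payload"])
    return sha256(salt + payload).hex() == event["payload_hash"]

def redact(event: dict) -> dict:
    """Hash-preserving redaction: payload and salt removed, leaf hash and proofs unchanged."""
    return {"meta": event["meta"], "payload_hash": event["payload_hash"]}

# ---- RFC 6962 Merkle tree: leaf prefix 0x00, interior-node prefix 0x01 ----
def leaf_hash(data: bytes) -> bytes:
    return sha256(b"\x00" + data)

def node_hash(left: bytes, right: bytes) -> bytes:
    return sha256(b"\x01" + left + right)

def _split(n: int) -> int:
    k = 1  # largest power of two strictly less than n
    while k * 2 < n:
        k *= 2
    return k

def merkle_root(leaves: list) -> bytes:
    if not leaves:
        return sha256(b"")
    if len(leaves) == 1:
        return leaf_hash(leaves[0])
    k = _split(len(leaves))
    return node_hash(merkle_root(leaves[:k]), merkle_root(leaves[k:]))

def inclusion_proof(leaves: list, m: int) -> list:
    """Audit path for leaf m (RFC 6962 section 2.1.1)."""
    n = len(leaves)
    if n <= 1:
        return []
    k = _split(n)
    if m < k:
        return inclusion_proof(leaves[:k], m) + [merkle_root(leaves[k:])]
    return inclusion_proof(leaves[k:], m - k) + [merkle_root(leaves[:k])]

def verify_inclusion(leaf: bytes, m: int, n: int, path: list, root: bytes) -> bool:
    """Rebuild the root from leaf m of n and its audit path (the RFC 9162 2.1.3.2 procedure)."""
    if m >= n:
        return False
    fn, sn, r = m, n - 1, leaf_hash(leaf)
    for p in path:
        if sn == 0:
            return False
        if (fn & 1) or fn == sn:
            r = node_hash(p, r)
            while not (fn & 1) and fn != 0:
                fn, sn = fn >> 1, sn >> 1
        else:
            r = node_hash(r, p)
        fn, sn = fn >> 1, sn >> 1
    return sn == 0 and r == root

# ---- Per-tenant chain: every batch header commits to the previous chained root ----
def seal_batch(tenant: str, seq: int, prior_root: bytes, events: list) -> dict:
    root = merkle_root([committed(e) for e in events])
    return {"tenant": tenant, "seq": seq, "prior_root": prior_root.hex(), "root": root.hex(),
            "chained_root": sha256(prior_root + root).hex()}  # what would be signed and anchored

def verify_chain(tenant: str, batches: list) -> list:
    """Recompute the chain from GENESIS; return indices of batches whose header no longer matches."""
    bad, prior = [], GENESIS
    for i, (header, events) in enumerate(batches):
        expect = seal_batch(tenant, i, prior, events)
        if header != expect or not all(payload_ok(e) for e in events):
            bad.append(i)
        prior = bytes.fromhex(expect["chained_root"])  # a broken batch poisons every later prior_root
    return bad
```

Two behaviours are worth noting when running this. Because the leaf commits only to the metadata and the salted payload hash, a redacted event still produces the same leaf, so inclusion proofs and batch roots survive redaction; the salt is what stops a removed payload from being recovered by guessing. And because `verify_chain` recomputes every chained root from the genesis value rather than trusting the stored one, altering a record in batch i makes batch i fail and, since the recomputed prior_root then disagrees with every later header, all later batches fail with it.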

── Sub-Processors ──

Sub-processor           Purpose                             Region
Vercel                  Edge hosting + CDN                  Global
Supabase                Postgres + storage                  us-east-1, eu-west-1
AWS KMS / CloudHSM      Ed25519 HSM signing                 us-east-1
Sigstore Public Good    Rekor transparency log anchoring    Global
Resend                  Transactional + audience email      us-east-1

── Vulnerability Disclosure ──

We treat security disclosures with extreme seriousness. Our product is cryptographic integrity; if that integrity can be broken, we want to know first.

  • EMAIL: security@verdict.systems
  • PGP: /security.txt (RFC 9116 conforming)
  • SLA: Triage within 24 hours; remediation timeline communicated within 7 days
  • HALL OF FAME: Public acknowledgment for valid reports (with researcher consent)

We follow Coordinated Vulnerability Disclosure. Please give us 90 days from triage before public disclosure unless the vulnerability is being actively exploited in the wild.
