Trust & Security

CertNode's job is to produce records you can rely on later. So this page should be honest about what makes us trustworthy and what we are still working toward.

What we have today

The strongest claim CertNode makes is that you do not need to trust us. Receipts are independently verifiable using public standards. Anyone can verify a CertNode receipt without an account, an API key, or our cooperation.

Cryptographic verification

  • ES256 JWS signatures over canonical payloads, verifiable against public JWKS
  • RFC 3161 timestamps from FreeTSA, an independent Time Stamping Authority
  • Optional Bitcoin anchoring via OpenTimestamps for long-term durability
  • Public verification page on every receipt, free, no account required

Verification is mathematically provable. You do not have to trust CertNode to trust the receipt.

Stripe Partner

CertNode is a Stripe Partner. Three of our four Stripe apps (Reflex, Vault, Recover) are published on the Stripe Marketplace, which requires passing Stripe's review process for security, privacy, and reliability. Sentinel is in pre-submission.

Stripe Partner Directory listing →

Infrastructure on SOC 2 certified providers

  • Vercel (SOC 2 Type II) for application hosting
  • Supabase (SOC 2 Type II, HIPAA available) for database and auth
  • AWS underneath both, SOC 2 / ISO 27001 / FedRAMP certified
  • AES-256 encryption at rest, TLS 1.3 in transit

CertNode itself is not yet SOC 2 certified. The infrastructure we run on is.

Privacy and admissibility

  • GDPR-compliant data handling, including data export and erasure
  • Receipts designed for FRE 902(13) and 902(14) self-authenticating digital evidence
  • EU AI Act Article 50 alignment for AI Provenance (enforcement begins August 2026)
  • No payment card data stored at CertNode (Stripe handles all PCI scope)

What we are working toward

Honest about the gap. As CertNode grows, the trust signals catch up.

CertNode-issued SOC 2 Type II report

Today our infrastructure providers are SOC 2 certified, which is what most of our customers actually need. A CertNode-specific report comes when scale and contract demand justify the auditor cost.

Independent penetration testing report (annual)

Targeted for the second half of 2026. Will be linked here when complete.

Bug bounty program

Reachable today by emailing security@certnode.io. Formal program with payout tiers planned.

Questions about security or compliance?

Email contact@certnode.io. We answer.