// TRUST CENTER
Trust Center
Security posture, audit reports, compliance certifications, and subprocessors. Updated as we ship.
// FORMALLY VERIFIED CRYPTO
TLS 1.3, AEAD, and key schedule formally proven. Mathematical guarantees on critical paths, not just unit tests.
// ZERO PASSWORD AUTH
mTLS for admin access. Cookie session only after cert bootstrap. No shared secrets stored.
// BANK-GRADE HARDENING
HMAC CSRF + per-action one-shot, session rotation, drift detection, full audit attribution.
Compliance posture
- GDPR: compliant. DPA available at /dpa.
- SOC 2 Type II: audit Q4 2026.
- ISO 27001: 2027 target.
- PCI-DSS: we do not store cardholder data.
Security architecture
- mTLS authentication for admin and operator cabinets via internal CA
- Strict cookie scoping (host-prefixed, SameSite=Strict, HttpOnly)
- HMAC-bound CSRF tokens with per-action one-shot enforcement
- Session ticket key rotation every 24 hours, ticket TTL ≤6 hours
- Session rotation on login, role change, and 15-minute admin timer
- Append-only audit trail with 365-day retention
- Edge configuration pull-only — no inbound shell, no push agent
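To make the "HMAC-bound CSRF tokens with per-action one-shot enforcement" item concrete, here is an added illustration of that pattern in Python. It is not the vendor's code; the key, the 15-minute TTL, the NUL-separated field layout and the in-memory nonce store are assumptions.

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional

NONCE_LEN, TAG_LEN = 16, 32  # bytes; tag is HMAC-SHA256


class CsrfTokenService:
    """CSRF tokens bound to (session, action) and valid for one use (hypothetical illustration).

    token = hex(nonce || HMAC-SHA256(key, session_id | action | nonce)).
    The server remembers each issued nonce until it is consumed or expires, so a
    captured token cannot be replayed, and a token minted for one action (or one
    session) does not verify for another.
    """

    def __init__(self, key: bytes, ttl_seconds: int = 900):
        self._key = key
        self._ttl = ttl_seconds
        self._pending: dict[bytes, float] = {}  # nonce -> expiry (epoch seconds)

    def _tag(self, session_id: str, action: str, nonce: bytes) -> bytes:
        # NUL separators keep ("ab", "c") and ("a", "bc") from producing the same message.
        msg = b"\x00".join([session_id.encode(), action.encode(), nonce])
        return hmac.new(self._key, msg, hashlib.sha256).digest()

    def issue(self, session_id: str, action: str, now: Optional[float] = None) -> str:
        now = time.time() if now is None else now
        nonce = secrets.token_bytes(NONCE_LEN)
        self._pending[nonce] = now + self._ttl
        return (nonce + self._tag(session_id, action, nonce)).hex()

    def consume(self, token: str, session_id: str, action: str,
                now: Optional[float] = None) -> bool:
        """True exactly once for a token issued to this session+action and still within TTL."""
        now = time.time() if now is None else now
        try:
            raw = bytes.fromhex(token)
        except ValueError:
            return False
        if len(raw) != NONCE_LEN + TAG_LEN:
            return False
        nonce, tag = raw[:NONCE_LEN], raw[NONCE_LEN:]
        # Constant-time MAC check first: a token presented for another session or action
        # is rejected without retiring the nonce, so a mismatched request cannot burn it.
        if not hmac.compare_digest(tag, self._tag(session_id, action, nonce)):
            return False
        expiry = self._pending.pop(nonce, None)  # one-shot: retire on first valid use
        return expiry is not None and now <= expiry
```

In a multi-process deployment the nonce store would have to be shared (and the pop made atomic) for the one-shot guarantee to hold across workers.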
Subprocessors
| Name | Purpose | Region |
|---|---|---|
| Hetzner | Edge VPS (EU) | DE/FI |
| OVH | Edge VPS (US backup) | US |
| Cloudflare | DNS only (no traffic proxy) | Global |
Reports + artifacts
- SOC 2 Type II report (target Q4 2026) — available under NDA on request
- Quarterly third-party penetration test reports — under NDA
- Formal verification artifacts for the cryptographic core — under NDA
- Software bill of materials and signed-binary provenance — under NDA
Vulnerability disclosure
Found something? Email security@netspectra.org. PGP key BE45 8F3C .... Acknowledged within 24h. Bounty program planned for Q3 2026.
Safe harbor: good-faith research that does not degrade service or expose user data is welcome.
Contacts
security@netspectra.org · privacy@netspectra.org · legal@netspectra.org