Skip to main content

Security-conscious infrastructure by design.

Trust infrastructure is only as strong as the claims it can prove. ANANKE's security is built into every record, every state change, and every verification — not layered on top. Organizational data is isolated, key material never leaves its custody boundary, and every action leaves a traceable, tamper-evident record.

End-to-end encrypted
Privacy by architecture
GDPR-aligned
/

How your records are protected

Six properties that apply to every record issued through ANANKE — across Trust, T-CODE, and Sign.

Every record is cryptographically sealed at issuance

When a document or item is issued, its contents are hashed and bound to a signed record. Any modification — however minor — produces a different fingerprint. Tampering is structurally detectable, not a matter of policy.

State changes form a cryptographic chain

Lifecycle transitions — issuance, suspension, revocation — are linked in a cryptographic chain by the trust infrastructure. States cannot be silently inserted, removed, or reordered. The full history of a record is verifiable from any point in its chain.

Records are anchored to an external ledger

Cryptographic commitments are periodically anchored to Hedera Hashgraph's consensus service — an independent external ledger. This provides proof of when a record existed and what it contained, without publishing the record or its contents to any public network.

You decide what verifiers see

Verification is not public. Authorized verifier organizations access only the fields your disclosure policy permits. Different verification contexts expose different information. Nothing is visible to verifiers unless your policy says so.

Physical items carry offline-verifiable codes

T-CODE stamps link physical items to their digital trust record through a cryptographically signed barcode. The barcode payload is self-contained — it can be checked for authenticity without a network connection, then optionally confirmed online.

Protected signing services support Trust and T-CODE

Internal signing and remote trust-service mechanisms support the protected evidence created by Trust and T-CODE. ANANKE Sign is not offered as a public standalone product.

/

What we store, and what we don't

Transparency about data handling starts with being clear about what touches our systems.

What we store

Protected PDFs with embedded verification evidence
Document metadata, lifecycle status, and template configurations
Cryptographic fingerprints (hashes) and verification proof records
Verification timestamps with optional external evidence references
Audit trail entries (append-only, timestamps, actor identity)
API key metadata (hashed, never in readable form)
Your organization's settings and configurations

What we never publish or expose

No document content or personal data on public networks — only minimal non-personal verification references
No passwords or API key secrets in readable form — hashed with strong algorithms and never retrievable
No cross-organization data access — tenant isolation enforced at the database query layer
No unprotected personal data in external storage — object storage uses server-side encryption through a dedicated KMS
No financial or payment details — handled by separate payment processors
/

Infrastructure you can ask about

How the platform is built — for security teams, IT reviewers, and compliance auditors who want to go deeper. These are design goals and current implementation choices, not certifications.

Important: No certifications have been obtained. ANANKE Trust and T-CODE are not qualified trust services. ANANKE Sign is in development. These are engineering design goals only.

Keys & signing

Key custody and signing operations

Signing keys are held in a dedicated key management service — they never leave it in usable form
All signing operations are performed inside the key management boundary; the application never handles raw key material
Object storage is encrypted at rest using keys managed by the same KMS
Service-to-service communication uses mutual TLS with certificates issued by the platform's internal PKI

Audit & continuity

Tamper-evident audit infrastructure

Every issuance, lifecycle event, and verification request is recorded with actor identity and timestamp
Trust record chains include cryptographic integrity evidence — modifications to historical records are designed to be detectable
A granular Merkle manifest identifies not just that a record was modified, but which specific field changed
Audit records are retained and structured for compliance and institutional review

Identity & access

Authentication, authorization, and session management

OpenID Connect authentication with ANANKE's own identity provider; tokens are short-lived and cryptographically signed
TOTP multi-factor authentication using authenticator apps, with organization-level enforcement and brute-force lockout
Role-based permissions — administrators, issuers, verifiers, auditors — enforced at the platform layer
API keys are hashed using an industry-standard password hashing algorithm; the raw key is shown once and never stored
Rate limiting applied at the network edge on login and API endpoints
/

Access control and authentication

Controlling who can access what, and proving it.

Role-based permissions

Each team member has specific permissions based on their role. Administrators, issuers, verifiers, and auditors each see and do only what they need to. Permissions are enforced at the platform layer, not just the UI.

Secure authentication with MFA

Built-in OpenID Connect authentication with ANANKE's own identity provider. Tokens are cryptographically signed with 15-minute access token lifetimes and rolling refresh tokens. TOTP multi-factor authentication using authenticator apps is available, with organization-level enforcement, brute-force lockout, and one-time recovery codes.

API key protection

API keys are secured using industry-standard hashing. The raw key is shown once at creation and never stored; only a hashed representation and metadata are retained. Keys are scoped to your organization and can be rotated at any time.

Session management

Access tokens expire after 15 minutes. Refresh tokens are rolling and valid for 7 days — a consumed refresh token cannot be reused. Rate limiting is applied at the network edge to protect login endpoints and the API against brute-force and credential-stuffing attacks.

/

What ANANKE does not claim

Credibility requires staying below the line of proof. These are not caveats — they are hard limits that protect you from relying on capabilities we do not provide.

Not public or anonymous verification

Verification runs through the ANANKE account model. Verifier access requires an approved organizational account. Verification results are not publicly accessible by design.

No hardware security module certification

Key management is isolated in a dedicated software KMS. No certified HSM hardware is claimed. No FIPS or hardware security certification is asserted.

Not certified or compliant

No ISO, SOC, eIDAS, or similar certification has been obtained. No regulatory approval has been granted. Standards-informed engineering is not the same as certification.

ANANKE Sign is not a public product

Internal signing capabilities support Trust and T-CODE. ANANKE does not currently offer ANANKE Sign as a standalone electronic-signature service or make qualification claims.

Tamper-evident, not tamper-proof

ANANKE detects tampering through cryptographic evidence — it does not physically prevent it. No platform can guarantee the integrity of documents or items once they leave the platform boundary.

ANANKE Trust and T-CODE are not qualified trust services

ANANKE Trust and T-CODE provide verifiable evidence and tamper-detection. They are not legally qualified electronic signatures and make no qualified trust service claims. ANANKE Sign is a separate product line, currently in development. Learn more about ANANKE Sign.

Questions about security or architecture?

We are happy to discuss our security design, key management approach, and audit infrastructure with your IT, legal, or compliance team.