Security
How VerifiedState protects your data and assertions.
Cryptographic signing
Every verification receipt is signed with Ed25519 via the Web Crypto API. Signing keys are stored exclusively in Cloudflare Secrets — never in source control, environment files, or databases.
Append-only assertions
Assertions cannot be updated or deleted through normal operations. To correct a fact, you retract the old assertion and insert a new one. The original record is preserved for audit. This design ensures a tamper-evident history.
Namespace isolation
All data is scoped to namespaces. Your assertions, artifacts, and memory are accessible only to API keys authorized for your namespace. There is no cross-namespace data leakage.
Encrypted token storage
OAuth tokens for connected integrations (GitHub, etc.) are encrypted at rest using AES-GCM-256 before storage. Encryption keys are managed via Cloudflare Workers secrets.
Transport security
All API traffic is served over TLS via Cloudflare's edge network. API keys are required for every authenticated endpoint. Rate limiting is enforced per-IP at 60 requests per minute per worker.
Infrastructure
- Compute: Cloudflare Workers (edge, no persistent server)
- Database: Supabase Postgres with Row-Level Security enabled
- Object storage: Cloudflare R2
- Secrets: Cloudflare Workers Secrets (no plaintext keys in config)
Reporting vulnerabilities
If you discover a security vulnerability, please report it to support@verifiedstate.ai. Do not open public issues for security bugs. We will acknowledge receipt within 48 hours.