Skip to main content
TruepixID
Trust & Safety

Security Overview.

Last updated: Oct 10, 2025Verified, Not Stored™Privacy-first by design
Approach

TruepixID is built on a simple principle: Verified, Not Stored™. We generate receipt-backed Integrity Records for photos and short videos while minimizing the data we hold and the time we hold it. Security is layered, auditable, and privacy-first by design.

01

Encryption

In Transit

TLS (HTTPS) for all client↔server communications. No unencrypted channels.

At Rest

Server-side encryption with AWS KMS (SSE-KMS) for integrity-recorded artifacts and metadata.

Key Management

Scoped KMS keys with least-privilege grants and rotation policies.

Secrets

Application secrets stored in AWS Secrets Manager / environment vaults — never hard-coded in source.

02

Regional Data Residency

Choose where your integrity-recorded artifacts reside. Buckets, keys, and lifecycle policies are isolated per region to keep sovereignty simple and auditable.

USUnited Statesus-east-1 · Virginia
CACanadaca-central-1 · Montréal
  • Region-specific S3 buckets and KMS keys
  • No cross-region replication for integrity-recorded artifacts
  • Service endpoints constrained to the selected residency
03

Short Retention & Deletion Receipts

We keep only the processed artifact — not the original — and only for a short, transparent period. Lifecycle rules enforce automatic deletion at expiry.

Option 1
15
days
Option 2
30
days
Option 3
60
days
Option 4
90
days
  • Automated lifecycle delete jobs with audit logs
  • Deletion receipts include UTC time and file hash
04

Platform Security

01

Network

Private VPC, security groups, and restricted egress for internal services.

02

Access Control

IAM least-privilege, role-based access, and scoped service roles.

03

Edge Protection

WAF rules, rate limiting, and abuse detection for uploads and Integrity Record sessions.

04

Auditability

Structured logs for Integrity Record processing, deletion, and admin actions with alerting on anomalies.

05

Build Pipeline

Dependency pinning and provenance checks as part of CI.

05

Privacy by Design

  • No permanent storage of originals
  • Strict minimization of metadata (only what's needed for integrity records)
  • Clear user controls and receipts for deletion
  • Plain-language policies — see Privacy Policy
Verified, Not Stored™ — Integrity Records travel with your media, not our servers.
06

Compliance & Standards

We align with modern privacy frameworks and security best practices. Formal certifications vary by plan and deployment — contact us for current scope.

Canada

PIPEDA

Privacy principles aligned with Canadian federal law.

California

CPRA

Consumer privacy rights and data minimization practices.

Europe

GDPR

Privacy-by-design principles aligned with EU regulation.

  • Encryption and key management aligned with AWS best practices
  • Data residency controls (US / Canada) and documented lifecycle deletion
07

Responsible Disclosure

We appreciate reports from the security community. If you believe you've discovered a vulnerability, please reach out privately so we can investigate and remediate quickly.

Email security@truepixid.com with steps to reproduce. We'll acknowledge receipt and keep you updated on remediation. — View full disclosure policy →
08

Contact

Security
security@truepixid.com

Vulnerabilities & security reports

Privacy
privacy@truepixid.com

Data & privacy inquiries

General
hello@truepixid.com

General questions & support

Questions about how we protect your data?

Security is built in, not bolted on.

Contact Security TeamDisclosure Policy
TRUEPIXID™  ·  VERIFIED, NOT STORED™  ·  PATENT PENDING U.S. 19/653,094