Encryption in Transit and at Rest: Data is encrypted in transit via TLS and at rest using AES-256 for all persistent storage, including customer content and event streams.
Key Management: We use a dedicated Key Management System (KMS) that manages the lifecycle, storage, rotation, and auditing of cryptographic keys.
Cryptographic Integrity: We utilize secure key management and standardized protocols to ensure the authenticity and tamper resistance of verifiable credentials.
Privacy-First Anchoring: For deployments utilizing distributed ledger technology, we implement a PII-Off-Chain architecture to ensure no PII is written to public registries, supporting the Right to be Forgotten.
Flexible Root of Trust: Customers determine how the root of trust is anchored within the platform, with the option to utilize a decentralized public ledger for high attack resistance or established web domains.
Secure Software Development: All code undergoes mandatory peer reviews. Automated CI/CD pipelines perform static code analysis and vulnerability scanning, enforcing gates that block insecure code releases. AI-generated outputs are treated as untrusted until verified by an independent reviewer.
Multi-factor authentication: MFA is enforced for all personnel accessing internal environments, cloud infrastructure, and administrative tools.
Detection & Monitoring: Automated systems monitor and alert for security anomalies. Diagnostic logs utilize automated PII masking to maintain data minimization.
Incident Response Protocol: An established protocol exists for containing and remediating security events, including a defined escalation path for customer notification in case of data breach.
Resilience & Recovery: Services are hosted on certified cloud infrastructure with data durability maintained through regular, encrypted backups.
Compliance & Assessments: Infrastructure partners maintain ISO 27001 and SOC 2 Type II certifications. We perform regular internal security assessments and independent penetration testing.
Confidentiality & Training: Personnel are bound by confidentiality obligations and receive training on privacy, data protection, and responsible AI usage.
2. Decentralized Platform Access (UniTrust)
Authorized Access: Administrators manage access by adding specific users by their email address or authorize entire corporate domains to the UniTrust list. Access is then restricted to individuals with organization controlled business email addresses.
Enforced Multi-Factor Authentication: We automatically enforce multi-factor authentication for all UniTrust logins through a process that requires the UniMe wallet on a mobile device combined with biometric confirmation or a secure password. Identity Proofing & Access Credentials: Access is initiated by an authorized user self-attesting ownership of their business email address via the UniMe wallet. Following this request, the user receives a one-time PIN-based verification email to confirm email control. Upon successful verification, the user receives a final email containing a QR code, which they can scan with the UniMe wallet to collect their access credential.
Credential-Based Login: Platform entry requires the presentation of the access credential via the UniMe wallet. This utilizes cryptographic proofs to eliminate traditional passwords and mitigate risks like phishing or credential stuffing.
3. On-Device Security (UniMe)
Rust-Based Software Enclave: The UniMe wallet utilizes a Rust-based software enclave to isolate secrets from the operating system, providing memory safety and process integrity. For maximum security, this is integrated with the device’s native hardware-backed isolation to protect the cryptographic root of trust.
Data Sovereignty: The UniMe wallet operates on a zero-access basis. We do not collect, store, or have access to any personal data held within the wallet. All data remains exclusively on the user's device and is only transmitted when the user explicitly chooses to share it with a third party.
User Control: Data remains on the user's device and is only transmitted when the user explicitly chooses to share it. All interactions are managed by the end user.
Biometric & Password Protection: Wallet access is protected by native biometric verification (FaceID and TouchID) or a user defined password.
Data Recovery In the event of device loss, recovery is currently managed by requesting the re-issuance of credentials from the original issuers. A secure, privacy-preserving backup and recovery solution is planned.
4. Vulnerability Disclosure
We appreciate any efforts to help keep our services safe. If you have identified a potential vulnerability, you can find our public encryption key and reporting instructions at: https://www.impierce.com/.well-known/security.txt
5. Contact
If you have any questions about our security practices, please contact us at: security@impierce.com
Get started
Empower your organization in the digital world with trust