Security Policy
Security is foundational to Certivu. This document describes our security architecture, data handling practices, and how to responsibly disclose vulnerabilities.
Cryptographic Architecture
ML-DSA (Dilithium) — NIST FIPS 204
All provenance signatures use ML-DSA (Module Lattice-Based Digital Signature Algorithm), standardized by NIST as FIPS 204. ML-DSA is post-quantum resistant: unlike RSA or ECC, it cannot be broken by quantum computers running Shor's algorithm. Certivu does not use RSA or ECC anywhere in its signing infrastructure.
SHA-3 content hashing
Content is hashed using SHA-3-256 (FIPS 202) before signing. The hash is what is signed — not the raw content. This ensures tamper detection: if a single pixel changes, the hash changes and the signature fails verification.
Private key handling
Generator private keys are generated in the dashboard and displayed to you once. Certivu does not retain private keys after generation. You are responsible for securing your private key in a secrets manager or environment variable vault. If a key is compromised, revoke the generator immediately from the dashboard — all signatures from that generator will become invalid.
Infrastructure Security
- All traffic is encrypted with TLS 1.2+
- Passwords hashed with argon2id (memory-hard, resistant to GPU cracking)
- JWT sessions signed with HS256, 24-hour expiry
- API keys are hashed before storage — raw keys are never stored
- MongoDB Atlas with encryption at rest (AES-256) and IP allowlist
- Redis on Upstash with TLS (rediss://)
- HTTP security headers: HSTS, X-Frame-Options, X-Content-Type-Options, CSP
- CORS restricted to known origins
- Rate limiting on all endpoints via Redis sliding window
API Key Security
API keys (ctv_key_…) are the credential for programmatic access. Treat them
like passwords:
- Never commit API keys to source control
- Store them in environment variables or a secrets manager
- Use separate keys per environment (dev/staging/prod)
- Rotate keys immediately if you suspect exposure — revoke from the dashboard
Watermark Transparency
Certivu's frequency-domain watermarks are a resilience mechanism, not a security
guarantee. We do not claim they are unremovable. An adversary who knows the watermark
format may be able to remove or overwrite it. The ML-DSA signature — not the watermark
— is the authoritative trust signal. If a watermark is removed, the content is still
verifiable if the original ctv_ token is available.
Vulnerability Disclosure
If you discover a security vulnerability in Certivu, please report it responsibly:
- Email: support@certivu.ai with subject line [SECURITY]
- Include a description of the vulnerability, reproduction steps, and potential impact
- Do not publicly disclose the vulnerability until we have had 90 days to address it
- Do not access, modify, or delete data belonging to other users during research
We will acknowledge your report within 2 business days and aim to resolve critical vulnerabilities within 14 days. We do not currently offer a formal bug bounty program, but we recognize researchers who help us improve security.
Incident Response
In the event of a security incident affecting user data, we will notify affected users by email within 72 hours of becoming aware of the breach, in accordance with applicable data protection laws.
Compliance
- NIST FIPS 204 (ML-DSA)
- NIST FIPS 203 (ML-KEM — planned, post-v1)
- NIST FIPS 202 (SHA-3)
- GDPR-aware data handling (see Privacy Policy)
Contact
Security issues: support@certivu.ai
General inquiries: hello@certivu.ai