Evidentia

Legal

Security Overview

Effective: May 7, 2026

This page summarizes security controls currently used by Evidentia during Open Beta. It is a product security overview, not a certification or audit report.

Governing language

Legal documents are currently provided in English only.

Translations, if provided, are for convenience and informational purposes only.

The English version governs in case of conflict or ambiguity.

Operator

Evidentia is operated by L-ark Inc.

Security contact

For security questions or vulnerability reports during Open Beta, use the Contact page as the primary contact path.

Current controls

  • Cloudflare Turnstile or equivalent bot protection for sensitive public flows such as signup, login, and plan inquiries.
  • Rate limiting for authentication, proof, contact, and admin-related endpoints.
  • Two-factor authentication support, with stronger requirements for admin accounts.
  • Hashed API key storage, with full API keys shown only at creation or regeneration time.
  • Public proof visibility controls so proofs are public only when marked public.
  • Security headers for browser hardening, including frame, content type, referrer, and permissions policies.
  • Fail-closed verification behavior where missing or invalid proof data should not be treated as verified.
  • Session cookie hardening and server-side authorization checks for protected areas.

Security limitations

  • No system can guarantee absolute security.
  • Open Beta controls may change as the product matures.
  • Security controls reduce risk but do not eliminate all operational, customer-side, integration, legal, or compliance risk.
  • Customers remain responsible for securing their own systems, API keys, credentials, logs, infrastructure, and data flows.

Signing and trust infrastructure

Evidentia currently verifies proof record integrity and consistency with chain anchors. We are introducing Platform Trust Infrastructure to record public key fingerprints, key versions, and key-state history for Evidentia’s own signing keys.

  • Current beta architecture focuses on verification flow validation, integrity verification, tamper detection, and operational testing.
  • KMS/HSM-backed key protection, external attestation, and advanced key rotation audits are planned as part of future Production Trust Infrastructure.
  • Open Beta does not currently provide externally audited key custody guarantees, HSM-backed signing guarantees, certified trust infrastructure, or regulatory certification.
  • Future production architecture may include persistent signing identities, KMS/HSM-backed signing, externally auditable trust infrastructure, key rotation policies, and independent attestation.

Recommended customer practices

  • Call Evidentia APIs from backend services only.
  • Store API keys only in server-side environments such as environment variables, secret managers, or CI/CD secrets.
  • Do not place API keys in frontend code, mobile apps, GitHub, browser storage, or logs.
  • Submit hashes, summaries, and metadata instead of raw prompts, outputs, personal data, or confidential information unless explicitly intended.
  • Keep operational logs, business records, internal audit trails, and retention controls in the customer system.
© 2026 Evidentia. Operated by L-ark Inc. / 株式会社L-ark.