Scale Soft

Compliance & Security

Trust & Assurance

Our architecture

ProofKit relies on hardware-backed key storage at the point of capture — the iOS Secure Enclave on Apple devices, and the Android Keystore (StrongBox preferred) on Android. A device keypair is generated on first SDK initialisation. The private key is non-exportable: it never leaves the secure hardware boundary.

Every photo and video produced by the SDK is signed using Ed25519. The signature covers a SHA-256 content hash, a GPS coordinate, an ISO 8601 timestamp, and a device identity claim. The resulting attestation is packaged as a signed JSON manifest and embedded in the media file.

Verification is deterministic. Any party with access to the Scale Soft public key can independently confirm that a file has not been altered since the moment of capture.

Public key and trust model

Scale Soft publishes its signing public key as a JSON Web Key Set (JWKS) at:

https://proofkit.scalesoft.net/api/v1/well-known-jwks

The key is an Ed25519 public key (alg: EdDSA, crv: Ed25519). Enterprise customers can fetch and pin this key in their own verification infrastructure, achieving full trust-chain resolution independent of any third-party registry.

This means verification works today, with our verifier at /verify or with any infrastructure that fetches our published public key. There is no dependency on external certificate authorities or third-party certification bodies.
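One way to pin the published key in a verifier, shown as an added example that is not Scale Soft's code: it selects the Ed25519 entry from a JWKS document and accepts it only if its RFC 7638 thumbprint matches a value pinned in advance. Pinning by thumbprint is an assumption (the page does not specify a pinning method), the sample JWKS is constructed around the RFC 8037 Appendix A test key rather than the real ProofKit key, and the `kid` value is hypothetical.

```python
import base64
import hashlib
import hmac
import json

# Constructed sample JWKS. The public key is the RFC 8037 Appendix A test key,
# not Scale Soft's real key; "kid" is a hypothetical label.
SAMPLE_JWKS = json.dumps({"keys": [{
    "kty": "OKP", "crv": "Ed25519", "alg": "EdDSA", "kid": "example-1",
    "x": "11qYAYKxCrfVS_7TyWQHOg7hcvPapiMlrwIaaPcHURo",
}]})


def b64url_decode(s):
    """Decode unpadded base64url, as used for JWK members."""
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def jwk_thumbprint(jwk):
    """RFC 7638 SHA-256 thumbprint; for OKP keys the members are crv, kty, x."""
    canonical = json.dumps(
        {"crv": jwk["crv"], "kty": jwk["kty"], "x": jwk["x"]},
        separators=(",", ":"), sort_keys=True)
    digest = hashlib.sha256(canonical.encode("utf-8")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def select_pinned_key(jwks_text, pinned_thumbprint):
    """Return the raw 32-byte Ed25519 public key matching the pin, else raise."""
    for jwk in json.loads(jwks_text).get("keys", []):
        if jwk.get("kty") != "OKP" or jwk.get("crv") != "Ed25519":
            continue  # not an Ed25519 key
        if jwk.get("alg", "EdDSA") != "EdDSA" or "d" in jwk:
            continue  # wrong algorithm, or private material in a public set
        try:
            raw = b64url_decode(jwk["x"])
        except (KeyError, ValueError, TypeError):
            continue  # missing or malformed public key value
        if len(raw) != 32:
            continue  # Ed25519 public keys are exactly 32 bytes
        if hmac.compare_digest(jwk_thumbprint(jwk), pinned_thumbprint):
            return raw
    raise ValueError("no key in the JWKS matches the pinned thumbprint")
```

A verifier that fails closed on `ValueError` will reject a JWKS response whose key has been swapped, even if the response arrives over a valid TLS connection.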

Certifications

Scale Soft is not currently SOC 2 or ISO 27001 certified. Our security posture is based on the architectural commitments described above: non-exportable hardware-backed keys, published JWKS, deterministic verification, and no third-party CA dependency.

For enterprise procurement reviews, our current security documentation, roadmap, and any specific questionnaire responses are available on request: security@scalesoft.net.

Contact for procurement and security reviews

For technical security reviews, penetration test coordination, and procurement questionnaires:

security@scalesoft.net

Expected response time: 2 business days.