// trust center
Trust
Honest current state. We'd rather under-promise here than over-claim compliance posture we haven't actually shipped yet.
Current security state
- ▸Open-source sandbox deployment at sybilshield.org. All detection code is MIT-licensed and auditable in the public repo.
- ▸No production customer data is processed in the public sandbox. SybilShield is a free public good — there is no paid engagement or billing.
- ▸Backend on a single VPS (Hetzner CX22) with daily local
pg_dumpbackup. Off-site backup planned. - ▸TLS 1.3 via Let's Encrypt; secrets in
.env, never committed; UFW + fail2ban on the host; root SSH disabled; password auth disabled (keys only). - ▸Per-customer rate-limits + monthly call-quota enforcement live. Bearer-token auth with HMAC-signed webhook delivery.
Security posture
SOC 2
Not started
Planned after incorporation and first production customer data handling.
Pentest
Not scheduled yet
Planned before production launch. No vendor selected.
Encryption
Active
TLS 1.3 in transit, AES-256 at rest (Postgres + filesystem). Secrets in env, not source.
SDLC
Active
Public repo + signed commits + CI test gates. Secret scanning via GitGuardian on push.
Compliance matrix
| framework | scope | status | artifact |
|---|---|---|---|
| GDPR | EU users / EU PII | Compliant | Privacy notice |
| CCPA | California users | Compliant | Privacy notice §8 |
| SOC 2 Type I | Service org controls | Not started | Planned after incorporation |
| SOC 2 Type II | Operating effectiveness | Planned | After SOC 2 Type I |
| ISO 27001 | InfoSec mgmt | Backlog | 2027+ |
| PCI-DSS | Card data | Out of scope | No payments — free public good |
Audit log
Every flagged score, every appeal, every reversal is written append-only toevidence_audit_log. Customers can export their slice via GET /v1/audit-log?analysis_id={id}.
{
"event_id": "evt_01HX...",
"event_type": "flagged",
"address": "0xa12b...c4d7",
"actor": "system:v0.5.0-gov-expanded",
"prior_score": null,
"new_score": 87,
"reason": "sybil",
"timestamp": "2026-05-25T08:14:22.118Z"
}