how it workspricingindustriessecuritydocs
security

Security is the foundation.

pruv is a cryptographic primitive. Security is not a feature added on top. It is the entire product.

Cryptographic verification

SHA-256 hashing creates tamper-evident chains of state transitions. Every entry's XY proof is computed from the canonical representation of the before state (X) and after state (Y), combined with the timestamp and link to the previous entry.

The chain rule ensures that Entry[N].x == Entry[N-1].y. Any modification invalidates all subsequent hashes. Tampering is mathematically detectable.

Data protection

In transit
TLS 1.3 — HSTS enforced, certificate transparency monitored
At rest
AES-256-GCM — keys rotated regularly via dedicated KMS
Hashing
SHA-256 — canonical JSON, deterministic results
Signatures
Ed25519 — non-repudiation, independently verifiable
API keys
SHA-256 hashed — never stored in plaintext, pv_live_ / pv_test_ prefix
Secrets
Auto-redacted — detected and removed before entering the chain

Auto-redaction patterns

Sensitive data is automatically detected and redacted before it enters the chain. Redacted values are replaced with hash commitments. The proof remains verifiable after redaction.

sk_live_*, sk_test_*
Stripe API keys
pv_live_*, pv_test_*
pruv API keys
ghp_*, gho_*, ghs_*
GitHub tokens
AKIA*
AWS access keys
password, secret, token
Generic secret fields

Infrastructure

DDoS protection
Cloudflare WAF and CDN on all endpoints
Rate limiting
Sliding window on all API endpoints
SOC 2 Type II
Security, availability, and confidentiality controls
Pen testing
Regular third-party penetration testing and audits

Responsible disclosure

If you discover a security vulnerability in pruv, report it to security@pruv.dev. We acknowledge reports within 24 hours and provide a fix within 72 hours for critical issues.