Security at CAIRL

CAIRL is identity infrastructure. The security of your personal information, biometric data, and identity documents is not a feature — it is the foundation of everything we build.

We are designed to verify identity, not to monetize it. That principle drives every security decision we make.

Infrastructure Security

Encryption

  • At rest: All stored data is encrypted using AES-256, the same standard used by banks, governments, and military systems
  • In transit: All connections use TLS 1.3, the latest and most secure transport encryption protocol
  • Key management: Encryption keys are managed through isolated, access-controlled infrastructure with automatic rotation

Network and Hosting

  • Hosting: CAIRL runs on Vercel's globally distributed edge network with built-in DDoS protection
  • Cloud infrastructure: AWS (Amazon Web Services) provides our core compute, storage, and identity verification processing infrastructure
  • Environment isolation: Development, staging, and production environments are fully isolated with separate databases, storage buckets, and access credentials. No development data touches production systems.
  • Rate limiting: All public-facing endpoints are rate-limited through Upstash Redis to prevent abuse and brute-force attacks

Bot Protection

  • Cloudflare Turnstile protects verification flows from automated attacks, bots, and credential stuffing without invasive CAPTCHAs

Identity Verification Security

Biometric Processing

  • Biometric data (facial geometry) is processed by AWS Rekognition under our control and instruction
  • Session-specific biometric data is processed in real time and is not retained after the session
  • Biometric references retained for uniqueness enforcement are stored encrypted (AES-256) and are deletable at your request at any time
  • CAIRL does not use biometric data for surveillance, tracking, profiling, advertising, or behavioral monitoring

Document Processing

  • Identity documents are processed by AWS Textract for data extraction
  • Image quality and fraud detection processing runs through AWS Lambda with isolated, ephemeral compute
  • Raw document images are stored encrypted in isolated S3 buckets with per-environment access controls
  • Documents can be deleted by the user at any time

Liveness Detection

  • Real-time liveness checks confirm a live person is present — not a photo, video, or mask
  • Liveness detection runs during the verification session and does not store session video

Access Controls

Internal Access

  • Role-based access control (RBAC): Staff access to user data is scoped by role and limited to the minimum necessary for the task
  • Need-to-know only: Personnel access user data only when necessary to provide support, resolve technical issues, investigate fraud, or comply with legal obligations
  • Multi-factor authentication: All staff with system or data access are required to use MFA
  • Audit logging: All access to user data by CAIRL personnel is logged and subject to periodic audit

User Access

  • Password security: Passwords are stored as secure hashes — never in plain text
  • Passkey support (CAIRL/keys): WebAuthn-based passwordless authentication is available
  • Session management: Sessions are scoped, time-limited, and revocable
  • Consent-gated sharing: No data is shared with connected services without explicit user authorization

Application Security

Authentication Architecture

  • Built on Auth.js v5 with a multi-plane authentication model
  • PKCE (Proof Key for Code Exchange) with S256 enforcement on all OAuth flows
  • CSRF protection on all state-changing operations
  • Cloudflare Turnstile challenge on sensitive flows (verification, login)

API Security

  • All API endpoints require authentication
  • Pairwise HMAC-SHA256 identifiers prevent cross-platform user correlation — raw user IDs never leak to connected services
  • Short-lived, scoped tokens for all integration endpoints
  • Rate limiting on all public and integration endpoints

Data Architecture

  • Claims-based sharing: Connected services receive verification results (claims), never raw documents or biometric data
  • Pairwise identifiers: Each connected service receives a unique, non-correlatable identifier for each user
  • Consent enforcement: Sharing permissions are enforced at the platform level — connected services cannot bypass user consent

Compliance Posture

Current Status

  • SOC 2 Type II: We are actively pursuing SOC 2 Type II certification and are preparing for our first formal audit engagement
  • HIPAA: CAIRL is not a HIPAA covered entity or business associate unless explicitly contracted under a Business Associate Agreement. Our security controls are designed to support HIPAA-aligned environments where applicable.
  • BIPA / State Biometric Laws: We maintain explicit consent, retention, and deletion practices that meet or exceed requirements under Illinois BIPA, Texas CUBI, and Washington biometric privacy law
  • GDPR: We act as data controller with consent (biometric) and legitimate interest (service delivery) as legal bases. Standard Contractual Clauses are in place for international transfers.
  • CCPA: We do not sell personal information. Users may exercise access, deletion, and opt-out rights as described in our Privacy Policy.
  • COPPA: Minors participate only through guardian-managed circles with verifiable parental consent.

What We Do Not Claim

We do not represent that we hold any compliance certification until we have completed the relevant audit and received the auditor's report. Statements about our compliance posture describe our practices and intentions, not certified status.

Incident Response

Breach Notification

In the event of a data breach affecting your personal information, we will:

  • Notify affected users as required by applicable law and without unreasonable delay
  • Describe the nature of the breach, the data involved, and the steps we are taking
  • Report to relevant regulatory authorities as required by law

Vulnerability Reporting

If you discover a security vulnerability in CAIRL, please report it responsibly to security@cairl.app. We take all reports seriously and will respond promptly. We ask that you:

  • Not access data belonging to other users
  • Not publicly disclose the vulnerability until we have addressed it
  • Provide sufficient detail for us to reproduce and fix the issue

What We Do Not Do

To be explicit about our security boundaries:

  • We do not sell your data — to anyone, for any reason
  • We do not use your data to train AI — your personal information, biometric data, and verification records are never used for machine learning
  • We do not track you across services — biometric and verification data is not used for cross-platform tracking, advertising, profiling, or behavioral monitoring
  • We do not store your payment details — card information is handled entirely by Stripe and never touches our servers
  • We do not provide voluntary data to law enforcement — we respond only to valid legal obligations as described in our Privacy Policy

Questions

For security questions or to report a concern:

For full details on data handling, see our Privacy Policy. For terms of use, see our Terms of Service.