Security Practices
Effective September 15, 2024 · Last updated February 2025
Disclaimer for the download/accept screen of the App: By installing or using ONEPROOF applications and SDKs, you are agreeing to the terms of our current Privacy Policy, Terms of Use, Cookie Policy, and Acceptable Use Policy. We encourage you to read, revisit, and use these documents to help you make informed decisions.
ONEPROOF INC Security Practices for ONEPROOF Mobile Identity SDKs, Libraries, Container Images, and Hardware Products
This Security Information document applies to ONEPROOF INC (“ONEPROOF”) mobile identity SDKs, client libraries, container images, and Edge hardware products (collectively, the “Software”). ONEPROOF does not operate a hosted cloud service; all Software is deployed and operated by the customer in their own environment. This document describes ONEPROOF’s security practices as a software and hardware vendor, and what enterprise customers receive as part of every engagement.
Security is built into our platform at two levels: at the cryptographic protocol level through strict ISO 18013-5 and ISO 18013-7 implementation, and at the software delivery level through continuous CVE monitoring, secure development practices, and supply chain integrity controls across every published artifact.
01 Security Framework and Governance
ONEPROOF’s security program is aligned with industry-recognized frameworks:
- NIST Cybersecurity Framework: Our development and operational practices are aligned with the NIST CSF Identify, Protect, Detect, Respond, and Recover functions
- OWASP Security Guidelines: All application and SDK development follows OWASP recommendations for secure software design
- Secure Development Lifecycle (SDLC): Security is integrated throughout the development process from design through release, including threat modeling and security review at each stage
02 SDK and Package Security
Every ONEPROOF enterprise engagement includes ongoing security maintenance of the Software artifacts you receive:
- CVE Monitoring: All published SDKs, libraries, and container images are continuously monitored against known CVE databases. When a relevant vulnerability is identified, a patched release is issued and enterprise customers are notified
- Dependency Scanning: All third-party dependencies across every SDK and library are scanned for known vulnerabilities at build time and on an ongoing basis
- Container Image Scanning: All published container images are scanned for CVEs prior to release. Patched image versions are distributed to customers as part of the enterprise service
- Security Patch Distribution: Security fixes are distributed as SDK and library updates. Enterprise customers receive direct notification of security releases with remediation guidance
- Software Bill of Materials (SBOM): An SBOM is available to enterprise customers on request, providing full visibility into the dependency tree of every delivered artifact
03 Supply Chain Security
ONEPROOF maintains integrity controls across the software supply chain:
- Artifact Signing: Published SDKs, libraries, and container images are signed. Customers can verify artifact integrity before deployment
- Reproducible Builds: Infrastructure as Code and automated build pipelines ensure consistent, auditable artifact production with no manual intervention in the release chain
- Dependency Pinning: All dependencies are pinned to verified versions. Transitive dependency updates go through the same CVE scanning and review process as direct dependencies
- Third-Party Vendor Assessment: All third-party tools and services used in development and build pipelines are assessed for security posture before adoption
04 Application Security
ONEPROOF implements comprehensive application security measures in all Software:
- Static Analysis (SAST): Static Application Security Testing is integrated into the CI pipeline for every SDK and library release
- Dynamic Analysis (DAST): Dynamic testing is performed on server-side components prior to release
- Mobile App Security: Certificate pinning, anti-tampering measures, and secure storage implementation in all mobile SDK components
- Cryptographic Implementation: All cryptographic operations use ISO 18013-5 and ISO 18013-7 specified algorithms (COSE, CBOR). No proprietary or deprecated cryptographic methods
05 Cryptographic Security
Security is enforced at the protocol level through strict standard implementation:
- COSE Signing at Issuance: Credentials are cryptographically signed at issuance using COSE (CBOR Object Signing and Encryption). Any tampering invalidates the signature
- No PII in Transit: Verification confirms the cryptographic signature against the issuing authority’s public key. No raw PII is transmitted to ONEPROOF during verification; the credential holder’s data stays between the holder and the verifier
- Selective Disclosure: Field-level disclosure is enforced at the ISO protocol layer, not by application logic. Verifiers receive only the fields explicitly requested and consented to
- Key Management: Hardware Security Modules (HSMs) and automated key rotation policies for issuance infrastructure
06 Identity and Access Management
ONEPROOF enforces strict access controls across internal systems:
- Multi-Factor Authentication (MFA): Required for all employee accounts accessing internal systems, build pipelines, and code repositories
- Role-Based Access Control (RBAC): Granular permissions based on job function and the principle of least privilege
- Privileged Access Management: Just-in-time access and automated privilege revocation for sensitive systems
- Access Reviews: Regular access certification and automated deprovisioning for departing employees
07 Vulnerability Management
Proactive identification and remediation of security vulnerabilities across all published Software:
- Continuous CVE Scanning: All SDKs, libraries, container images, and dependencies are scanned against CVE databases continuously, not just at release time
- Patch Prioritization: Critical and high-severity CVEs are remediated and released on an emergency basis. Medium and low severity follow the standard release cycle
- Responsible Disclosure: Security researchers and customers can report vulnerabilities to security@oneproof.com. We acknowledge reports within 2 business days and communicate remediation timelines
- Customer Notification: Enterprise customers are notified directly when a security patch affects their licensed Software, with clear remediation steps and updated artifact versions
08 Incident Response
ONEPROOF maintains documented incident response procedures:
- Incident Response Plan: Documented procedures for incident classification, escalation, and resolution covering Software vulnerabilities and supply chain events
- Dedicated Response Team: Named individuals with defined roles and responsibilities for security incident handling
- Customer Communication: Enterprise customers are notified of security incidents that affect their licensed Software within a defined SLA. Notification includes impact assessment and remediation guidance
- Post-Incident Review: All security incidents result in a documented root cause analysis and process improvement actions
09 Employee Security
Human factors are critical to our security posture:
- Background Checks: Comprehensive background screening for all employees with access to production systems, code repositories, and customer data
- Security Training: Mandatory security awareness training and role-specific security education for all engineering and operations staff
- Confidentiality Agreements: All employees sign NDAs and security acknowledgment agreements covering customer data and source code
10 Privacy by Design
Privacy guarantees are enforced at the ISO protocol level, not by application policy:
- Zero On-Device Logging: No credential content is written to device logs or storage during verification. The ISO 18013-5 protocol is designed to leave no data residue on the verifier device
- Selective Disclosure Enforced by Standard: The ISO 18013-5 and ISO 18013-7 protocols enforce field-level selective disclosure. Verifiers receive only what was explicitly requested and the credential holder consented to
- No ONEPROOF Data Collection During Verification: ONEPROOF does not receive, store, or have access to credential data exchanged between holders and verifiers. The Software operates entirely within the customer’s deployment boundary
- Customer Deployment Controls Privacy: Because ONEPROOF Software is deployed and operated by the customer, the customer controls all data retention, logging, and privacy policies within their environment. ONEPROOF provides technical guidance for GDPR- and CCPA-aligned deployments on request
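The selective-disclosure and tamper-detection mechanism that sections 05 and 10 rely on can be shown end to end. The example below is added here for illustration and is not ONEPROOF code; it models the ISO 18013-5 mdoc pattern in which the issuer commits to a salted SHA-256 digest of every data element, the holder releases only the requested elements, and the verifier recomputes the digests against the issuer's digest table. Assumptions: canonical JSON stands in for the CBOR encoding the standard uses, the COSE_Sign1 signature over the digest table (the MSO) is treated as already verified against the issuer's public key and is out of scope, and all credential values are constructed sample data.

```python
import hashlib
import json
import secrets

# Constructed sample credential data; not real personal data.
NAMESPACE = "org.iso.18013.5.1"
SAMPLE_ELEMENTS = {
    "family_name": "Doe",
    "given_name": "Jane",
    "birth_date": "1990-01-01",
    "age_over_21": True,
    "document_number": "SAMPLE-000001",
}


def _encode(obj):
    # Assumption: canonical JSON stands in for the CBOR (tag 24) byte
    # encoding that ISO 18013-5 digests for each IssuerSignedItem.
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def issue(elements, namespace=NAMESPACE):
    """Issuer side: build one IssuerSignedItem per field and the digest table
    that goes into the MSO. In the real protocol the MSO is COSE-signed by the
    issuing authority; that signature step is assumed and not modelled here."""
    items = {}
    value_digests = {}
    for digest_id, (name, value) in enumerate(elements.items()):
        item = {
            "digestID": digest_id,
            # Per-field random salt: a verifier holding only the digest table
            # cannot brute-force the value of a field that was not disclosed.
            "random": secrets.token_hex(16),
            "elementIdentifier": name,
            "elementValue": value,
        }
        items[name] = item
        value_digests[digest_id] = hashlib.sha256(_encode(item)).hexdigest()
    mso = {"digestAlgorithm": "SHA-256", "valueDigests": {namespace: value_digests}}
    return items, mso


def present(items, requested):
    """Holder side: release only the requested items. Fields the holder does
    not disclose never leave the device; the verifier sees just their digests."""
    return [items[name] for name in requested if name in items]


def verify(mso, disclosed, namespace=NAMESPACE):
    """Verifier side: recompute each disclosed item's digest and compare it with
    the issuer's (signed) digest table. Returns (ok, fields). Any edit to a
    value, identifier or salt changes the digest and fails the check."""
    table = mso["valueDigests"][namespace]
    fields = {}
    for item in disclosed:
        expected = table.get(item["digestID"])
        actual = hashlib.sha256(_encode(item)).hexdigest()
        if expected is None or actual != expected:
            return False, {}
        fields[item["elementIdentifier"]] = item["elementValue"]
    return True, fields


if __name__ == "__main__":
    items, mso = issue(SAMPLE_ELEMENTS)
    # A bar only needs the over-21 attribute; name and birth date stay on the device.
    disclosed = present(items, ["age_over_21"])
    print(verify(mso, disclosed))
    tampered = [dict(disclosed[0], elementValue=False)]
    print(verify(mso, tampered))
```

The point to take from the code is the one the page makes: minimisation is a property of the data structure, not of verifier-side policy. A verifier cannot reconstruct an undisclosed field from the digest table because of the per-item salt, and it cannot accept an altered field because the digest no longer matches what the issuer signed.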
How to Contact Us
Security-related questions, vulnerability reports, or incident notifications should be directed to:
- Security Team: security@oneproof.com
- Privacy Inquiries: privacy@oneproof.com
Updates to This Document
ONEPROOF regularly updates our security practices and this document as our Software evolves. Enterprise customers are notified of material changes to security practices that affect their licensed Software.
