Security Policy

Our approach to securing biometric data, defending against adversarial attacks, and handling vulnerability reports.

1. Security Architecture

🧬

Client-side Processing

All biometric extraction runs in-browser via WASM — raw signals never leave the device

🔒

Transport Security

TLS 1.3 enforced. HSTS with preload. All API routes are HTTPS-only

🛡️

Content Security Policy

Strict CSP headers on all routes — blocks XSS, clickjacking, and content injection

🔑

API Authentication

Enterprise API keys use 48-byte cryptographic random tokens with per-key permission scopes

🗄️

Database Security

Supabase with Row-Level Security (RLS) enabled on all tables. Service role key server-side only

⏱️

Data Minimisation

Enrollment profiles expire after 90 days and are hard-deleted. No raw biometric storage

2. Anti-Adversarial Hardening

Deep-Check's biometric engine includes four layers of adversarial hardening:

Layer	Technique	Threat Mitigated
Algorithm obfuscation	Feature names and thresholds are hashed / indirected in production builds	Reverse engineering detection thresholds to craft bypass inputs
Timing noise injection	Randomised ±0–3ms jitter added to event processing timestamps	Timing side-channel attacks that probe threshold boundaries
Replay protection	Session IDs include timestamp; replayed biometric streams are rejected via temporal consistency checks	Replay attacks using pre-recorded genuine session data
Hash integrity	Session payloads are SHA-256 hashed client-side; server verifies hash on receipt	Man-in-the-middle tampering with biometric scores in transit

3. Penetration Testing & Audits

Deep-Check has not yet undergone a formal third-party penetration test. This is on our roadmap for Q3 2026 prior to enterprise deployment in regulated sectors.

Internal security reviews are conducted:

On every major feature release
After any dependency update flagged by automated vulnerability scanning (GitHub Dependabot)
In response to any reported vulnerability

4. Responsible Disclosure Policy

We welcome responsible security research.
If you discover a vulnerability in Deep-Check, please report it privately before public disclosure. We commit to acknowledging receipt within 48 hours and providing a remediation timeline within 7 business days.

How to report:

Email: security@deep-check.io
PGP key: available on request
Standard: /.well-known/security.txt

Scope (in-scope for reports):

Authentication bypass or privilege escalation
Biometric data exfiltration or exposure
Injection vulnerabilities (SQLi, XSS, etc.)
Algorithm bypass that reliably defeats biometric detection
Sensitive data exposure in API responses

Out of scope:

Social engineering attacks against Deep-Check staff
Denial of service attacks
Issues in third-party dependencies already tracked by their maintainers

We do not currently offer a paid bug bounty programme but will publicly acknowledge researchers who report valid, responsibly disclosed vulnerabilities (with their consent).

5. Acknowledgments

No vulnerabilities have been publicly disclosed to date. This section will list researchers who have responsibly disclosed security issues once our programme is active.

6. Compliance Roadmap

Certification	Status	Target
GDPR / RGPD	🟡 In progress — DPIA pending	Q2 2026
EU AI Act (High-Risk)	🟡 Architecture review complete — documentation in progress	Q3 2026
ISO 27001	⚪ Planned	Q1 2027
ENS (Esquema Nacional de Seguridad)	⚪ Planned — required for Spanish public sector	Q2 2027
Independent algorithm audit	⚪ Planned — partner selection in progress	Q3 2026