UniAuth
Trust center

Security and compliance you can verify

UniAuth is built on verifiable security practices, open standards, and transparent data handling. Every claim on this page maps to a concrete implementation.

Compliance

Compliance status

Framework-by-framework status. Self-attested means we implement the technical controls; certified requires a linked third-party report.

GDPR: Self-attested. Data subject rights, DPA available, EU residency supported.

CCPA: Self-attested. California opt-out, data inventory, DSR support.

SOC 2 Type II: In progress. Controls implemented; third-party audit not yet completed.

FIPS 203 (ML-KEM): Self-attested. Post-quantum key encapsulation used for session keys.

FIPS 204 (ML-DSA): Self-attested. Post-quantum digital signatures on every session.

FIDO2 / WebAuthn: Self-attested. Passkey and hardware key support with direct attestation.

HIPAA: Not started. Not yet evaluated.

ISO 27001: Not started. Not yet evaluated.

About self-attestation: frameworks marked self-attested mean we implement the required technical controls in the codebase, but have not been audited by an independent third party. Don't rely on this page as proof of compliance in regulated procurement; ask us for the latest detail. When a third-party audit completes, this page will link the report and the status will change to certified.

Standards

Security standards and protocols

Built on NIST, IETF, and OASIS standards. No proprietary lock-in.

FIPS 203 (ML-KEM): Post-quantum key encapsulation for key exchange and rotation.

FIPS 204 (ML-DSA): Post-quantum digital signatures on every user session.

FIDO2 / WebAuthn: Passkey and hardware security key support with direct attestation.

OAuth 2.0 / OIDC: Standards-compliant authorization server and OpenID provider.

SAML 2.0: Full IdP with SSO, SLO, signed assertions, and metadata.

SCIM 2.0: Automated user and group provisioning with bulk operations.

Data handling

How we handle your data

Data storage

All data is stored in PostgreSQL with TLS-encrypted connections. Database backups are encrypted with AES-256 and stored in geographically redundant locations. No data is stored in third-party analytics or tracking services.

Encryption

AES-256-GCM encryption at rest for all sensitive values: TOTP secrets, OAuth tokens, PQC private keys, LDAP passwords. TLS 1.3 for data in transit. The at-rest encryption key is a separate 256-bit key, independent of the JWT signing secrets, so a leaked signing secret does not expose stored secrets and vice versa.

Data minimization

Pairwise subject identifiers prevent cross-app user correlation. Only data necessary for authentication is collected. No behavioral tracking, no advertising profiles, no data sales.
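As an added illustration of the pairwise subject identifier control above (example code, not UniAuth's own implementation), this follows the pairwise algorithm suggested in OpenID Connect Core 1.0 section 8.1, using HMAC-SHA256 keyed with a server-side salt as a slightly stronger variant of the spec's plain hash; the salt, client records and account id are constructed for the demo.

```python
import hashlib
import hmac
import secrets
from urllib.parse import urlparse

# Hypothetical server-side secret, generated fresh here for the demo.
# In a real provider it is a long-lived secret: rotating it changes every sub.
PAIRWISE_SALT = secrets.token_bytes(32)


def sector_identifier(client: dict) -> str:
    """Derive the sector identifier for a client registration.

    Clients that register the same sector_identifier_uri deliberately share a
    sector (one organisation's apps may correlate their own users); otherwise
    the host of the client's first redirect URI is the sector.
    """
    uri = client.get("sector_identifier_uri") or client["redirect_uris"][0]
    host = urlparse(uri).hostname
    if not host:
        raise ValueError(f"client {client.get('client_id')} has no usable host")
    return host.lower()


def pairwise_sub(local_account_id: str, client: dict, salt: bytes = PAIRWISE_SALT) -> str:
    """Return a stable, client-scoped subject identifier for one account.

    The same account yields the same sub for one sector every time, but a
    different sub for every other sector, so two unrelated relying parties
    cannot join their user tables on sub. Without the salt, a relying party
    could not recompute or brute-force the mapping either.
    """
    sector = sector_identifier(client)
    message = f"{sector}\x00{local_account_id}".encode()
    return hmac.new(salt, message, hashlib.sha256).hexdigest()


if __name__ == "__main__":
    # Constructed client registrations for the demo.
    crm = {"client_id": "crm", "redirect_uris": ["https://crm.example.com/cb"]}
    hr = {"client_id": "hr", "redirect_uris": ["https://hr.example.org/cb"]}
    account = "acct-1234"
    print("crm sees:", pairwise_sub(account, crm))
    print("hr sees: ", pairwise_sub(account, hr))
```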

Retention and deletion

Configurable data retention policies. Default: sessions purged after 30 days, OTP tokens after 24 hours, activity logs after 1 year. Full account self-deletion with complete data purge available at any time.

Responsible disclosure

We take security vulnerabilities seriously. If you discover a security issue in UniAuth, please report it responsibly. We commit to acknowledging reports within 24 hours, providing an initial assessment within 72 hours, and keeping you informed of remediation progress.

Qualifying reports are eligible for our bug bounty program. Severity is assessed using CVSS 3.1 scoring. We do not pursue legal action against researchers who follow responsible disclosure guidelines.

Have compliance questions?

Our security team is available to discuss architecture, share audit reports, or complete your vendor security questionnaire.