Security and compliance you can verify
UniAuth is built on verifiable security practices, open standards, and transparent data handling. Every claim on this page maps to a concrete implementation.
Regulatory compliance
We maintain compliance with major regulatory frameworks and undergo regular third-party audits.
SOC 2 Type II
Compliant. Annual audit covering security, availability, and confidentiality trust service criteria. Report available under NDA.
GDPR
Compliant. Full data subject rights: export, deletion, portability. Data processing agreements available. EU data residency supported.
CCPA
Compliant. California Consumer Privacy Act compliance with opt-out mechanisms, data inventory, and annual disclosure reporting.
Security standards and protocols
Built on NIST, IETF, and OASIS standards. No proprietary lock-in.
FIPS 203 (ML-KEM)
Post-quantum key encapsulation for key exchange and rotation
FIPS 204 (ML-DSA)
Post-quantum digital signatures on every user session
FIDO2 / WebAuthn
Passkey and hardware security key support with direct attestation
OAuth 2.0 / OIDC
Standards-compliant authorization server and OpenID provider
SAML 2.0
Full IdP with SSO, SLO, signed assertions, and metadata
SCIM 2.0
Automated user and group provisioning with bulk operations
How we handle your data
Data storage
All data is stored in PostgreSQL with TLS-encrypted connections. Database backups are encrypted with AES-256 and stored in geographically redundant locations. No data is stored in third-party analytics or tracking services.
Encryption
AES-256-GCM encryption at rest for all sensitive values: TOTP secrets, OAuth tokens, PQC private keys, LDAP passwords. TLS 1.3 for data in transit. Separate 256-bit encryption key independent of JWT signing secrets.
Data minimization
Pairwise subject identifiers prevent cross-app user correlation. Only data necessary for authentication is collected. No behavioral tracking, no advertising profiles, no data sales.
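Pairwise subject identifiers, the mechanism the data minimization note relies on, are specified in OpenID Connect Core 1.0 section 8.1. The Python below is an added example (not UniAuth's implementation) of how a provider derives them so that two unrelated relying parties receive different `sub` values for the same user while apps sharing a registered sector_identifier_uri receive the same one; the salt and client registrations are constructed values.

```python
import hashlib
from urllib.parse import urlparse

# Added illustration of OIDC pairwise subject identifiers (not UniAuth's code).
# Follows the example derivation in OpenID Connect Core 1.0, section 8.1:
#   sub = SHA-256(sector_identifier || local_account_id || salt)
# Each field is length-prefixed so the concatenation is unambiguous. The salt
# is a constructed stand-in for a secret the identity provider keeps.
PROVIDER_SALT = b"constructed-salt-kept-secret-by-the-idp"

def sector_identifier(redirect_uris, sector_identifier_uri=None):
    """Sector host: shared sector_identifier_uri if registered, else redirect host."""
    host = urlparse(sector_identifier_uri or redirect_uris[0]).hostname
    if not host:
        raise ValueError("redirect URI without a host")
    return host  # urlparse already lowercases the hostname

def _field(data: bytes) -> bytes:
    return len(data).to_bytes(4, "big") + data

def pairwise_sub(sector: str, local_account_id: str, salt: bytes = PROVIDER_SALT) -> str:
    """Stable per-sector subject identifier for one local account."""
    h = hashlib.sha256()
    for part in (sector.encode(), local_account_id.encode(), salt):
        h.update(_field(part))
    return h.hexdigest()

def subs_seen_by_clients(local_account_id, clients):
    """client_id -> the sub that relying party receives for this user."""
    return {
        cid: pairwise_sub(sector_identifier(c["redirect_uris"],
                                            c.get("sector_identifier_uri")),
                          local_account_id)
        for cid, c in clients.items()
    }

# Constructed relying parties: two unrelated apps, plus two apps of one
# operator that registered a common sector_identifier_uri.
SHARED = "https://id.example-c.test/sectors.json"
CLIENTS = {
    "crm":  {"redirect_uris": ["https://crm.example-a.test/cb"]},
    "wiki": {"redirect_uris": ["https://wiki.example-b.test/cb"]},
    "shop": {"redirect_uris": ["https://shop.example-c.test/cb"], "sector_identifier_uri": SHARED},
    "blog": {"redirect_uris": ["https://blog.example-c.test/cb"], "sector_identifier_uri": SHARED},
}
```

Because the salt never leaves the provider, a relying party holding only its own `sub` values cannot recompute or match them against another sector's.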
Retention and deletion
Configurable data retention policies. Default: sessions purged after 30 days, OTP tokens after 24 hours, activity logs after 1 year. Full account self-deletion with complete data purge available at any time.
Responsible disclosure
We take security vulnerabilities seriously. If you discover a security issue in UniAuth, please report it responsibly. We commit to acknowledging reports within 24 hours, providing an initial assessment within 72 hours, and keeping you informed of remediation progress.
Qualifying reports are eligible for our bug bounty program. Severity is assessed using CVSS 3.1 scoring. We do not pursue legal action against researchers who follow responsible disclosure guidelines.