Signex security is architecture, not a promise
The private key never leaves the browser. The server receives public certificate fields only. Infrastructure is hosted in Kazakhstan.
Private key is never sent to the server
Only public certificate fields are stored server-side
Signex infrastructure is hosted in Kazakhstan
Data inventory
| What | Where | How long | Who has access |
|---|---|---|---|
| | Identity DB | Until account deletion | Account owner and system admins |
| Passphrase hash | Identity DB | Until account deletion | Plain passphrases are never visible |
| IIN | Certificate rows | Until certificate or account deletion | Account owner; masked in logs |
| Full name and certificate fields | Certificate rows | Until certificate or account deletion | Account owner |
| Audit log | Audit DB | Anonymized after user deletion | System admins for investigations |
| CSP reports | Application logs | Short term | Operations team |
v1 threat model
We defend against opportunistic scanners, credential stuffing, account enumeration, CSRF, bot bursts, and accidental IIN or token leakage in logs.
v1 does not model state actors, motivated insiders with production DB access, full DDoS, or cryptographic proof that a linked certificate belongs to the user.
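The log masking named in the threat model and the data inventory could be implemented as a logging filter like the one below. This is an added example, not Signex code. It assumes an IIN is a standalone run of 12 digits, that tokens appear as `Bearer <value>` or as token/session/secret key-value pairs, and that keeping the last two IIN digits is acceptable; the logger name is hypothetical.

```python
import io
import logging
import re

# Assumption: an IIN is exactly 12 digits, not embedded in a longer number.
IIN_RE = re.compile(r"(?<!\d)\d{12}(?!\d)")
# Assumption: tokens show up as "Bearer <value>" or as key=value / key: value pairs.
BEARER_RE = re.compile(r"(?i)\b(bearer)\s+[A-Za-z0-9._~+/=-]+")
KV_RE = re.compile(
    r"(?i)\b((?:access_|refresh_|csrf_)?token|session|secret)(\s*[=:]\s*)([^\s&,;]+)"
)


def redact(text: str) -> str:
    """Mask IINs (keeping the last 2 digits for correlation) and drop token values."""
    text = IIN_RE.sub(lambda m: "*" * 10 + m.group()[-2:], text)
    text = BEARER_RE.sub(r"\1 [REDACTED]", text)
    return KV_RE.sub(r"\1\2[REDACTED]", text)


class RedactingFilter(logging.Filter):
    """Redacts the fully formatted message, so values passed as %-args are covered."""

    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = redact(record.getMessage())
        record.args = None  # the message is already formatted
        return True


def demo() -> str:
    """Log constructed sample lines through the filter and return what was written."""
    buf = io.StringIO()
    handler = logging.StreamHandler(buf)
    handler.addFilter(RedactingFilter())
    log = logging.getLogger("signex.example")  # hypothetical logger name
    log.handlers, log.propagate = [handler], False
    log.setLevel(logging.INFO)
    # Constructed values, not real identifiers or credentials.
    log.info("cert linked iin=%s thumbprint=%s", "900101300123", "ab12cd")
    log.info("upstream call Authorization: Bearer %s", "eyJhbGciOi.constructed.sig")
    log.info("callback /verify?token=abc123&next=/home order=1234567890123")
    return buf.getvalue()


if __name__ == "__main__":
    print(demo(), end="")
```

Attaching the filter to the handler rather than to a single logger means records from any logger that reach that handler are redacted before they are written.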
Accepted risks
- style-src 'unsafe-inline' remains for Tailwind CSS variables.
- A malicious actor who knows an email can temporarily lock that user.
- Thumbprints and IINs are not globally unique across users.
- NCA RK chain validation is not performed server-side.
- Certificate link is not proof-of-possession.
- CSP reporting is anonymous, with caps and filtering.
Kazakhstan personal data law citation will be added after legal review.
Report a vulnerability