
Trustaige · Trust center

Security by architecture, not by promise.

Identity platforms get audited for a living. Trustaige is built so the audit is a short conversation: no shared secrets, no passwords ever stored, hardware-bound credentials, immutable event log, per-tenant encryption. The pages below cover the architecture decisions that make those claims structural — not aspirational.

Architecture

Four properties of the platform — guaranteed by how it's built.

These aren’t security features bolted on. They’re the consequences of architectural choices made at the foundation. They cannot be turned off, misconfigured, or quietly downgraded by an attacker who breaches one layer of the stack.

01

No shared secrets, anywhere

Traditional authentication stores passwords or tokens on the server, creating a target. Trustaige stores only the public half of each credential. Private keys live exclusively in the user’s device hardware (TPM, Secure Enclave, hardware security key) and never reach our servers. A full server breach exposes public keys, which cannot be used to answer an authentication challenge.

02

Phishing-resistant by protocol, not by training

Credentials are scoped to the relying-party domain (the RP ID) they were created for. A passkey registered for your tenant is never offered to a look-alike domain: the browser refuses to use it from an origin the RP ID does not cover, and the origin it does sign is carried in the client data the server verifies. There is no user judgment in the loop and no awareness training to depend on.

03

Biometrics stay on the device

Biometric verification happens locally to unlock the user’s private credential. Fingerprints, face templates, voice prints — none of it reaches Trustaige servers. The platform that doesn’t hold biometric data can’t lose it. This is also a deliberate position on procurement: customers don’t inherit a biometric-database compliance obligation by deploying us.

04

Per-tenant encryption with integrity verification

Each organization’s secrets are encrypted with a unique key derived for that tenant. A breach affecting one tenant’s key material cannot decrypt another tenant’s data. Every secret is checksummed before encryption and verified on decryption — tampering at rest is caught on read, before the data reaches an application.

Standards we conform to

Built on open standards. Auditable by anyone.

Every layer of Trustaige speaks an open standard maintained by an independent body. If you ever decide to leave, the same standards work in your new home.

FIDO2 / WebAuthn

W3C & FIDO Alliance

Passwordless authentication; hardware-bound credentials.

OpenID Connect

OpenID Foundation

Modern OAuth-based single sign-on for web and mobile apps.

SAML 2.0

OASIS Standard

Enterprise SSO for the apps your customers already federate with.

SCIM 2.0

IETF RFC 7643 / 7644

Inbound directory sync and outbound provisioning.

OAuth 2.0 + PKCE

IETF RFC 6749 / 7636

Authorization code flow with Proof Key for Code Exchange.

OAuth 2.0 Device Authorization

IETF RFC 8628

Device flow for CLIs and input-constrained apps.

CEF, LEEF, OCSF v1.3

ArcSight · IBM QRadar · OCSF Project

Audit export formats — the same shapes your SOC and auditor already read.
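One of those export shapes, CEF, as an added example rather than Trustaige's exporter: the format is a pipe-delimited header followed by key=value extensions, and the part integrators get wrong is escaping, without which a username containing a pipe, an equals sign or a newline shifts fields or forges a second event in the SIEM. The vendor, product, field names and event are constructed for illustration.

```javascript
// Added example, not Trustaige code: writing an audit event as one CEF line
// with the escaping the format requires, so attacker-controlled values (a
// username containing "|", "=" or a newline) cannot shift fields or forge a
// second event. The event fields and product name are constructed.

// Header fields: escape backslash and pipe. Extension values: escape
// backslash and "=", and fold newlines so one event stays on one line.
const escHeader = (v) => String(v).replace(/\\/g, '\\\\').replace(/\|/g, '\\|');
const escExt = (v) => String(v).replace(/\\/g, '\\\\').replace(/=/g, '\\=').replace(/\r?\n/g, '\\n');

function toCEF({ vendor, product, version, signatureId, name, severity, extension }) {
  const sev = Number(severity);
  if (!Number.isInteger(sev) || sev < 0 || sev > 10) throw new RangeError('severity must be 0-10');
  const header = [vendor, product, version, signatureId, name, sev].map(escHeader).join('|');
  const ext = Object.entries(extension).map(([k, v]) => `${k}=${escExt(v)}`).join(' ');
  return `CEF:0|${header}|${ext}`;
}

// A failed login whose username tries to inject a field and a second event.
function demoCefLine() {
  return toCEF({
    vendor: 'Trustaige', product: 'IdP', version: '1.0', signatureId: 'auth.failure',
    name: 'Login failed', severity: 5,
    extension: { suser: 'bob=admin|x', msg: 'bad signature\nCEF:0|evil|', src: '203.0.113.9' },
  });
}
```

Note that a pipe inside an extension value is legal and left alone; only the header is pipe-delimited. The newline folding is what keeps a line-oriented collector from treating the injected `CEF:0|evil|` as a new record.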

Compliance roadmap

Honest about where we are; transparent about where we're headed.

Some of the frameworks below are achieved; others are aligned, mapped, or planned. We mark each one clearly so a security buyer can take a fair read in five seconds.

NDPA 2023 (Nigeria Data Protection Act)

Achieved

Trustaige operates as a registered data controller under the NDPA, has a designated Data Protection Officer, and processes personal data under documented legal bases. Cookie consent satisfies GAID 2025.

GDPR alignment

Aligned

We process personal data under principles consistent with the EU GDPR — data minimisation, purpose limitation, right of access, right to erasure. Customers can request a data-processing addendum.

SOC 2 Type II

Planned

A Trust Services Criteria audit is planned. The control environment, monitoring, and access reviews described elsewhere on this site are the controls being readied for that examination. SOC 2 reports will be made available to customers under NDA once issued.

NIST 800-53 / 800-63B

Mapped

Our control mappings to the AC (Access Control), AU (Audit and Accountability), and IA (Identification and Authentication) families cover the bulk of access-related controls. We support authenticator assurance levels AAL1 through AAL3 as defined in SP 800-63B.

Coordinated disclosure

Found something? Tell us.

If you’ve identified a security issue in Trustaige, we want to hear about it. We acknowledge reports within one business day, give you a public credit when the issue is fixed, and don’t take legal action against good-faith research.

security@trustaige.com

Our policy

  • Acknowledgement within one business day.
  • Initial assessment within 5 business days, with a triage status.
  • Coordinated disclosure window: 90 days from acknowledgement, extendable by mutual agreement.
  • Public credit (or anonymity, your call) once a fix is released.
  • We don’t pursue legal action against good-faith security research conducted under this policy.

Start a conversation

If your auth layer is on the agenda, so are we.

We'll walk through a working deployment, map it to your stack, and tell you honestly where Trustaige fits — and where it doesn't.

Office

Trustaige Limited
Spacepad Building, KM 18 Lekki-Epe Expressway
Lagos, Nigeria
