UIP’s security model has two halves: proving a result is genuine (covered in Verification & trust) and protecting the data around it. This page covers the second.

In transit & at rest

TLS everywhere

All API calls and webhook deliveries are over HTTPS/TLS.

Encrypted responses

The wallet encrypts its response to a per-request key; only UIP’s server can decrypt it. The hosted page relays ciphertext it cannot read.

PII sealed at rest

Signer identity in the audit ledger is encrypted with envelope encryption (KMS-backed in production).

Signed webhooks

Every delivery is HMAC-SHA256 signed; verify it before trusting a payload (see Webhooks).

Anti-replay & binding

  • Per-step nonce + origin. The holder’s signature covers a fresh nonce and your origin, so a captured response can’t be replayed against another request.
  • First-open binding. The first browser to open a session is bound to it; no other device can submit a response for that session.
  • Idempotency. An Idempotency-Key on create makes retried creates safe; webhook X-UIP-Delivery-Id makes retried deliveries safe to dedupe.

Data minimization

UIP is designed to hold as little as possible:
  • Only what you request. identify discloses exactly the blocks you ask for.
  • age_verify reveals only a boolean to you, never the birth date; the underlying identity is sealed in the audit and flagged redacted.
  • Documents are ephemeral. sign file bytes are purged after the session ends; only the hash + signature persist.
  • No standing identity. There’s no UIP login the user maintains; each session is a fresh, consented disclosure from their wallet.

Your responsibilities

The hosted url is a capability URL — deliver it only to the intended user, and don’t open it server-side before handing it over (that would consume the binding).
Recompute the HMAC over the raw body and compare in constant time. Reject stale timestamps to bound replay windows. Dedupe on the delivery id.
Keep your API key and webhook secret server-side. Rotate the webhook secret from the dashboard if exposed. API keys are scoped to your business.
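The webhook checks listed above (HMAC over the raw body, constant-time compare, staleness bound, dedupe on the delivery id) as one receiver-side routine. This is an added example, not UIP's own code: only X-UIP-Delivery-Id appears in these docs, so the signature and timestamp header names, the "<timestamp>.<body>" signing input, the hex encoding and the 300-second window are assumptions to be checked against the Webhooks page.

```python
import hmac
import hashlib
import time
from typing import Optional, Tuple

# Assumed header names (only X-UIP-Delivery-Id is documented on this page).
SIGNATURE_HEADER = "X-UIP-Signature"
TIMESTAMP_HEADER = "X-UIP-Timestamp"
DELIVERY_ID_HEADER = "X-UIP-Delivery-Id"
MAX_SKEW_SECONDS = 300  # assumed replay window


def compute_signature(secret: bytes, timestamp: str, raw_body: bytes) -> str:
    # Assumed signing input: "<timestamp>.<raw body>". Binding the timestamp
    # into the MAC is what makes the staleness check below meaningful.
    msg = timestamp.encode() + b"." + raw_body
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def verify_delivery(headers: dict, raw_body: bytes, secret: bytes,
                    seen_ids: set, now: Optional[float] = None) -> Tuple[bool, str]:
    """Return (accepted, reason). Verify over the raw bytes exactly as received,
    never over a re-serialized JSON object, or the MAC will not match."""
    now = time.time() if now is None else now
    sig = headers.get(SIGNATURE_HEADER, "")
    ts = headers.get(TIMESTAMP_HEADER, "")
    delivery_id = headers.get(DELIVERY_ID_HEADER, "")
    if not (sig and ts and delivery_id):
        return False, "missing header"
    try:
        ts_value = int(ts)
    except ValueError:
        return False, "bad timestamp"
    # Staleness check bounds how long a captured delivery stays replayable.
    if abs(now - ts_value) > MAX_SKEW_SECONDS:
        return False, "stale timestamp"
    expected = compute_signature(secret, ts, raw_body)
    # Constant-time comparison avoids leaking MAC bytes through timing.
    if not hmac.compare_digest(expected, sig):
        return False, "bad signature"
    # Dedupe only after the MAC passes, so forged ids cannot poison the
    # seen set and cause a genuine later delivery to be dropped.
    if delivery_id in seen_ids:
        return False, "duplicate delivery"
    seen_ids.add(delivery_id)
    return True, "ok"
```

In a real receiver, seen_ids should be a shared store (database or cache) with a TTL at least as long as the replay window, not an in-process set.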

Compliance posture

  • Tamper-evident, append-only audit records with independent (RFC 3161) timestamps — designed to be presentable as evidence.
  • Data-minimizing by construction (selective disclosure, anonymous age checks).
  • Government-issuer–anchored verification, not document scraping.
Have a specific regulatory requirement (GDPR data-processing terms, retention, residency)? Contact us.