Provii Transparency Report

Maelstrom AI's commitment to transparency in age verification

Public

Our Commitment to Transparency

Transparency is a core value for Maelstrom AI. While most age verification companies treat their security practices as trade secrets, we believe that privacy and security are strengthened by openness, not obscured by secrecy.

Why Transparency Matters for Age Verification

Traditional age verification systems ask users to trust privacy policies and corporate promises. The Provii platform offers something better: independently verifiable privacy properties through:

  • Open source code - Anyone can audit our cryptographic implementation
  • Public ISMS - Complete security documentation available for review
  • Published architecture - Data flows and privacy protections fully documented
  • Zero knowledge proofs - Mathematical design that makes PII collection architecturally unnecessary

Bottom Line: We don’t ask you to trust our privacy promises. We enable you to verify them.


What We Make Public

1. Open Source Code

Status: ✅ Fully open source

Repositories:

  • provii-crypto. Cryptographic primitives (Groth16 ZK-SNARKs, Pedersen commitments, RedJubjub signatures)
  • provii-agegate. Browser SDK for website integration
  • agegate-rust. Core verification and issuance services
  • Provii mobile wallet. Reference mobile wallet implementation (client repository under the MaelstromAI GitHub enterprise)
  • Demo applications. Complete end-to-end examples

Why: Open source enables independent security review and builds trust through transparency. The Provii zero knowledge architecture has no trade secrets that need protection through obscurity.

Where: GitHub (public repositories)

License: Apache 2.0 / MIT (permissive open source)

2. Information Security Management System (ISMS)

Status: ✅ Publicly published

Location: maelstrom.au/trust (GitHub: docs/iso27001-isms branch)

Coverage:

  • All ISO 27001:2022 policies (93 Annex A controls, 95%+ implemented)
  • Complete risk register with documented mitigations
  • Statement of Applicability showing control implementation status
  • Security controls mapped to ISO 27001, ISO 27701, NIST 800-63
  • Privacy controls aligned with GDPR, CCPA, Privacy by Design

Why: Publishing our ISMS demonstrates that we practise what we preach. Other companies claim to have security policies. We show ours.

Unique Achievement: Most companies treat ISMS as confidential. Maelstrom AI publishes everything because the Provii zero knowledge architecture has nothing to hide.

3. Architecture Documentation

Status: ✅ Publicly published

What:

  • System Architecture. Component interactions, service boundaries, trust model
  • Data Flows. Complete documentation of what data goes where (and what doesn’t)
  • Trust Model. Which parties learn what information (spoiler: very little)
  • Cryptographic Specifications. Groth16 circuits, commitment schemes, signature algorithms
  • Privacy Guarantees. Cryptographic design documentation of what the system is designed not to reveal

Why: Users should understand how their data is (or isn’t) processed. Transparency enables informed consent.

Notable: Zero knowledge proof circuits are fully documented, showing exactly what is proven (age >= threshold) and what remains private (actual date of birth).

4. Compliance Documentation

Status: ✅ Publicly published

What We Publish:

  • ISO 27001 Alignment. 95%+ implementation of all 93 controls
  • ISO 27701 Mapping. Privacy extension controls for PII management
  • Privacy by Design Assessment. Evaluation against all 7 foundational principles (5/7 EXEMPLARY, 7/7 IMPLEMENTED)
  • GDPR Alignment Statement. Article-by-article alignment with EU privacy regulation (self-assessed)
  • CCPA Alignment Statement. California privacy rights implementation (self-assessed)
  • NIST 800-63 Alignment. Digital identity assurance levels (IAL2-IAL3, AAL2-AAL3, FAL2-FAL3)
  • Unified Control Matrix. Single source mapping requirements across all standards
  • Evidence Repository. Proof of control implementation

Why: We don’t just claim compliance. We demonstrate it with verifiable evidence.

Maelstrom AI publishes complete compliance documentation alongside ISMS policies and architecture details.


What We Collect (and Don’t Collect)

Data We Collect

  • IP Address (hashed with SHA-256). Purpose: anti-abuse, rate limiting, operational diagnostics. Retention: 90 days (auto-deleted); critical security event logs are retained for up to 365 days. Legal basis: legitimate interest (fraud prevention)
  • Challenge IDs (random UUIDs). Purpose: verification session management. Retention: 5 minutes (auto-expire). Legal basis: necessary for service delivery
  • Credential Nullifiers (one-way hashes). Purpose: replay prevention (stop credential reuse). Retention: checked against the ban list only. Legal basis: necessary for service security
  • Timestamps. Purpose: operational logging, retention enforcement. Retention: tied to the retention period of the data they accompany. Legal basis: necessary for service delivery

Total Categories of Personal Information: 1 out of 11 CCPA categories (Internet/Network Activity)

Reference: Data Retention Policy (/trust/security/data-retention.mdx)

Data We Do NOT Collect

The following data is architecturally designed not to be collected by Maelstrom AI-operated services:

NOT COLLECTED (By Zero-Knowledge Design):

Personal Identifiers:
❌ Names (first, middle, last)
❌ Email addresses
❌ Phone numbers
❌ Physical addresses (home, work, mailing)
❌ Usernames or account identifiers

Age/Identity Data:
❌ Dates of birth (processed ephemerally server-side during issuance: Pedersen commitment computed, raw DOB discarded immediately, never persisted; not collected during verification)
❌ Exact age (only binary threshold proven: over/under)
❌ Government-issued ID numbers (driver's license, passport, SSN)
❌ Identity document scans or photos

Biometric Information:
❌ Facial recognition data
❌ Fingerprints
❌ Voice prints
❌ Retinal scans
❌ Any biometric identifiers

Financial Information:
❌ Credit card numbers
❌ Bank account details
❌ Financial transaction history

Location Information:
❌ Precise geolocation (GPS coordinates)
❌ Home/work addresses
❌ Location history

Online Activity:
❌ Browsing history
❌ Search queries
❌ Cross-site tracking identifiers
❌ Persistent user IDs
❌ Advertising cookies

Other Sensitive Data:
❌ Health information
❌ Sexual orientation
❌ Racial or ethnic origin
❌ Religious beliefs
❌ Political affiliations
❌ Union membership

Why We Don’t Collect: Zero knowledge architecture is designed to make PII collection unnecessary. The Pedersen commitment to date of birth is computed server-side during issuance; the raw DOB is discarded immediately and never persisted. During verification, no PII is transmitted or collected.

Evidence:

  • Privacy Architecture Evidence (/trust/compliance/evidence/privacy-controls/privacy-architecture-evidence.md, Lines 37-95)
  • Information Security Policy: “Zero knowledge First” principle
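The issuance flow described above (commitment computed, raw DOB discarded, wallet keeps the opening) as an added toy example; this is not Provii code. Provii commits on the Jubjub curve inside a Groth16 circuit, whereas the toy below uses a prime-order subgroup of Z_p* with a deterministically found 64-bit safe prime so it runs on the Python standard library alone. The generator labels, the sample DOB, the `issue`/`open_commitment` function names, and the choice that the issuer draws the blinding factor are all assumptions made for the demonstration; the page does not say which party draws it.

```python
"""Toy Pedersen commitment to a date of birth (added illustration, not Provii code)."""
import hashlib
import random

# Deterministic Miller-Rabin: these bases are a proven-correct primality test for
# n < 3.3e24, which covers every candidate the 64-bit search below produces.
_MR_BASES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)


def is_prime(n: int) -> bool:
    if n < 2:
        return False
    for b in _MR_BASES:
        if n % b == 0:
            return n == b
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for a in _MR_BASES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def find_safe_prime(bits: int, seed: int = 0) -> tuple:
    """Return (p, q) with p = 2q + 1 both prime; seeded so the toy group is reproducible."""
    rng = random.Random(seed)
    while True:
        q = rng.getrandbits(bits - 1) | (1 << (bits - 2)) | 1
        p = 2 * q + 1
        if is_prime(q) and is_prime(p):
            return p, q


P, Q = find_safe_prime(64)


def _to_subgroup(label: bytes) -> int:
    """Hash a label into the order-q subgroup: squaring any element of Z_p* lands there."""
    ctr = 0
    while True:
        x = int.from_bytes(hashlib.sha256(label + bytes([ctr])).digest(), "big") % P
        g = pow(x, 2, P)
        if g not in (0, 1):
            return g
        ctr += 1


# Two generators derived from fixed labels (constructed for the demo), so nobody
# knows log_G(H); that unknown relation is what makes the commitment binding.
G = _to_subgroup(b"toy-pedersen-generator-g")
H = _to_subgroup(b"toy-pedersen-generator-h")


def commit(dob: int, blinding: int) -> int:
    """C = G^dob * H^r mod P.  Hiding: r randomises C.  Binding: log_G(H) is unknown."""
    return (pow(G, dob, P) * pow(H, blinding, P)) % P


def issue(dob: int) -> tuple:
    """Issuer side: compute the commitment and split what each party keeps.

    The issuer persists (and would sign) only the commitment; the DOB and the
    blinding factor go to the wallet and are not stored server-side.
    """
    r = random.SystemRandom().randrange(1, Q)
    c = commit(dob, r)
    server_record = {"commitment": c}
    wallet_record = {"dob": dob, "blinding": r, "commitment": c}
    return server_record, wallet_record


def open_commitment(c: int, dob: int, blinding: int) -> bool:
    """Check an opening; the wallet later proves statements about dob against c."""
    return commit(dob, blinding) == c


if __name__ == "__main__":
    server, wallet = issue(19900615)  # constructed sample DOB as YYYYMMDD
    assert "dob" not in server
    assert open_commitment(wallet["commitment"], wallet["dob"], wallet["blinding"])
    assert not open_commitment(wallet["commitment"], wallet["dob"] + 1, wallet["blinding"])
```

The block checks the two properties the page relies on: the same DOB with a fresh blinding factor yields an unrelated commitment (hiding), and an opening with a different DOB or blinding factor fails (binding). After `issue` the server record holds only `c`; the wallet holds `(dob, r)` and can later prove `age >= threshold` about `dob` without revealing it, which is the job the Groth16 circuit does in the real system.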

Security Practices

Cryptographic Security

Algorithms in Production:

  • Groth16 ZK-SNARKs. Zero knowledge proof system (BLS12-381 curve)
  • Pedersen Commitments. Cryptographically hiding commitments to date of birth
  • RedJubjub Signatures. Issuer credential signatures (Jubjub elliptic curve)
  • SHA-256 and Blake2s-256 Hashing. SHA-256 for RP challenge binding; Blake2s-256 for the RP hash (circuit input) and the nullifier
  • SHA-256. PKCE code challenge (S256) and IP address pseudonymisation. Note that an unkeyed SHA-256 of an IPv4 address can be reversed by enumerating the 2^32 address space, so the stored value is a pseudonym only if the hash is keyed (for example HMAC-SHA-256 with a secret key rotated within the retention period); the cryptographic evidence document is the place to confirm which construction is used
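Added example (not Provii's code) for the two SHA-256 uses in the last bullet: the RFC 7636 S256 challenge, and IP pseudonymisation with and without a key. The key, the sample address 203.0.113.77 and the /16 range swept by `reverse_unkeyed` are constructed for the demonstration; whether Provii's IP hash is keyed is not stated on this page.

```python
"""PKCE S256 and keyed vs unkeyed IP pseudonymisation (added illustration, not Provii code)."""
import base64
import hashlib
import hmac
import ipaddress
import secrets
from typing import Optional


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def pkce_verifier(n_bytes: int = 32) -> str:
    """RFC 7636 section 4.1: 43..128 unreserved characters; 32 random bytes -> 43 chars."""
    return _b64url(secrets.token_bytes(n_bytes))


def pkce_challenge_s256(verifier: str) -> str:
    """RFC 7636 section 4.2: code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))."""
    return _b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def pkce_verify(verifier: str, challenge: str) -> bool:
    """Authorisation-server check at the token endpoint, with a constant-time compare."""
    return hmac.compare_digest(pkce_challenge_s256(verifier), challenge)


def ip_hash_unkeyed(ip: str) -> str:
    """Plain SHA-256 of the address: deterministic, but the IPv4 input space is only 2^32."""
    return hashlib.sha256(ip.encode("ascii")).hexdigest()


def ip_hash_keyed(ip: str, key: bytes) -> str:
    """HMAC-SHA-256 with a secret key: without the key the table cannot be enumerated.

    Rotating the key (daily, say) also bounds how long two log entries stay linkable.
    """
    return hmac.new(key, ip.encode("ascii"), hashlib.sha256).hexdigest()


def reverse_unkeyed(target_hex: str, network: str) -> Optional[str]:
    """Recover the address behind an unkeyed hash by enumerating a candidate range.

    A /16 is 65,534 host addresses; all of IPv4 is about 4.3e9 hashes, which is
    minutes of work on one core, so this is an encoding rather than a pseudonym.
    """
    for addr in ipaddress.ip_network(network).hosts():
        if ip_hash_unkeyed(str(addr)) == target_hex:
            return str(addr)
    return None


if __name__ == "__main__":
    v = pkce_verifier()
    assert pkce_verify(v, pkce_challenge_s256(v))
    ip = "203.0.113.77"  # constructed sample (TEST-NET-3)
    recovered = reverse_unkeyed(ip_hash_unkeyed(ip), "203.0.0.0/16")
    assert recovered == ip
    key = b"constructed-demo-key"  # in production: a secret held outside the log store
    assert reverse_unkeyed(ip_hash_keyed(ip, key), "203.0.0.0/16") is None
```

The sweep in `reverse_unkeyed` is the check a reviewer of the logging code should keep in mind when reading the "hashed with SHA-256" claim in the data table: the keyed form is what makes a stored value unlinkable to the address for anyone who obtains the logs alone, and the key should live outside the log store and rotate on a schedule shorter than the 90-day retention.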

Security Status: Production-ready implementation, pending formal third-party audit

Audit Plans:

  • Cryptographic Audit. Will pursue when commercially viable (specialised zero knowledge proof auditing firm)
  • Penetration Testing. Q2 2026 (infrastructure and API security)
  • Annual Security Audits. Ongoing commitment post-launch

Cryptographic Evidence: implementation documentation available at /trust/compliance/evidence/cryptography/crypto-implementation-evidence.md

Infrastructure Security

Provider: Cloudflare

  • Certifications. SOC 2 Type II, ISO 27001, ISO 27701 (supplier-held, via Cloudflare)
  • Architecture. Serverless edge computing (Cloudflare Workers)
  • Availability. 99.99% SLA (Cloudflare’s own infrastructure SLA; Maelstrom AI does not offer a contractual SLA at this tier)
  • DDoS Protection. Enterprise-grade, automatic mitigation
  • Geographic Distribution. Global edge network (300+ cities)

Security Controls:

  • Encrypted data in transit (TLS 1.3) and at rest
  • Automatic TLS certificate management
  • Web Application Firewall (WAF)
  • Rate limiting and bot protection
  • Zero-trust network architecture

Evidence: Infrastructure Evidence (/trust/compliance/evidence/infrastructure/infrastructure-evidence.md)

Development Security

Secure Development Practices:

  1. Multi-Layered Security Scanning:
     • SAST (Static Application Security Testing). Semgrep, CodeQL
     • SCA (Software Composition Analysis). Dependabot, cargo-audit
     • Secrets Scanning. GitHub secret scanning, TruffleHog
     • Runtime Security. Cloudflare Workers sandboxed execution
  2. Supply Chain Security:
     • SLSA Level 3 alignment. Hermetic builds, provenance tracking
     • Dependency Management. Automated updates via Dependabot
     • Lock Files. Cargo.lock and package-lock.json pin exact dependency versions so every build resolves the same dependency tree
     • Vulnerability Monitoring. Daily scans of all dependencies
  3. Code Review:
     • Mandatory Review. All changes require review (no self-merge)
     • Branch Protection. Main branch protected, CI must pass
     • Security Review. Cryptographic changes require specialised review
     • Audit Trail. All changes logged in Git history (public on GitHub)

Evidence: DevOps Evidence (/trust/compliance/evidence/development/devops-evidence.md)


Incident Reporting

Security Incident Disclosure

Policy: Public disclosure of security incidents affecting user privacy

2024-2025 Period:

  • Security Incidents. 0
  • Data Breaches. 0 (no PII to breach)
  • Privacy Violations. 0
  • Service Outages. 0 (pre-production phase)

Why Zero Breaches: Data that is not collected cannot be breached. The Provii zero knowledge architecture is designed to reduce the PII exposure that makes other age verification companies attractive targets.

Reporting: security@maelstrom.au

Disclosure Timeline:

  1. Immediate: Critical vulnerabilities affecting user safety
  2. 48 hours: High-severity security issues
  3. 30 days: Medium/low-severity issues (after patch deployed)

Vulnerability Disclosure

Program: Responsible disclosure policy via security@maelstrom.au

How to Report:

  • Email. security@maelstrom.au
  • PGP Key. Available on website (encrypted reporting for sensitive issues)
  • Anonymous. Tor-friendly disclosure accepted

Our Commitment:

  1. Acknowledgment: Within 48 hours of report
  2. Assessment: Severity rating and fix timeline within 5 business days
  3. Fix Timeline: Based on severity (critical: 7 days, high: 14 days, medium: 30 days)
  4. Public Disclosure: After fix deployed and users protected
  5. Credit: Public acknowledgment of reporter (if desired)

Vulnerabilities Reported (2024-2025):

  • Pre-production phase: No public vulnerability reports received
  • Internal testing: Issues identified and resolved before launch

Vulnerability Reporting:

  • Method. Email security@maelstrom.au
  • Response. Within 48 hours acknowledgment
  • Scope. All Provii services and applications

Compliance Certifications

Current Status

  • ISO 27001:2022. Status: 🔄 In Progress. Implementation: 95%+ controls implemented. Timeline: certification when commercially justified
  • ISO 27701:2019. Status: 🔄 In Progress. Implementation: privacy controls documented. Timeline: post-27001 (when commercially justified)
  • Privacy by Design. Status: ✅ Assessment Complete. Implementation: 5/7 EXEMPLARY, 7/7 IMPLEMENTED. Timeline: completed 2025-11-08
  • GDPR Alignment. Status: ✅ Complete. Implementation: alignment documented (self-assessed). Timeline: self-assessment complete
  • CCPA Alignment. Status: ✅ Complete. Implementation: strong compliance position (self-assessed). Timeline: self-assessment complete
  • NIST 800-63. Status: ✅ Complete. Implementation: IAL2-3, AAL2-3, FAL2-3 alignment (self-assessed). Timeline: self-assessment complete
  • SOC 2 Type I. Status: 🔄 Deferred. Implementation: may pursue alongside or after ISO 27001. Timeline: planned for 2027 subject to customer demand
  • SOC 2 Type II. Status: 🔄 Deferred. Implementation: target for post-revenue growth phase. Timeline: when commercially justified

Legend:

  • ✅ Complete: Documented and verified
  • 🔄 In Progress: Active work underway
  • 📋 Planned: Scheduled for future

Audit Schedule

ISMS Documentation Development:

  • Q1 2025: ISMS documentation completed (ISO 27001:2022, ISO 27701:2019)

Internal Audits:

  • Internal Audit #1: February 2026 (Batch A: ISMS foundation, access control, cryptography)
  • Internal Audit #2: February 2026 (Batch B: Privacy controls, data lifecycle, incident response)
  • Management Review #1: 15 February 2026
  • Future: Quarterly internal audits planned

External Audits: Planned when commercially justified

  • Cryptographic security audit. Zero knowledge proof implementation (when commercially viable)
  • Penetration testing. Infrastructure and API security
  • ISO 27001 certification audit. When commercially justified
  • ISO 27701 certification audit. Post-27001, when commercially justified
  • Annual surveillance audits. Post-certification

Audit Readiness: 95%+ (ISMS documentation complete, evidence collection underway)


Data Subject Rights

How to Exercise Your Rights

Contact: privacy@maelstrom.au

Response Time: 30 days (may extend to 90 days with notification)

Verification: Email verification or cryptographic challenge-response

Rights Available

1. Right to Access

What: Request what data we hold about you

Our Response: “We hold minimal data about you:”

  • IP address (hashed, if within 90-day retention window)
  • Verification timestamps (if recent)
  • No PII. We do not have your name, date of birth, or identity information

How to Exercise: Email privacy@maelstrom.au with your IP address and approximate verification date

2. Right to Deletion

What: Request deletion of your data

Our Response:

  • Automatic Deletion. IP logs auto-deleted after 90 days
  • Expedited Deletion. We can delete your IP logs immediately upon request
  • Wallet Data. Credentials stored locally on your device. Delete the wallet app to erase

How to Exercise: Email privacy@maelstrom.au with deletion request

3. Right to Correction

What: Request correction of inaccurate data

Our Response:

  • IP Addresses. Recorded automatically as observed at the edge, so there is no user-supplied value to correct
  • Date of Birth. Stored in your wallet (update locally, request new credential)
  • No PII on Servers. Nothing to correct server-side

How to Exercise: Typically not applicable (minimal server-side data)

4. Right to Portability

What: Export your data in machine-readable format

Our Response:

  • Wallet Data. Export credentials from wallet (JSON format)
  • Server Data. Minimal (IP logs, timestamps) - can provide in JSON/CSV
  • Note. Most data never leaves your device

How to Exercise: Email privacy@maelstrom.au or use wallet export feature

5. Right to Object

What: Object to processing of your data

Our Response:

  • IP Logging. Necessary for anti-abuse (legitimate interest)
  • You can object. We will assess if processing can stop without compromising service security
  • Alternative. Stop using Provii services (no further data processing)

How to Exercise: Email privacy@maelstrom.au with objection details

2024-2025 Period

Data Subject Access Requests:

  • Access requests: 0 (pre-production phase)
  • Deletion requests: 0
  • Correction requests: 0
  • Portability requests: 0
  • Objection requests: 0

Average Response Time: N/A (no requests received)

Note: Pre-production phase with limited user base. Metrics will be reported post-launch.


Third-Party Disclosures

Service Providers

  • Cloudflare. Purpose: infrastructure, CDN, DDoS protection. Data shared: IP addresses (hashed), zero knowledge proofs (not PII). Protections: SOC 2 Type II, ISO 27001 (supplier-held, via Cloudflare), Data Processing Agreement (DPA)
  • GitHub. Purpose: development, source code hosting, CI/CD. Data shared: source code (public, open source), build logs (no PII). Protections: N/A (public data, no PII)

Contractual Protections:

  • Data Processing Agreements (DPA). In place with Cloudflare
  • Standard Contractual Clauses (SCC). For international data transfers
  • GDPR Compliance. All processors meet EU privacy requirements
  • Audit Rights. Ability to audit subprocessor compliance

Evidence: Vendor Evidence (/trust/compliance/evidence/vendors/third-party-evidence.md)

We Do NOT Share Data With

The following third parties receive no data from Maelstrom AI:

NO DATA SHARED WITH:
❌ Advertisers (no advertising integrations)
❌ Data brokers (no data monetisation)
❌ Marketing companies (no marketing analytics)
❌ Third-party analytics (operational telemetry only, via Cloudflare Workers Logs shipped to Grafana Loki - aggregated, privacy-preserving)
❌ Social media platforms (no tracking pixels)
❌ Affiliate networks (no performance tracking of users)
❌ Credit bureaus (no identity verification partnerships)
❌ Background check services (no identity proofing)

Business Model: Websites pay per verification, issuers receive royalties. No data monetisation required.

Cross-Border Data Transfers

Data Storage Locations:

  • Cloudflare Global Network. Data processed at edge locations worldwide
  • Primary Regions. EU, US, Asia-Pacific (auto-routed to nearest edge)
  • Data Residency. Configurable per deployment (EU-only option available)

Legal Mechanisms:

  • Standard Contractual Clauses (SCC). EU Commission-approved clauses for international transfers
  • GDPR Article 49. Necessary for service delivery
  • Minimal Risk. No PII transferred (only IP addresses and cryptographic proofs)

Evidence: Privacy Architecture Evidence (Cross-Border Transfer section)


Law Enforcement Requests

2024-2025 Period

Requests Received: 0

Data Provided: 0

Reasons:

  • Pre-production phase (limited user base)
  • No PII stored (nothing meaningful to provide)
  • Age verification data not typically subject to legal requests

Our Policy

Legal Process Required:

  • Valid court order, subpoena, or warrant
  • Jurisdiction verification
  • Narrow scope (specific users, time periods)
  • Legal review before compliance

What We Can Provide:

  • IP addresses (if within 90-day retention window)
  • Verification timestamps
  • Challenge records (if recent)
  • Cannot Provide. Names, addresses, dates of birth (not collected)

User Notification:

  • Notify affected users when legally permitted
  • Sealed court orders: Notify after seal lifted
  • National security letters: Transparency to extent allowed by law

Transparency Commitment:

  • Publish aggregate statistics annually
  • Disclose types of requests (civil, criminal, national security)
  • Report number of users affected

Principles

  1. Minimise Disclosure: Provide only what is legally required
  2. Challenge Overbroad Requests: Push back on fishing expeditions
  3. User Rights First: Protect user privacy to fullest extent of law
  4. Transparency: Disclose requests unless legally prohibited

Changes to Privacy Practices

2024-2025 Period

Material Changes: None

Minor Updates:

  • Privacy by Design assessment completed (2025-11-08)
  • CCPA compliance statement finalised (2025-11-08)
  • NIST 800-63 alignment documented (2025-11-08)
  • Transparency report published (2025-11-08)

Change Management Policy

Material Changes (require user notification):

  • New categories of PII collected
  • Changes to data retention periods (beyond 90 days)
  • New third-party data sharing arrangements
  • Changes to cryptographic protocols affecting privacy

Notification Process:

  1. 30-day advance notice before implementation
  2. Email notification to users (if email addresses collected - currently N/A)
  3. Prominent website notice on privacy policy page
  4. Changelog published in transparency report

User Rights:

  • Opt-out. Users can delete wallets and stop using service before changes take effect
  • Continued Use. Constitutes acceptance of updated practices
  • Grandfathering. Existing credentials not retroactively affected

Immaterial Changes (no notification required):

  • Clarifications to privacy policy language
  • Organisational changes (address, contact info)
  • Enhanced privacy protections
  • Bug fixes

Change Log

  • 2025-11-08. Transparency report published. Type: Enhancement. User impact: increased transparency
  • 2025-11-08. Privacy by Design assessment complete. Type: Enhancement. User impact: demonstrated privacy excellence
  • 2024-12-15. ISMS documentation published. Type: Enhancement. User impact: public security documentation
  • 2024-10-01. Initial privacy policy published. Type: New. User impact: established baseline privacy practices

Independent Verification

How to Verify Our Claims

Maelstrom AI’s transparency enables independent verification of all privacy and security claims:

1. Review Source Code (GitHub)

What to Check:

  • Cryptographic implementation (zero knowledge proofs)
  • Data flows (confirm no PII transmission)
  • Logging practices (IP hashing, data minimisation)
  • API endpoints (verify what data is collected)

Where: GitHub repositories (public)

Tools:

  • Static Analysis. Semgrep, CodeQL (same tools we use)
  • Manual Review. Read the code directly
  • Security Researchers. Engage experts to audit

2. Review ISMS Documentation

What to Check:

  • Security policies (alignment with best practices)
  • Risk register (identified threats and mitigations)
  • Control implementation (evidence of security controls)
  • Compliance documentation (GDPR, CCPA, ISO 27001)

Where: /trust/ (GitHub branch: docs/iso27001-isms)

Published At: maelstrom.au/trust

3. Cryptographic Verification

What to Check:

  • Zero knowledge proof circuits (confirm privacy properties)
  • Cryptographic protocols (verify soundness)
  • Key management (validate secure practices)

Audit: Will pursue third-party cryptographic audit when commercially viable

Current Status: Production-ready implementation, documentation available

4. Infrastructure Verification

What to Check:

  • Cloudflare Certifications. SOC 2, ISO 27001 publicly available
  • Network Inspection. Use browser dev tools to see what data is transmitted
  • TLS Verification. Confirm encrypted connections (TLS 1.3)

Evidence: Published Cloudflare compliance reports

Community Security Reviews

Encouraged Activities:

  • Code Audits. Review cryptographic implementation
  • Privacy Analysis. Verify zero knowledge claims
  • Security Testing. Test for vulnerabilities (responsibly disclosed)
  • Documentation Review. Check for inconsistencies or gaps

How to Contribute:

  • GitHub Issues. Report findings publicly (for non-sensitive issues)
  • Security Email. security@maelstrom.au (for vulnerabilities)
  • Pull Requests. Suggest improvements to documentation or code

Recognition:

  • Public acknowledgment in security advisories (if desired)
  • Listed in transparency report contributors section

Vulnerability Disclosure Programme

Responsible Disclosure

Maelstrom AI operates a responsible disclosure programme. Security researchers are encouraged to report vulnerabilities via security@maelstrom.au.

Safe Harbour: Researchers who comply with responsible disclosure practices are protected from legal action for good faith security research. We will not pursue legal action against researchers who responsibly disclose vulnerabilities.


Contact Information

General Inquiries

Email: hello@provii.app
Website: provii.app
Documentation: docs.provii.app

Security Issues

Email: security@maelstrom.au
PGP Key: Available on website for encrypted communication
Response Time: 48 hours acknowledgment

Privacy Requests

Email: privacy@maelstrom.au
Data Subject Rights: Access, deletion, correction, portability
Response Time: 30 days (may extend to 90 days with notice)

Data Protection Officer (DPO)

Status: To be appointed (required when GDPR processing reaches threshold)
Current: Privacy Officer handles privacy matters
Contact: privacy@maelstrom.au

Compliance Questions

Email: compliance@provii.app
Topics: Certifications, audit requests, regulatory questions


Future Transparency Initiatives

Planned Enhancements

1. Real-Time Transparency Dashboard

Timeline: Q2 2026

Metrics to Display:

  • Verifications performed (aggregated, no user data)
  • Service uptime and availability
  • Average response times
  • Security incidents (if any)
  • Law enforcement requests (aggregated)
  • Data subject access requests received/resolved

Why: Proactive transparency builds trust

2. Quarterly Transparency Reports

Timeline: Ongoing (starting Q1 2026)

Content:

  • Security metrics (incidents, vulnerabilities)
  • Privacy metrics (requests, complaints)
  • Service metrics (uptime, performance)
  • Compliance updates (certifications, audits)
  • Legal requests (aggregated statistics)

Format: Published blog posts + machine-readable JSON

3. Public Audit Reports

Timeline: As audits completed (starting Q2 2026)

What We’ll Publish:

  • Penetration test executive summaries
  • Certification status updates

Why: Third-party validation of our security claims

4. Community Security Reviews

Timeline: Q2 2026 (post-launch)

Initiatives:

  • Responsible disclosure. security@maelstrom.au
  • Community audits. Facilitate independent security reviews
  • Documentation contributions. Welcome improvements via GitHub

Why: Many eyes make security and privacy stronger

5. Privacy-Preserving Analytics

Timeline: Q2 2026

Commitment:

  • No user-level tracking or analytics
  • Only aggregate, anonymised metrics
  • Cloudflare Workers Logs (shipped to Grafana Loki, privacy-preserving)
  • No third-party analytics providers

Published Metrics:

  • Total verifications performed
  • Geographic distribution (country-level only)
  • Issuer adoption metrics
  • Verifier integration statistics

Conclusion

Transparency as a Core Principle

Most age verification companies treat transparency as a risk. Maelstrom AI treats it as a foundational commitment:

Traditional Approach:

  • “Trust us” - Closed source, confidential security practices
  • Privacy policies full of legalese and caveats
  • Security through obscurity
  • Compliance as checkbox exercise

Our Approach:

  • “Verify us” - Open source, public ISMS, documented architecture
  • Privacy properties backed by cryptographic design (zero knowledge proofs)
  • Security through transparency and peer review
  • Compliance as demonstration of values

What Sets Us Apart

  1. Open Source Everything: Code, documentation, compliance materials, all public
  2. Zero knowledge Architecture: Privacy is enforced by cryptographic design, not policy alone
  3. Radical Transparency: Security practices openly documented and reviewable
  4. Independent Verification: Anyone can audit our claims
  5. Community Engagement: Responsible disclosure with public credit, community security reviews, public discussions

Our Invitation

We invite security researchers, privacy advocates, and users to:

  • Review our code on GitHub
  • Audit our architecture using published documentation
  • Test our claims through independent verification
  • Report vulnerabilities through responsible disclosure
  • Hold us accountable to our transparency commitments

Vision

Maelstrom AI aims to set a new standard for transparency in age verification, demonstrating that privacy, security, and openness are complementary, not competing objectives.

Goal: Establish the Provii platform as a transparent, independently verifiable age verification system.


Appendix: Transparency Metrics

2024-2025 Transparency Scorecard

  • Open Source Code. ✅ Yes. All core repositories public on GitHub
  • Public ISMS. ✅ Yes. 9,500+ lines of security documentation published
  • Published Architecture. ✅ Yes. Complete system architecture, data flows, trust model
  • Compliance Documentation. ✅ Yes. GDPR, CCPA, ISO 27001, Privacy by Design, NIST 800-63
  • Privacy Policy Transparency. ✅ Yes. Clear, publicly available
  • Security Incident Disclosure. ✅ Policy Established. Public disclosure commitment (0 incidents to date)
  • Vulnerability Disclosure. ✅ Active. Responsible disclosure programme operational via security@maelstrom.au
  • Third-Party Audits. 🔄 Planned. Penetration testing scheduled post-launch; crypto audit when commercially viable
  • Transparency Reports. ✅ First Report Published. Quarterly reports planned starting Q1 2026
  • Data Subject Requests. ✅ Process Documented. 30-day response commitment
  • Law Enforcement Transparency. ✅ Policy Published. Aggregate statistics, user notification commitment

Legend:

  • ✅ Achieved
  • 🔄 In Progress
  • 📋 Planned

What We Measure

Security Transparency:

  • Lines of public security documentation: 9,500+
  • Open source repositories: 11+
  • Security policies published: 15+
  • Compliance standards documented: 8+

Privacy Transparency:

  • Categories of PII collected: 1 (IP addresses only)
  • Data retention: IP addresses ~90 days; critical security events up to 365 days
  • Third-party data sharing: 2 service providers (Cloudflare, GitHub)
  • User tracking: 0 (no persistent identifiers)

Operational Transparency:

  • Security incidents: 0
  • Data breaches: 0 (no PII to breach)
  • Law enforcement requests: 0
  • Data subject access requests: 0 (pre-production)

Report Period: 2024-2025 (Pre-Production Phase)
Next Report: January 2026 (covering first operational quarter)
Questions: transparency@provii.app


Document Information

Version: 1.0
Published: 2025-11-08
Author: Maelstrom AI
Classification: Public
Next Update: Quarterly (starting Q1 2026)
Feedback: transparency@provii.app

Revision History

  • Version 1.0 (2025-11-08), Maelstrom AI: Initial transparency report