ISMS Scope Statement

Boundaries and applicability of the Information Security Management System

Purpose

This document defines the scope of Maelstrom AI’s Information Security Management System (ISMS) in accordance with ISO/IEC 27001:2022. It establishes clear boundaries for what is included and excluded from our security management practices.

Organisation

Legal Entity: Maelstrom AI Pty Ltd ATF Maelstrom AI Holding Trust

Trading As: Provii

Industry: Privacy-preserving identity verification technology

Primary Service: Zero knowledge proof age verification platform

ISMS Scope

Service Scope

Our ISMS covers the end-to-end lifecycle of the Provii age verification platform:

Design & Development

Cryptographic protocol design, software architecture, security engineering, and implementation of zero knowledge proof systems

Deployment & Release

Build automation, artifact signing, supply chain security, and release management for all platform components

Operation & Maintenance

Service monitoring, incident response, infrastructure management, and ongoing security operations for production services

Support & Improvement

Customer support, bug fixes, security patches, and continuous improvement of security controls

Technical Scope

The ISMS covers these technical components:

Component | Description | Technology
--- | --- | ---
provii-crypto | Cryptographic primitives, ZKP circuits, proving/verification logic (13 crates) | Rust workspace
provii-verifier | Cloudflare Worker for proof verification, challenge management | Rust/WASM
provii-issuer | Cloudflare Worker for credential issuance, officer authentication | Rust/WASM
provii-verifier (hosted mode) | Hosted verification routes for simple website integrations (merged into provii-verifier) | Rust/WASM
provii-mobile-sdk | Cross-platform mobile SDK (Rust core + UniFFI bindings, 5 crates) | Rust/Swift/Kotlin
provii-mobile | Reference mobile wallet application (Provii mobile wallet client repository under the MaelstromAI GitHub enterprise) | iOS/Android
shared-rate-limit | Shared rate limiting library (archived; replaced by per-service KV counters) | Rust/TypeScript
provii-agegate | Browser SDK for relying parties | TypeScript
agegate-rust | Native SDK for server-side integrations | Rust
admin-portal | Internal administration web portal | TypeScript
shared-portal-lib | Shared UI components for portal applications | TypeScript
provii-management | Cloudflare Worker for internal platform management | TypeScript
provii-credit-management | Cloudflare Worker for verification credit tracking and billing | TypeScript
provii-status | Status monitoring Cloudflare Worker | TypeScript
provii-website | Public marketing website | TypeScript (Astro)
provii-docs | Public developer documentation | TypeScript
provii-demos | Integration demo applications (19 ecosystems) | Multi-language

In-Scope Route Prefixes and Origins

In addition to the components above, the following route prefixes and origins form part of the ISMS technical scope:

Prefix / Origin | Purpose | Trust Boundary
--- | --- | ---
docs.provii.app/api/* | Docs sandbox gateway route prefix served by the provii-demos/demo-web-provii-agegate Worker. Backs the interactive developer onboarding surface on docs.provii.app. | Sandbox-only. Disjoint from playground handler. Narrowed DocsEnv binding set (no DEMO_TOKEN_SECRET, no playground KVs).
preview.docs-sandbox.provii.app | Styler iframe origin used to render interactive widgets inside the developer documentation surface. | Sandbox-only. CORS-pinned via dedicated ALLOWED_DOCS_ORIGINS list, distinct from the playground origin allowlist.
maelstrom.au/trust/* | Canonical path for the published ISMS corpus, served from the Maelstrom AI Trust Centre. | Public read-only surface.

Infrastructure Scope

Our ISMS covers security for these infrastructure elements:

Cloudflare Services:

  • Workers (edge compute environment for all API and web services)
  • KV namespaces (distributed key-value storage)
  • Durable Objects (stateful edge compute for sessions, idempotency)
  • Workers Static Assets (CDN for static website assets)
  • Secrets Store (encrypted secret management)
  • Workers Logs (structured console.log JSON shipped to Grafana Loki for metrics and observability)

Multi-prefix Worker topology: The provii-demos/demo-web-provii-agegate Worker now serves two disjoint route prefixes with separate trust boundaries. The legacy playground surface handles the public demo origins, while the docs gateway handler binds only to docs.provii.app/api/* with a narrowed environment type, dedicated KV namespaces (DOCS_SESSIONS, SANDBOX_DOCS_ISSUERS, SANDBOX_MOBILE_ISSUERS), and an independent CORS allowlist. Cross-surface state sharing is not permitted and is enforced by per-handler module-scoped caches, separate service bindings, and an early-dispatch host-and-path guard in the Worker entry point.
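To make the isolation described above concrete, the following is an added TypeScript example (not the project's own Worker code) of an early-dispatch host-and-path guard that hands the docs gateway only a narrowed binding set and checks each surface against its own origin allowlist. The playground binding names other than DEMO_TOKEN_SECRET, the comma-separated allowlist format and the demo hostname are assumptions made for this example.

```typescript
type KVNamespace = { get(key: string): Promise<string | null> }; // minimal stand-in for the Workers KV type

// Full binding set of the multi-prefix Worker (playground names other than DEMO_TOKEN_SECRET are assumed).
export interface Env {
  DEMO_TOKEN_SECRET: string;
  PLAYGROUND_SESSIONS: KVNamespace;
  ALLOWED_PLAYGROUND_ORIGINS: string;
  DOCS_SESSIONS: KVNamespace;
  SANDBOX_DOCS_ISSUERS: KVNamespace;
  SANDBOX_MOBILE_ISSUERS: KVNamespace;
  ALLOWED_DOCS_ORIGINS: string;
}
// Narrowed environment type for the docs gateway: no DEMO_TOKEN_SECRET, no playground KVs.
export type DocsEnv = Pick<Env, "DOCS_SESSIONS" | "SANDBOX_DOCS_ISSUERS" | "SANDBOX_MOBILE_ISSUERS" | "ALLOWED_DOCS_ORIGINS">;
export type Surface = "docs" | "playground" | "reject";

// Copy only the allowlisted bindings; the docs handler never receives the full Env object.
export function narrowToDocsEnv(env: Env): DocsEnv {
  const { DOCS_SESSIONS, SANDBOX_DOCS_ISSUERS, SANDBOX_MOBILE_ISSUERS, ALLOWED_DOCS_ORIGINS } = env;
  return { DOCS_SESSIONS, SANDBOX_DOCS_ISSUERS, SANDBOX_MOBILE_ISSUERS, ALLOWED_DOCS_ORIGINS };
}

// Early-dispatch guard: the surface is decided from host and path alone, before any
// handler or module-scoped cache is touched. Anything matching neither prefix is rejected.
export function selectSurface(url: string, playgroundHosts: readonly string[]): Surface {
  const u = new URL(url);
  if (u.hostname === "docs.provii.app") {
    return u.pathname === "/api" || u.pathname.startsWith("/api/") ? "docs" : "reject";
  }
  return playgroundHosts.includes(u.hostname) ? "playground" : "reject";
}

// Each surface checks Origin against its own comma-separated allowlist (list format assumed).
export function originAllowed(origin: string | null, allowlist: string): boolean {
  return origin !== null && allowlist.split(",").map((s) => s.trim()).includes(origin);
}

// Returns which handler would run and the exact binding names it is handed.
export function dispatch(url: string, origin: string | null, env: Env, playgroundHosts: readonly string[]): { surface: Surface; bindings: string[] } {
  const surface = selectSurface(url, playgroundHosts);
  if (surface === "docs") {
    const docsEnv = narrowToDocsEnv(env);
    if (!originAllowed(origin, docsEnv.ALLOWED_DOCS_ORIGINS)) return { surface: "reject", bindings: [] };
    return { surface, bindings: Object.keys(docsEnv).sort() };
  }
  if (surface === "playground" && originAllowed(origin, env.ALLOWED_PLAYGROUND_ORIGINS)) {
    return { surface, bindings: Object.keys(env).sort() }; // legacy handler keeps the full Env
  }
  return { surface: "reject", bindings: [] };
}
```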

GitHub:

  • Source code repositories
  • CI/CD workflows (GitHub Actions)
  • Release artifact hosting
  • Issue and project management

Build & Release Infrastructure:

  • GitHub-hosted runners (ephemeral build environments)
  • Sigstore services (Fulcio, Rekor) for artifact signing
  • npm registry (JavaScript package distribution)

Organisational Scope

Team Structure: Fully remote, lean team structure focused on security-first development

Key Roles:

  • ISMS Owner (strategic accountability, policy approval, risk acceptance)
  • Developer (development, operations)
  • Security Lead (security controls, auditing)

Note: In our lean structure, individuals may hold multiple roles. All role-based security controls remain effective regardless of team size.

Geographic Scope

Primary Operations: Australia

Service Delivery: Global (Cloudflare edge network spans 300+ cities worldwide)

Data Residency:

  • No PII storage (zero knowledge architecture)
  • Infrastructure metadata resides in Cloudflare’s distributed network
  • Audit logs stored in Cloudflare KV (globally replicated)

What’s Included

Assets

Information Assets
  • Source code for all platform components
  • Cryptographic key material (signing keys, verification keys)
  • API authentication secrets (HMAC keys, API keys)
  • Configuration data (KV namespace contents)
  • Audit logs and operational metrics
  • Documentation and architectural diagrams
  • Cryptographic parameters (proving/verification keys)
Technology Assets
  • Cloudflare Workers and associated services
  • GitHub repositories and workflows
  • Developer workstations
  • Build and deployment pipelines
  • CDN infrastructure
  • Mobile application artifacts
Human Resources
  • All ISMS roles (ISMS Owner, Security Lead, Developer) held by the sole operator at present
  • Contractors (when engaged)
  • External security auditors (when engaged)

Processes

  • Secure software development lifecycle (SDLC)
  • Cryptographic key generation and management
  • Incident detection and response
  • Vulnerability management and patching
  • Access control and authentication
  • Change management and deployment
  • Backup and recovery procedures
  • Security monitoring and logging
  • Internal audit program
  • Risk assessment and treatment

Third-Party Dependencies

  • Cloudflare platform services
  • GitHub platform and GitHub Actions
  • Open-source cryptographic libraries
  • npm platform dependencies
  • Rust crate dependencies

See Risk Management for how we assess third-party risks.

What’s Excluded

Out of Scope Services

The following are explicitly NOT covered by this ISMS:

Data Explicitly Out of Scope

Physical Security

Our cloud-native, fully remote model means traditional physical security (office buildings, data centres) is managed by our service providers:

  • Cloudflare manages data centre physical security
  • GitHub manages their infrastructure physical security
  • Team members secure their own remote workspaces (per Acceptable Use Policy)

Boundary Conditions

Shared Responsibility Model

Responsibility | Maelstrom AI | Cloudflare | End Users | Relying Parties
--- | --- | --- | --- | ---
Platform code security | | | |
Infrastructure security | | | |
Cryptographic key security | | | |
Data centre physical security | | | |
Device security | | | |
Integration security | | | |
Credential storage on devices | | | |
API key security | | | |

Interface Points

Security boundaries at interface points:

  1. User → Wallet App: User controls device; we control app logic
  2. Wallet → Issuer API: HTTP/3 (QUIC) + HMAC authentication for officer flows; Ed25519 attestation for trust-based issuance
  3. Wallet → Verifier API: HTTP/3 (QUIC) + ZK proof submission (no client authentication required)
  4. Relying Party → Verifier API: HTTPS + API key + HMAC-SHA256 request signing
  5. Relying Party → Verifier Hosted Mode: HTTPS + pk_ key authentication + Origin validation
  6. Developer → GitHub: SSH keys + 2FA + branch protection
  7. CI/CD → Cloudflare: API tokens with minimal permissions
  8. Cloudflare Workers → KV/DO: Internal Cloudflare bindings

Dependencies on External Parties

Critical Dependencies

Cloudflare

Service Level: Enterprise-grade edge platform

What We Depend On:

  • High availability and uptime (best-effort; no contractual SLA at current tier)
  • DDoS protection
  • TLS/SSL termination
  • Global edge distribution
  • Data replication for KV/Durable Objects

Risk Mitigation: Cloudflare’s scale and redundancy provide inherent resilience. See Business Continuity.

GitHub

Service Level: GitHub Enterprise Cloud

What We Depend On:

  • Source code hosting
  • CI/CD infrastructure (GitHub Actions)
  • Artifact distribution (GitHub Releases)
  • Access control and authentication

Risk Mitigation: Code is backed up locally; mirrors can be established if needed. The ISMS Owner holds admin access.

Review and Updates

This scope statement is reviewed:

  • Annually, as part of the quarterly management review cycle
  • When significant changes occur (new services, major infrastructure changes, acquisitions)
  • After security incidents that may affect scope boundaries
  • Prior to certification audits

Changes to scope require approval from the ISMS Owner.



Document Information

  • Version: 1.2
  • Effective Date: 2025-01-13
  • Last Updated: 2026-05-21
  • Owner: ISMS Owner
  • Review Frequency: Annually
  • Next Review: 2026-11-21
  • Classification: Public
  • Approved By: ISMS Owner