Security & Compliance Overview

Maelstrom AI's transparent security program and ISO 27001:2022 ISMS for the Provii zero knowledge age verification platform

Public

Our Security Philosophy

Maelstrom AI is built on a foundation of security by design and radical transparency. We believe that real security comes from sound cryptographic principles, defence in depth, and open scrutiny, not from hiding implementation details.

Our zero knowledge age verification service is designed to verify age without requiring Maelstrom AI-operated services to collect or store any personally identifiable information (PII). This isn’t just a privacy feature; it’s our entire security model.

What We Protect

Since our operational services minimise PII processing (DOB is processed ephemerally during issuance only and never persisted), our security program focuses on protecting:

  1. Cryptographic integrity - Ensuring proof verification is mathematically sound
  2. Service availability - Maintaining uptime for age verification services
  3. Credential security - Protecting signing keys and credential issuance processes
  4. Operational security - Securing development, deployment, and operational infrastructure
  5. Supply chain security - Ensuring artifacts you download haven’t been tampered with

Our ISMS Scope

Organisation: Maelstrom AI Pty Ltd ATF Maelstrom AI Holding Trust

Service: Design, development, deployment, operation, maintenance, and support of the zero knowledge proof age verification platform

Infrastructure:

  • Cloudflare Workers (edge computing)
  • Cloudflare KV & Durable Objects (state management)
  • GitHub (source control, CI/CD)
  • Cloudflare Workers Assets (static site serving)

Data Handling:

  • PII. During credential issuance, a date of birth is transmitted to the issuer API where a Pedersen commitment is computed server-side; the raw DOB is immediately discarded and never persisted to storage. During age verification, no personal information is collected or transmitted.
  • IP Addresses. Retained for 90 days in audit logs for anti-abuse and diagnostics. Standard audit log entries are retained for 90 days. Critical security events (such as detected attacks, replay attempts, and IP blocks) are retained for up to 365 days to support security investigation.
  • Cryptographic Proofs. Ephemeral verification, no long-term storage

Security Program Structure

Our Information Security Management System (ISMS) comprises:

Risk Management

Risk assessment methodology and documented risk register

Security Controls

ISO 27001 Annex A controls implementation (93 controls)

Operational Security

Incident response, business continuity, change management

Compliance & Audit

Internal audit program and evidence tracking

Key Security Features

Zero knowledge Architecture

Our Groth16 zero knowledge proofs are designed so that age verification happens without revealing any personal information. See the trust model for details.

Supply Chain Security

Our supply chain targets SLSA Level 3 provenance with:

  • Hermetic builds on ephemeral infrastructure
  • Cryptographic signing via Sigstore
  • Non-falsifiable provenance attestations
  • Transparency logging in Rekor

Edge Security

Cloudflare Workers provide:

  • Global DDoS protection
  • Edge-based rate limiting
  • Automatic TLS termination
  • Isolated execution environments

Cryptographic Assurance

Our cryptography stack includes:

  • Groth16 proofs on BLS12-381 curve
  • RedJubjub signatures for credential issuance
  • BLAKE2/SHA256 for hashing and commitments
  • Battle-tested libraries: bellman, bls12_381, jubjub

See provii-crypto for implementation details.

Regulatory Compliance

Australian Privacy Act 1988: Our zero knowledge architecture minimises personal information processing. DOB is processed ephemerally during issuance only, significantly simplifying compliance obligations.

GDPR Considerations: While not directly subject to GDPR (no EU establishment or EU data processing), our architecture would provide strong privacy protection for EU users through data minimisation.

Transparency Principles

This entire ISMS is public because:

  1. We have nothing to hide - Minimal PII processing means minimal sensitive data to protect through obscurity
  2. Open scrutiny improves security - Public review helps identify weaknesses
  3. Trust through verification - You can verify our claims by reviewing our code and processes
  4. Industry leadership - We want to set an example for privacy-preserving services

Getting Started

Understand our scope

Review the ISMS Scope Statement to understand what’s covered

Review security controls

See the Statement of Applicability for how we implement ISO 27001 controls

Check operational procedures

Review procedures for incident response, business continuity, and change management

Verify our security

Use our artifact verification guide to cryptographically verify the software you download

Security Contact

Security Issues: For responsible disclosure of security vulnerabilities, email security@maelstrom.au (private, confidential)

General Questions: Open a discussion on GitHub Discussions

Document Information

  • Version. 1.1
  • Last Updated. 2026-02-16
  • Owner. ISMS Owner
  • Review Frequency. Annually
  • Classification. Public