Security isn't a feature. It's the product.
EngineeringID is built to make a single promise believable: this seal is real, this document is unaltered, and this is the licensed professional behind it. Every layer below exists to keep that promise.
AES-256-GCM
at rest
TLS 1.3
in transit
X.509 PKI
document signing
RFC 3161
timestamps
Hash chain
audit log
SOC 2 Type II
ready
Our commitments
Nine things we promise — and how we keep each one
Each commitment is a line we won't cross, paired with the specific architecture that holds it. Click through any one to see the implementation.
Confidentiality
Your data is unreadable to anyone but you
Every document is encrypted with AES-256-GCM at rest and TLS 1.3 in transit. Hybrid RSA + symmetric encryption with post-quantum Kyber KEM readiness.
Authentication
Only you can apply your seal
TOTP-based multi-factor authentication is required for every sealing operation. A compromised password alone cannot produce a valid seal.
Session integrity
Every device is known and revocable
Device fingerprinting, geolocation tracking, and a real-time security event log let you trust any session — and revoke compromised ones instantly.
Document integrity
Every seal is mathematically tamper-evident
SHA-256 content hashes, X.509 PKI digital signatures, RFC 3161 trusted timestamps, and PDF/A archival format. Any byte change invalidates the seal.
Provenance
Every action is permanently provable
A cryptographic hash chain links every audit event to the one before it. Tampering with a single record invalidates the entire downstream chain.
Identity federation
Your IdP remains the source of truth
SAML 2.0 and OIDC single sign-on, JIT user provisioning, JWKS rotation, and email-domain auto-provisioning. Membership decisions stay with your IdP.
API surface
Programmatic access is locked down by default
API keys are SHA-256 hashed at rest (raw value never persisted). Per-key permissions, IP CIDR allow-lists, rate limits, and atomic rotation.
Key custody
Bring your own keys — coming soon
AWS KMS-backed signing keeps your private signing material in your AWS account. We never see, store, or have access to plaintext key material.
Operational trust
We meet you at industry standards
SOC 2 Type II ready, 99.9% uptime SLA on Enterprise, regional data residency, and routine third-party penetration testing.
Cryptographic standards
No proprietary crypto, ever
Every primitive is a publicly reviewed, NIST or IETF-standardized algorithm.
AES-256-GCM
NIST SP 800-38D
TLS 1.3
RFC 8446
RSA-OAEP-4096
RFC 8017
SHA-256
NIST FIPS 180-4
RSA-PSS / X.509
RFC 5280
RFC 3161 (DigiCert)
IETF
HMAC-SHA256
RFC 2104
SHA-256 hash chain
Merkle-style
Defense in depth
No single point of compromise
Compromising one layer doesn't compromise the seal. Each layer enforces a distinct invariant.
Identity
Federated SSO, Session-level MFA, device fingerprinting
Authorization
37 granular permissions, custom role inheritance, scope-based gates
Transport
TLS 1.3 with HSTS, certificate pinning on mobile
Data
AES-256-GCM at rest, encrypted credentials, encrypted signing keys
Document
SHA-256 hash, X.509 signature, RFC 3161 timestamp, PDF/A archival
Audit
Hash-chained log, NIF-verified integrity, immutable record retention
Responsible disclosure
Found a security issue? We want to hear from you. Send the details to [email protected].
- Acknowledgement within 24 hours
- Critical fixes shipped within 72 hours
- Public credit on our security page (with permission)
- Safe harbor for good-faith research
Security you can verify, not just trust
Every claim on this page is backed by a public algorithm, an open standard, or a third-party attestation.