Tessera
Security

Security and compliance you can verify

We build trust infrastructure. That means our own security practices must be at least as rigorous as the credentials we help you issue and verify.

Encryption

In Transit

  • TLS 1.3 for all API connections
  • HSTS with preload enabled
  • Certificate transparency logging
  • No support for deprecated cipher suites

At Rest

  • AES-256 encryption for all cryptographic keys
  • Active Record Encryption, with its keys derived from RAILS_MASTER_KEY
  • Database-level encryption for sensitive fields
  • Encrypted backups with separate key management

Key Management

Cryptographic keys are the foundation of verifiable credentials. Every credential Tessera issues is signed with a key that is generated, stored, and used under strict controls.

Key Generation

  • Keys generated with OpenSSL's CSPRNG
  • Support for EC P-256, P-384, and RSA-2048+ key types
  • Per-tenant key isolation — no shared signing keys
  • Automatic key rotation policies

Key Storage

  • Private keys encrypted with AES-256 before database storage
  • Key material never exposed in API responses
  • Key access logged in the audit trail
  • Configurable key backends for enterprise requirements
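The pattern behind "private keys encrypted with AES-256 before database storage", shown as an added example in plain Ruby (openssl only). This is not Tessera's code: it assumes a master key supplied out of band (modelled as a constructed 32-byte value where a Rails app would use RAILS_MASTER_KEY), a plain Hash standing in for the database row, and a per-tenant key-encryption key derived with HKDF, which is an assumption about how the page's "per-tenant key isolation" might be realised.

```ruby
# Added example, not Tessera's code: wrapping a per-tenant signing key with
# AES-256-GCM before it is written to the database, so the row never holds
# plaintext key material. Tenant id and key id are bound as AAD, so a
# ciphertext copied into another tenant's row fails authentication.
require 'openssl'

# Constructed demo master key. In deployment this comes from the secret store
# (for Rails, the credentials unlocked by RAILS_MASTER_KEY), never from source.
DEMO_MASTER_KEY = OpenSSL::Digest::SHA256.digest('constructed-demo-master-key')

# Derive a distinct key-encryption key (KEK) per tenant from the master key
# (HKDF, RFC 5869) so one tenant's KEK cannot unwrap another tenant's keys.
def tenant_kek(master_key, tenant_id)
  OpenSSL::KDF.hkdf(master_key, salt: 'signing-key-wrap', info: "tenant:#{tenant_id}",
                    length: 32, hash: 'SHA256')
end

# Encrypt the PEM-encoded private key; returns the columns the DB row would hold.
def wrap_private_key(master_key, tenant_id, kid, private_pem)
  cipher = OpenSSL::Cipher.new('aes-256-gcm').encrypt
  cipher.key = tenant_kek(master_key, tenant_id)
  iv = cipher.random_iv                      # fresh 12-byte nonce for every wrap
  cipher.auth_data = "#{tenant_id}|#{kid}"   # authenticated, not encrypted
  ciphertext = cipher.update(private_pem) + cipher.final
  { 'tenant_id' => tenant_id, 'kid' => kid, 'alg' => 'A256GCM',
    'iv' => [iv].pack('m0'), 'ct' => [ciphertext].pack('m0'),
    'tag' => [cipher.auth_tag].pack('m0') }
end

# Decrypt a row; raises OpenSSL::Cipher::CipherError if the ciphertext, tag,
# tenant id or kid were altered after wrapping.
def unwrap_private_key(master_key, row)
  cipher = OpenSSL::Cipher.new('aes-256-gcm').decrypt
  cipher.key = tenant_kek(master_key, row['tenant_id'])
  cipher.iv = row['iv'].unpack1('m0')
  cipher.auth_tag = row['tag'].unpack1('m0')
  cipher.auth_data = "#{row['tenant_id']}|#{row['kid']}"
  cipher.update(row['ct'].unpack1('m0')) + cipher.final
end

# Non-raising form: the PEM on success, nil when the integrity check fails.
def try_unwrap(master_key, row)
  unwrap_private_key(master_key, row)
rescue OpenSSL::Cipher::CipherError
  nil
end

if __FILE__ == $PROGRAM_NAME
  pem = OpenSSL::PKey::EC.generate('prime256v1').to_pem          # constructed tenant key
  row = wrap_private_key(DEMO_MASTER_KEY, 'tenant-a', 'tenant-a-2024-06', pem)
  puts "stored row holds PEM text: #{row.values.any? { |v| v.include?('PRIVATE KEY') }}"
  puts "round trip ok: #{try_unwrap(DEMO_MASTER_KEY, row) == pem}"
  puts "moved to tenant-b: #{try_unwrap(DEMO_MASTER_KEY, row.merge('tenant_id' => 'tenant-b')).inspect}"
end
```

The audit-trail and "never in API responses" bullets are outside this snippet: the row returned by `wrap_private_key` is what may be persisted, and only the public half of the key (derived from the unwrapped PEM at signing time) should ever leave the service.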

Infrastructure

Network

All services run in isolated Docker containers on dedicated infrastructure. No shared hosting. Internal services communicate over private Docker networks.

Data Residency

Infrastructure hosted in Europe. All credential data, cryptographic keys, and audit logs remain within EU jurisdiction. No data transfers outside the EEA.

Access Control

Role-based access control for all administrative operations. API authentication uses JWTs validated against the signing keys published at Keycloak's JWKS endpoint. Service account isolation per tenant.
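What "JWTs validated against a JWKS endpoint" involves, as an added example in plain Ruby (openssl and json only) that is neither Tessera's nor Keycloak's code. The signing key, the JWKS document and the token are all constructed in-process so the example runs offline; in deployment the JWKS is fetched from the identity provider's published endpoint and cached by key id. The issuer, audience and expiry checks after the signature check are standard JWT validation steps assumed here, not something the page states; the `kid`, issuer URL and audience values are constructed.

```ruby
# Added example, not Tessera's or Keycloak's code: verify an ES256 JWT against
# a JWKS document. Covers the checks an API layer must make on every bearer
# token: kid lookup in the JWKS, alg pinning, signature, expiry, issuer, audience.
require 'openssl'
require 'json'

def b64url_encode(bytes)
  [bytes].pack('m0').tr('+/', '-_').delete('=')
end

def b64url_decode(str)
  str.tr('-_', '+/').ljust(str.length + (-str.length % 4), '=').unpack1('m0')
end

# JWK <-> OpenSSL EC public key (P-256 only, the curve behind ES256).
def ec_key_to_jwk(key, kid)
  pt = key.public_key.to_octet_string(:uncompressed)    # 0x04 || X (32) || Y (32)
  { 'kty' => 'EC', 'crv' => 'P-256', 'use' => 'sig', 'alg' => 'ES256', 'kid' => kid,
    'x' => b64url_encode(pt[1, 32]), 'y' => b64url_encode(pt[33, 32]) }
end

def jwk_to_ec_public_key(jwk)
  raise 'unsupported JWK' unless jwk['kty'] == 'EC' && jwk['crv'] == 'P-256'
  point = "\x04".b + b64url_decode(jwk['x']) + b64url_decode(jwk['y'])
  # Wrap the bare point in a SubjectPublicKeyInfo so OpenSSL::PKey.read accepts it
  spki = OpenSSL::ASN1::Sequence.new([
    OpenSSL::ASN1::Sequence.new([OpenSSL::ASN1::ObjectId.new('1.2.840.10045.2.1'),    # id-ecPublicKey
                                 OpenSSL::ASN1::ObjectId.new('1.2.840.10045.3.1.7')]), # prime256v1
    OpenSSL::ASN1::BitString.new(point)
  ])
  OpenSSL::PKey.read(spki.to_der)
end

# JOSE ES256 signatures are fixed-width r || s (64 bytes), not the DER OpenSSL emits.
def es256_sign(key, input)
  der = key.dsa_sign_asn1(OpenSSL::Digest::SHA256.digest(input))
  OpenSSL::ASN1.decode(der).value.map { |n| n.value.to_s(2).rjust(32, "\x00") }.join
end

def es256_verify(pub, input, sig)
  return false unless sig.bytesize == 64
  r, s = [sig[0, 32], sig[32, 32]].map { |b| OpenSSL::ASN1::Integer.new(OpenSSL::BN.new(b, 2)) }
  pub.dsa_verify_asn1(OpenSSL::Digest::SHA256.digest(input), OpenSSL::ASN1::Sequence.new([r, s]).to_der)
rescue OpenSSL::PKey::PKeyError
  false
end

def issue_token(key, kid, claims)
  header = { 'alg' => 'ES256', 'typ' => 'JWT', 'kid' => kid }
  input = "#{b64url_encode(JSON.generate(header))}.#{b64url_encode(JSON.generate(claims))}"
  "#{input}.#{b64url_encode(es256_sign(key, input))}"
end

# Returns the verified claims or raises with the reason the token was rejected.
def verify_token(token, jwks, issuer:, audience:, now: Time.now.to_i)
  parts = token.split('.')
  raise 'malformed token' unless parts.size == 3
  h64, p64, s64 = parts
  header = JSON.parse(b64url_decode(h64).force_encoding('UTF-8'))
  raise "alg not allowed: #{header['alg']}" unless header['alg'] == 'ES256'  # pin; never trust alg from the token
  jwk = jwks['keys'].find { |k| k['kid'] == header['kid'] && k['use'] == 'sig' } if header['kid'].is_a?(String)
  raise "unknown kid: #{header['kid']}" unless jwk
  raise 'bad signature' unless es256_verify(jwk_to_ec_public_key(jwk), "#{h64}.#{p64}", b64url_decode(s64))
  claims = JSON.parse(b64url_decode(p64).force_encoding('UTF-8'))   # parse claims only after the signature holds
  raise 'expired' unless claims['exp'].is_a?(Integer) && now < claims['exp']
  raise 'wrong issuer' unless claims['iss'] == issuer
  raise 'wrong audience' unless Array(claims['aud']).include?(audience)
  claims
end

# Non-raising form: [true, claims] or [false, reason].
def check_token(token, jwks, **opts)
  [true, verify_token(token, jwks, **opts)]
rescue RuntimeError, JSON::ParserError, ArgumentError => e
  [false, e.message]
end

if __FILE__ == $PROGRAM_NAME
  key = OpenSSL::PKey::EC.generate('prime256v1')                      # constructed IdP signing key
  jwks = { 'keys' => [ec_key_to_jwk(key, 'tenant-a-2024-06')] }      # what the JWKS endpoint would serve
  now = 1_700_000_000
  claims = { 'iss' => 'https://idp.example/realms/tenant-a', 'aud' => 'tessera-api',
             'sub' => 'svc-issuer', 'iat' => now, 'exp' => now + 300 }
  token = issue_token(key, 'tenant-a-2024-06', claims)
  opts = { issuer: claims['iss'], audience: 'tessera-api', now: now + 60 }
  p check_token(token, jwks, **opts)
  h, _, s = token.split('.')
  forged = "#{h}.#{b64url_encode(JSON.generate(claims.merge('sub' => 'admin')))}.#{s}"
  p check_token(forged, jwks, **opts)                                   # [false, "bad signature"]
end
```

The order of checks matters: the key is chosen by `kid` from the trusted JWKS and the algorithm is pinned before any signature arithmetic, and the claims are only parsed once the signature holds, so nothing in the token body influences which key or algorithm is used.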

Compliance

Framework                 Status      Details
GDPR                      Compliant   Data minimization by design. Privacy policy, DPA available.
eIDAS 2.0                 Aligned     OpenID4VCI/VP, SD-JWT, mDoc per ARF specifications.
EU e-Commerce Directive   Compliant   Legal entity disclosure, contact information, privacy policy published.
SOC 2 Type II             Planned     Audit scheduled for 2027. Controls already implemented.

Responsible Disclosure

If you discover a security vulnerability in Tessera's infrastructure, please report it responsibly to hello@tsera.io with the subject line “Security Vulnerability Report.” We will acknowledge receipt within 48 hours and provide an initial assessment within 5 business days.

Questions about our security practices?

We are happy to discuss our security architecture, share our DPA, or walk through our compliance posture with your security team.
