What We Protect Against
Certidox is designed to mitigate real-world document risks: spoofed websites, altered PDFs, counterfeit printed copies, and “latest version” confusion in regulated workflows. The goal is not just to identify a document, but to verify that it is authentic, untampered, and still valid.
- Document tampering: modified content, edited PDFs, replaced pages.
- Spoofing: cloned newsroom pages, lookalike verification sites, fake portals.
- Duplication: copied QR codes used on altered documents.
- Version risk: old documents reused after correction or revocation.
Local Processing by Design
Certidox technology is designed so that document verification can be executed locally on:
- your employees’ computers (workstations),
- your servers (automated verification),
- mobile devices used for scanning printed documents.
This means the most sensitive part—processing and validating document data—does not require sending your document content to Certidox servers.
Important: Certidox is designed so document content is not processed on Certidox servers.
You keep control over where verification runs and how your workflows are integrated.
No Decryption Keys Stored by Certidox
Certidox does not store decryption keys on its servers. This is a core confidentiality property: even if someone accessed Certidox infrastructure, they would not find keys that could decrypt certified content.
In practice, this supports deployments where keys remain under the control of the issuing organization or inside the customer environment.
Open Source and Auditable
Core components of Certidox are open source. This enables independent audit and code review, reduces black-box risk, and helps security teams validate how verification works.
- Auditability: security teams can review the verification logic.
- Transparency: clear understanding of what runs locally versus remotely.
- Portability: easier integration into your environment without vendor lock-in.
Confidentiality and Compliance Alignment
Depending on deployment context, Certidox is designed to align with FERPA (education records), GDPR (EU privacy), and PIPEDA (Canada), because it minimizes exposure of personal data and supports local verification workflows.
Note: formal compliance depends on your specific implementation, data classification, and internal policies.
Revocation and Real-Time Status
Certified documents can be suspended or revoked. Verification returns the current status. Optional alerts can notify people who previously verified a document if it is later revoked—helping prevent outdated or fraudulent use.
FAQ
Does Certidox process document data on its own servers?
No. Verification can run locally in the client’s environment; document content is not processed on Certidox servers.
Does Certidox store decryption keys?
No. Certidox does not store decryption keys on its servers.
Is Certidox open source?
Yes. Core components are open source and can be audited.
Does it work with printed and digital documents?
Yes. Certidox supports verification for both printed documents and digital files.
Discuss Your Security Requirements
If you want to validate how Certidox fits your threat model (spoofing, tampering, duplication, revocation) and your confidentiality constraints, we can review your workflow and deployment options.