Security

Veracium is built so that exposure of any single component does not expose the people on the ground.

Architecture in one sentence

The system is a blind intermediary: the Journalist* knows who they are, the editor knows what they received, and Veracium operates the layer in between without ever holding both halves in the clear.

How it holds up

  • On-device sealing: Hashing happens before transmission. We cannot tamper with what we never see in raw form.
  • Hardware-backed signing: Keys live in the device's secure enclave and cannot be extracted, even by Veracium.
  • Shamir Secret Sharing on identity: The link between Journalist pseudonym and real identity is split across multiple custodians. No single party — including Veracium — can reconstruct it alone.
  • zk-SNARKs for tier proofs: Editors can verify that a Journalist holds the required tier without seeing who they are.
  • EU-hosted, EU-jurisdiction: All production data lives on PostgreSQL in Frankfurt. No US data transfer for operational records.
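
The Shamir Secret Sharing property claimed above, as an added example that is not Veracium's code: a secret is split so that a threshold of custodians recovers it, while fewer shares are consistent with every possible secret. The 3-of-5 threshold, the prime field, the function names and the integer stand-in for the identity-link key are all assumptions; the page states none of them.

```python
import secrets

# Assumption: arithmetic in the prime field GF(2**127 - 1); the page gives no parameters.
PRIME = 2**127 - 1

def split(secret, threshold, custodians):
    """Return one (x, y) share per custodian; any `threshold` of them recover `secret`."""
    if not 0 <= secret < PRIME:
        raise ValueError("secret must be a field element")
    if not 2 <= threshold <= custodians:
        raise ValueError("need 2 <= threshold <= custodians")
    # Random polynomial of degree threshold-1 whose constant term is the secret.
    coeffs = [secret] + [secrets.randbelow(PRIME) for _ in range(threshold - 1)]
    shares = []
    for x in range(1, custodians + 1):
        y = 0
        for c in reversed(coeffs):  # Horner evaluation of f(x)
            y = (y * x + c) % PRIME
        shares.append((x, y))
    return shares

def interpolate(points, at=0):
    """Lagrange-interpolate the polynomial through `points` and evaluate it at `at`."""
    if len({x for x, _ in points}) != len(points):
        raise ValueError("duplicate x coordinate")
    total = 0
    for i, (xi, yi) in enumerate(points):
        num = den = 1
        for j, (xj, _) in enumerate(points):
            if i != j:
                num = num * (at - xj) % PRIME
                den = den * (xi - xj) % PRIME
        total = (total + yi * num * pow(den, -1, PRIME)) % PRIME
    return total

def forge_missing_share(partial, candidate, x):
    """With threshold-1 shares, ANY candidate secret is consistent: compute the
    share custodian `x` would have to hold for the secret to equal `candidate`."""
    return (x, interpolate([(0, candidate)] + list(partial), at=x))

if __name__ == "__main__":
    link_key = 0x1234_5678_9ABC_DEF0  # constructed stand-in for the identity-link key
    shares = split(link_key, threshold=3, custodians=5)
    assert interpolate(shares[:3]) == link_key           # three custodians suffice
    fake = forge_missing_share(shares[:2], 42, x=3)
    assert interpolate(shares[:2] + [fake]) == 42        # two shares fit any secret
```

Because two colluding custodians can make their shares agree with any secret they like, their shares alone carry no information about the real one.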

What we do not protect against

We are explicit about limits. Veracium does not protect against:

  • Coerced capture by a hostile party present at the scene.
  • A Journalist deliberately staging a scene that is then truthfully sealed.
  • An editor republishing the capture without the accompanying certificate.

For each of these, the certificate and chain-of-custody log are designed to make the problem detectable after the fact even if not preventable in the moment.

Reporting a vulnerability

jorg@veracium.io · PGP key fingerprint on /about. We respond within 72 hours and credit responsible disclosure on the project page.
