InvoanceInvoance
Log inGet access

Security through cryptographic enforcement, not policy.

Invoance does not ask you to trust its administrators, its infrastructure, or its claims. Every record is independently verifiable using public-key cryptography. Tampering is detectable by construction — not by monitoring.

Request accessTalk to us

Data privacy and protection

We understand that sending data to a third party requires trust, legal review, and guarantees. Invoance is built to meet the data protection expectations of regulated institutions — from encryption and tenant isolation to data residency controls.

Encryption at every layer

All data is encrypted in transit using TLS 1.3. At rest, every record is encrypted before it reaches storage. Your data is never stored in plaintext — not in the database, not in object storage, not in backups.

Tenant isolation

Each organization operates as a fully isolated tenant with its own Ed25519 signing keypair, database-level row isolation, and scoped API credentials. There is no shared keyspace. One tenant cannot access, query, or reference another tenant's data under any circumstance.

No data sharing

Your data is never shared with other tenants, third-party analytics providers, advertisers, or training pipelines. Invoance processes your data solely to produce cryptographic proofs. Nothing more.

Flexible retention

Each subscription tier includes a default retention duration. Need longer retention to meet regulatory or internal requirements? You can purchase extended retention at any time. When the retention period expires, records are purged. You can also request deletion of your tenant and all associated data.

What happens when you send data to Invoance

Every piece of data sent to Invoance follows the same pipeline — encrypted, hashed, signed, and stored immutably. Here is exactly what happens, step by step.

1
Encrypted in transit

Your data is sent over TLS 1.3. It is encrypted from the moment it leaves your system until it reaches the Invoance processing layer. No intermediary can read it.

2
Authenticated and scoped

Your API key is verified and the request is scoped to your tenant. No other tenant's data is accessible during processing. Rate limits and permissions are enforced before any data is written.

3
Hashed and signed

The payload is canonicalized, hashed with SHA-256, and signed with your tenant's unique Ed25519 private key. This produces a cryptographic proof that the data existed in this exact form at this exact time.

4
Encrypted at rest and stored

The signed record is encrypted and written to append-only storage. Once written, no API call, no admin action, and no code path can modify or delete the record. The constraint is architectural.

5
Independently verifiable

A public proof link is generated. Anyone with the link can verify the record's integrity using your organization's public key — without logging in, without contacting Invoance, without trusting anyone.

Cryptographic primitives

Every record in Invoance is secured using well-established, independently auditable cryptographic standards. No proprietary algorithms. No black boxes.

SHA-256
Content hashing

Applied to every record payload before signing. Produces a deterministic 256-bit fingerprint. Any alteration to the content — a single character, a timestamp, a whitespace change — produces a completely different hash. Collisions are computationally infeasible.

Ed25519
Digital signatures

Each tenant is issued a unique Ed25519 keypair. The private key signs the SHA-256 hash of every record at ingestion. The corresponding public key is discoverable at a well-known endpoint and can be used by any third party to verify signatures without contacting Invoance.

Append-only storage
Immutability enforcement

Ledger tables have UPDATE and DELETE structurally revoked at the database level via triggers and permission controls. No administrative action, no API call, and no code path can modify a written record. The constraint is architectural, not policy-based.

JSON canonicalization
Deterministic serialization

Every payload is recursively key-sorted before hashing — objects are ordered lexicographically, arrays preserved in sequence. This deterministic serialization guarantees that identical data always produces an identical SHA-256 hash regardless of the original key order, eliminating false mismatches during verification.

Independent verification — no trust required

Verification of any Invoance record requires only the public key and the record itself. No API key. No account. No contact with Invoance. Any auditor, regulator, or counterparty can verify independently.

Verification steps — performed locally, no network call required
1
Fetch the tenant's public key
GET https://api.invoance.com/keys/acme.com

{
  "domain":     "acme.com",
  "public_key": "MUOiPd4ipnp7amyezsEt9eu3_IuTieQigyfxEIu-3xU",
  "algorithm":  "ed25519",
  "key_id":     "invoance:pk_cf912d40"
}
2
Recompute the canonical hash
import hashlib, json

signed_payload = record["signed_payload"]
canonical = json.dumps(signed_payload, sort_keys=True, separators=(',',':'))
hash = hashlib.sha256(canonical.encode()).digest()
3
Verify the Ed25519 signature
from cryptography.hazmat.primitives.asymmetric.ed25519 import Ed25519PublicKey
import base64

public_key = Ed25519PublicKey.from_public_bytes(
    base64.urlsafe_b64decode(fetched_public_key + "==")
)

# Raises InvalidSignature if tampered
public_key.verify(base64.b64decode(record["signature"]), hash)

print("Signature valid — record is untampered")

This verification works offline. No network call to Invoance is required after fetching the public key. The key itself is stable per tenant and publicly discoverable.

Infrastructure controls

Key isolation

Each tenant has a unique Ed25519 signing keypair. Keys are generated at tenant creation and stored encrypted. Cross-tenant key access is structurally impossible — not just prohibited.

Immutability enforcement

Ledger tables have UPDATE and DELETE revoked via database-level triggers. Row-level security ensures tenants can only access their own records. No administrative bypass exists.

Async write pipeline

Events are published to a durable message queue before database writes. Messages are persisted with explicit acknowledgment — no event is confirmed until written. No fire-and-forget paths exist.

Edge protection

All traffic is routed through a global edge network. DDoS mitigation, TLS termination, and bot protection are applied before requests reach the application layer.

Domain verification

Tenant identity is bound to DNS. Domain verification via DNS TXT records prevents key squatting — a tenant cannot claim a public key for a domain they do not control.

Rate limiting

Public verification endpoints are rate-limited independently from authenticated API paths. Key discovery endpoints are capped to prevent tenant metadata harvesting.

What Invoance cannot do — by design

The following are not policy restrictions. They are architectural constraints enforced at the infrastructure level. No administrative action, support request, or API call can override them.

Modify a written ledger entry

UPDATE and DELETE are revoked at the database role level. The application has no write path that modifies existing rows.

Delete an anchored record

Append-only constraints are enforced by database triggers independent of application logic. Deletion requires dropping the database itself.

Access another tenant's data

Row-level security and scoped API keys enforce tenant boundaries. There is no admin panel, no support tool, and no API endpoint that crosses tenant boundaries.

Issue a signature for another tenant

Signing keys are scoped per tenant. The signing function accepts only the authenticated tenant's key. Cross-tenant signing is not a code path that exists.

Backdate a timestamp

Timestamps are recorded at ingestion by the server and included in the signed payload. The signature covers the timestamp — backdating invalidates the signature.

Forge a public verification

Verification is performed against the tenant's public key. Forging a valid signature without the private key is computationally infeasible under Ed25519.

Share your data with third parties

There is no data pipeline, export function, or integration that sends tenant data to any external service. Data is processed solely to produce cryptographic proofs.

Cryptographic proof vs. access control

Most security models rely on access control — limiting who can read or write records. Invoance adds cryptographic proof — making tampering detectable regardless of access. These are complementary, not competing.

Access control only
Cryptographic proof
Insider modification detectable
No — authorized users can alter records silently
Yes — any change invalidates the signature
Verification requires trust in system
Yes — auditor must trust the vendor
No — verifiable with public key only
Tamper evidence survives breach
No — attacker with DB access can rewrite history
Yes — signature cannot be forged without private key
Survives admin compromise
No — admin can grant access to modify records
Yes — signing key is scoped, DB triggers are structural
Third-party verification
Requires vendor cooperation
Requires only public key — no vendor involvement

Explicit scope boundaries

What Invoance guarantees
Any attempt to alter a recorded event is cryptographically detectable.
The origin of a record can be verified against the issuing tenant's public key.
Records are immutable once written — enforced at the infrastructure level.
Proofs are independently validatable without relying on Invoance.
Timestamps are part of the signed payload and cannot be adjusted post-ingestion.
Your data is encrypted at rest and in transit, isolated per tenant, and never shared.
Outside the scope of Invoance
—Verifying the truth, accuracy, or intent of anchored content.
—Legal admissibility in any specific jurisdiction — consult qualified counsel.
—Replacing application-level access controls or authentication.
—Acting as a notary, legal authority, or regulated financial entity.
—Guaranteeing availability of original document bytes after retention expiry.

Invoance security is based entirely on open, auditable cryptographic standards — SHA-256, Ed25519, and append-only storage. No proprietary algorithms. No trust required beyond the mathematics.

Request accessVerification docsTalk to Invoance

Invoance Security Architecture

Security through cryptographic enforcement, not policy. Invoance does not ask you to trust its administrators, its infrastructure, or its claims. Every record is independently verifiable using public-key cryptography. Tampering is detectable by construction — not by monitoring. SHA-256 hashing, Ed25519 signatures, append-only storage.

Invoance

Neutral digital proof infrastructure for business. Tamper-evident, independently verifiable records.

Subscribe to our newsletter

Products
Platform
How It Works
Developers
Verify
Resources
Help & Legal
Products
  • Event Ledger
  • Document Anchoring
  • AI Attestation
  • Traces
Platform
  • Why Invoance
  • For Compliance Teams
  • Pricing
  • Security
How It Works
  • Overview
  • Event Ledger
  • Document Anchoring
  • AI Attestation
Developers
  • Overview
  • Endpoints
  • Authentication
  • Concepts
Verify
  • Verify Document
  • Verify AI Attestation
  • Verify Event
  • Verify Trace
Resources
  • All Resources
  • SOC 2 Guide
  • HIPAA Guide
  • ISO 27001 Guide
Help & Legal
  • Support
  • Verification Help
  • FAQ
  • Legal Notice

Invoance provides technical verification and proof infrastructure for digital records. Invoance does not issue legal, financial, or regulatory advice.

Records anchored through Invoance are cryptographically signed and tamper-evident by design. Invoance does not verify the accuracy, legality, or authenticity of document contents — only that a record existed in a specific form at a specific time. Verification links are publicly resolvable and do not require authentication. Invoance does not act as a custodian of funds, a legal authority, or a regulated financial entity. Use of Invoance does not constitute legal compliance. Consult qualified counsel for your specific obligations.

© 2025 – 2026 Invoance. All rights reserved.•