Security & Trust

Optropic is Physical Trust Infrastructure. Security isn't a feature we added — it's the foundation everything is built on.

Architecture

Our security architecture operates across multiple layers:

Physical Layer

  • PUF-based copy detection — Physically Unclonable Functions create unforgeable fingerprints
  • Spatial commitment — Physical feature relationships encoded cryptographically
  • Quantum-resistant foundations — Future-proof against quantum computing attacks

Cryptographic Layer

  • Ed25519 signatures — Fast, secure digital signatures (128-bit security level)
  • SLIP-0010 HD keys — Hierarchical deterministic key derivation
  • SHA-3 hashing — NIST-approved cryptographic hashing

Transport Layer

  • TLS 1.3 — All API communication encrypted in transit
  • API key authentication — SHA-256 hashed, never stored in plaintext
  • Rate limiting — Protection against abuse and DDoS

Monitoring Layer

  • OIDS fraud detection — Real-time anomaly detection
  • Geographic impossibility checks — Flag impossible scan patterns
  • Scan pattern analysis — Identify counterfeiting attempts

Privacy by Design

We architected Optropic with privacy as a fundamental requirement:

Principle | Implementation
Data Minimization | Camera images never leave the scanning device
One-Way Processing | Physical features processed as irreversible hashes
Local-First | Verification possible fully offline
Pseudonymization | Owner identities shown as "Verified Private Collector"

Compliance Status

Standard | Status
GDPR | ✅ Compliant
GS1 Digital Link | ✅ Compliant
EU Digital Product Passport | 🟢 Architecture ready
SOC 2 Type I | 📋 Targeted Q2 2026
ISO 27001 | 📋 Targeted Q4 2026

Security Controls

Access Control

  • Role-based access control (RBAC)
  • API key scoping by GTIN/batch
  • Audit logging of all operations

Encryption

Data State | Method
In Transit | TLS 1.3
At Rest | AES-256-GCM
Keys | Ed25519 (HSM-backed for enterprise)

Monitoring

  • Real-time threat detection
  • Automated alerting for anomalies
  • 24/7 security operations (SOC)

Vulnerability Disclosure

We welcome responsible security research. Report vulnerabilities to:

security@optropic.com

We commit to:

  • Acknowledge receipt within 24 hours
  • Provide updates every 72 hours
  • Credit researchers (if desired) after remediation

Data Processing

Questions?

For security inquiries, contact security@optropic.com

For compliance documentation requests, contact compliance@optropic.com