Trust · Security · Procurement

Security & Verification Whitepaper

The procurement and security-diligence packet for GeoClear. Cryptographic substrate, key-management posture, Evidence Bundle internals, verification recipes, and the SOC 2 / industry-framework mapping. Available under a mutual NDA to qualified procurement and security teams.

Audience. Procurement, Security, Architecture review, SOC 2 auditors, Google Startup Program review, enterprise InfoSec. Not for general developer integration; the public developer docs + the in-browser receipt verifier cover that. This document is the substrate review for buyers who need to satisfy a compliance file before signing.

Why this lives behind a gate. The trust story (customer-held receipts, sovereign verification, what we prove vs. don’t prove) is on the public /security page. The implementation blueprint (exact algorithms, hardware certifications, key-management cadence, mirror-channel architecture, byte-level Evidence Bundle inventory, full verification recipes) is GeoClear’s competitive IP and lives behind a mutual NDA so it’s only seen by reviewers who need it. Per our security overview, you can verify the trust posture today without ever reading this whitepaper; the whitepaper is for when you need to document that posture for an audit.

What’s inside (9 sections)

  1. Trust model + threat model: What GeoClear proves, what it doesn’t prove, who the trusted and untrusted actors are, and how the boundary holds under each adversary.
  2. Cryptographic substrate: Algorithms, hardware certifications, key generation and binding, signing primitive, and the in-flight + at-rest crypto envelope.
  3. Key management + rotation policy: Key lifecycle, rotation cadence, overlap window during rotation, emergency rotation runbook, and the receipt-verifiability guarantee across rotations.
  4. Key Transparency Manifest: Append-only public anchor for every active and historical signing key; Merkle structure; witness chain; cosign signatures; mirror channels.
  5. Evidence Bundle internals: Byte-level inventory of every artifact in the bundle, canonicalization rules, schema versioning, and the offline-verifier’s contract.
  6. Offline verification recipes: Step-by-step guides for Node, Python, browser, and air-gapped USB-stick scenarios. Sample bundles + reference implementations.
  7. Operational security controls: Mapping from GeoClear controls to SOC 2 Trust Services Criteria + the industry frameworks our continuous-control assessment evaluates against. Evidence catalog references.
  8. Incident response + customer-notification commitments: Severity definitions, response SLOs, customer-impact disclosure timeline, post-mortem publication policy, runbook references.
  9. SLA + customer audit rights: Uptime guarantees, response-signing availability commitments, customer audit-log retention, sub-processor change notification, and the customer-held-evidence retention model.

Request access

To request a copy of the whitepaper, email security@geoclear.io with the following:

  • Your name + corporate email (we don’t accept @gmail / @yahoo / @hotmail)
  • Company name and your role (procurement / security / engineering / executive)
  • A brief use case (~50 words) describing what you’re evaluating GeoClear for

We acknowledge requests within 72 hours. On approval (typical turnaround ~2-3 business days for in-scope requests), you receive a single-use signed URL valid for 30 days, watermarked with your company name and the request date in the document footer. The whitepaper is delivered under our standard mutual NDA; ad-hoc terms can be negotiated for enterprise procurement.

In-scope: enterprise prospects with active procurement, security reviewers, SOC 2 / ISO auditors, Google Startup Program reviewers, regulators with jurisdiction. Out of scope: competitive intelligence requests, anonymous requests, individual researchers without a specific evaluation context (the public /security overview + developer docs cover that audience).

What’s already public

Before requesting the whitepaper, the following may already answer your question:

Document status

Last updated: 2026-05-05 · Page version: v1 (Slice 1) · Whitepaper distribution flow upgrade: (Aurora-backed request log + admin approval + watermarked PDF pipeline)