Security & compliance

Built to the standards handling site data deserves.

UberVisor holds safety-critical site records — operative identity, training credentials, BLE check-ins, incident logs — across UK construction and rail. We aren't formally accredited yet; the platform is designed, built and operated to the standards this data needs. Below is exactly how — layer by layer.

Standards

Built to recognised standards.

We are not formally accredited yet. Each standard below is one the platform has been designed against, configured to, or is actively working towards — with concrete evidence of how the design meets it. Honest now, certified later.

ISO 27001:2022 (in progress): Information Security Management System being built to ISO 27001 controls. External audit in planning.
SOC 2 Type II (designed to): Operational controls map to AICPA Trust Services Criteria — security, availability and confidentiality. No attestation today.
Cyber Essentials Plus (designed to): Controls aligned with Cyber Essentials Plus. IASME assessment to follow the current build phase.
UK GDPR & DPA 2018 (built to): By-design lawful-basis tracking, eu-west-2 only, Art. 15 export, Art. 17 erasure with audit survival. DPO designated.
ISO/IEC 17024 §9.4 (built to): Credential audit trail meets the §9.4 record-keeping requirements so certification bodies using UberVisor can satisfy 17024 themselves.
CAS-G (configured to): Architecture meets Commercial Assurance Service controls for OFFICIAL-tier data. Not formally assessed.
NCSC Cloud Principles (documented against): Architecture mapped to the 14 NCSC Cloud Security Principles. Published mapping available on request.
Independent pen-testing (engagements): Pen tests ahead of major releases, commissioning CREST-accredited testers. Summary report available under NDA.

Platform security

How we protect your data — layer by layer.

Credential security is not one feature; it is eight overlapping controls. Each layer below is shipped today unless explicitly marked roadmap.

A / IDENTITY
The holder is the holder — device-keyed
Every wallet install generates an ES256 keypair on first run, registered against the holder's Cognito identity with a server-validated proof-of-possession. Issued credentials are cryptographically bound to that key via the cnf claim (RFC 7800). Biometric unlock gates the wallet; the private key never leaves the Secure Enclave / StrongBox. The SHA-256 of the holder's photo is bound into the signed credential, so an issuer cannot silently swap the photo later.
ES256 · Secure Enclave · RFC 7800
B / SIGNING
Issuer signing in AWS KMS
Credentials are signed inside AWS KMS — the issuer's private key never leaves the HSM. Output is a W3C Verifiable Credential as JWS-VC (ES256), with iss, sub, jti, iat, exp and the issuer-defined credentialSubject. Every KMS signing call is itself logged in KMS for non-repudiation.
AWS KMS · W3C VC · JWS-VC
C / PRESENTATION
Proof you actually hold the credential
For high-tier credentials, the holder signs a fresh server-issued nonce with their device key at presentation time, so a static screenshot of a QR code cannot be replayed. The credential surfaces as an Apple Wallet pass with PassKit signing layered on top of the UberVisor JWS. BLE proximity binding for the highest-tier credentials is on the Phase 3 roadmap.
PoP · Apple Wallet · PassKit
D / VERIFICATION
Offline-capable signature plus live-status check
Verifiers validate the JWS signature offline against a 24-hour issuer-key cache. A post-signature live-status check then asks the issuer whether the credential has been suspended or revoked since signing — closing the gap where a wallet pass added while ACTIVE has since been pulled. The public verifier URL printed on the card is status-only for anonymous scans: no holder photo, no name. The same URL opens the wallet via Universal Links for authorised verifiers, who see full identity only after Cognito re-auth.
Offline check · 24h cache · Live-status
E / AUDIT
ISO/IEC 17024 §9.4 audit trail
Every state transition — issue, suspend, restore, revoke, view — writes an immutable row keyed by actor, target, issuer, action, reason, reasonSource (preset list vs operator-typed), timestamp. Seven-year retention. Holders see their own activity in the wallet's in-app inbox; issuers see every event their organisation touched. Push notifications (APNs / FCM) on every state change — holders find out in seconds, not on next sign-in.
17024 §9.4 · 7yr · Immutable
F / PROTECTION
UK GDPR / DPA 2018 by design
Credential data, audit events and holder photos stay in eu-west-2 only — no US transfers. Lawful-basis tracking per processing purpose; consent records versioned per notice text (Art. 7). Right to access (Art. 15) returns a signed JSON export. Right to erasure (Art. 17) clears non-audit data; audit rows survive under legitimate interest in credential integrity. Holder photos are S3 lifecycle-tagged for deletion when the credential reaches a terminal state.
eu-west-2 · Art. 15/17 · S3 lifecycle
G / TRANSPORT
TLS, headers and no third-party trackers
TLS 1.3 everywhere with HSTS (2-year max-age, includeSubDomains). CSP, X-Frame-Options DENY and Referrer-Policy: no-referrer on the public verifier surface. No third-party trackers on the wallet or verifier surfaces. AppSync GraphQL is gated by a Cognito JWT bearer token — every authenticated query checks the caller's tenant and role server-side.
TLS 1.3 · HSTS 2y · Cognito JWT
H / FORWARD
Schema and crypto agility
Every credential, template and BLE session-event envelope carries schemaVersion: 1. Future clients can introduce new fields without breaking older wallets — older clients log-and-ignore shapes they do not understand. Algorithm and key-id sit in the JWS header, so rotating from ES256 to a post-quantum algorithm later is a key-rotation plus an algorithm flag — no client rewrite.
schemaVersion · alg+kid · Agility
For procurement

Need our security paperwork?

Email security@ubervisor.app and we will send our architecture briefing, the latest pen-test summary, the data processing addendum (DPA) and the DPIA under NDA. Usually within one working day.

SECURITY.TXT
Contact: security@ubervisor.app
Expires: 2027-01-01T00:00:00.000Z
Preferred-Languages: en, en-GB
Policy: responsible disclosure on request
Hiring: jobs@ubervisor.app