Trust Center — TruthAnchor
TruthAnchor security posture, smart contract verification, encryption, sub-processors, incident response, and vulnerability disclosure. Built for AI agent infrastructure that has to be auditable from day one.
Smart Contracts (publicly verified)
ERC-8263 reference on Ethereum Mainnet: 0xe95d6a15966984c209a62a2c188828555eb5ec3d (Etherscan verified, compiler v0.8.19, MIT, no optimizer). Polygon Mainnet anchor: 0x87dd3A56AFD0D2c488aD7E13fB036b59144b25dC (Polygonscan verified). Base Mainnet anchor: 0x87dd3A56AFD0D2c488aD7E13fB036b59144b25dC (Basescan verified). BNB Smart Chain anchor: 0x87dd3A56AFD0D2c488aD7E13fB036b59144b25dC (BscScan verified). Sepolia V1 reference: 0x89EE9b68c3b2f50cbE9D0fC4Dc134939a0475c1C.
Cryptography & Key Management
Passwords: bcrypt with per-user salt, cost factor 10+. API keys: SHA-256 hashed at rest; raw key shown once at creation, never logged, never retrievable after that. Session secrets: AES-256-GCM with explicit 16-byte auth tag (hardened against tag-truncation attacks). Password reset tokens: SHA-256 hashed, 1-hour expiry, single-use, rate-limited to 3/15min per IP+email. On-chain signing: relayer wallet 0x4b25E0064626D5718BE8a4E47D809a21548F5256, private key in environment secrets only.
Transport & Web Security
TLS 1.2+ via Replit Deployments edge. Strict CSP, X-Frame-Options DENY, X-Content-Type-Options nosniff, Referrer-Policy strict-origin-when-cross-origin. Session cookies: httpOnly + secure + sameSite. SESSION_SECRET production-fail-closed (process exits when the value is missing or shorter than 16 characters). Cloudflare Turnstile gate on registration; production-fail-closed when TURNSTILE_SECRET_KEY is absent. Rate limiting on auth, password reset, and anchoring endpoints; per-tier monthly quota enforced server-side.
Data Handling
Primary store PostgreSQL (Replit-managed), encrypted at rest by provider. Drizzle ORM with parameterized queries — no raw SQL string concatenation in product code. Only SHA-256 hashes anchored on-chain; source content never touches the chain. We do NOT collect card numbers, government IDs, biometric data, browsing history, or ad/tracking identifiers.
Sub-processors
Replit (application hosting + PostgreSQL, US). Alchemy (EVM RPC, global edge). Pinata (IPFS pinning, US). Resend (transactional email, US/EU). Cloudflare Turnstile (bot challenge, global edge). Changes reflected within 30 days.
Trust Scores: Methodology & Opt-out
TruthAnchor indexes 1,200+ public AI agents from open sources. Trust Scores are computed automatically from public on-chain evidence and public registry signals — NOT a regulated financial credit rating, NOT investment advice, NOT a binding endorsement. Unclaimed agents carry a Pending status. Maintainers can claim their profile, submit on-chain corrections, or request full removal by emailing hello@truthanchor.biz from a verifiable owner address. Opt-out honored within 5 business days; this is a permanent right.
Incident Response
30-second health check on /api/health, Telegram alerts to operator on failure. Public status in real time at /status, per-incident notes on /changelog. Customer-impacting incidents trigger email within 24h, postmortem within 7 days. Any confirmed unauthorized access to user data triggers notification within 72 hours.
Vulnerability Disclosure
Report privately to security@truthanchor.biz. No legal action against good-faith researchers who do not exfiltrate user data or degrade service. Typical remediation window 30–90 days depending on severity. No paid bounty currently; high-quality reports acknowledged on /changelog with researcher permission.