Built for institutions that can’t afford ambiguity.
Avogy issues credentials that survive vendor lock-in, audit, and time. Here’s exactly how we secure your data and your reputation.
Every credential is cryptographically signed.
Every credential we issue is signed with Ed25519, the same elliptic-curve algorithm that secures Bitcoin transactions and SSH connections at scale. Each issuing organization holds a public key; the matching private key signs every credential that organization issues.
Before signing, the credential payload is canonicalized using JCS (JSON Canonicalization Scheme, RFC 8785). That means the signed bytes are deterministic regardless of key order or whitespace. Any change to the credential, even reordering a single field, produces a completely different hash and the signature stops verifying.
This is materially stronger than centralized JSON-only approaches like older OBv2 implementations, where trust depends on the issuing platform staying online to confirm authenticity. With Ed25519 plus a published institutional public key, the math is the trust. The credential proves itself.
Public keys are published at a stable URL on each organization’s issuer profile and embedded in every Verifiable Credential we generate. Verifiers can resolve and cache them independently of Avogy.
“If our company disappeared tomorrow, every credential we ever signed would still verify against the issuing institution’s published public key.”
Where your data lives.
Database
Turso (libSQL/SQLite). Primary region: AWS US-WEST-2. Replication to Frankfurt and London available on request for institutional clients with EU residency requirements. Encrypted at rest. Daily backups.
Application
Vercel, Frankfurt edge with US primary. TLS 1.3 everywhere. No origin pull from non-CDN paths. Static assets served from regional edges close to the verifier.
Emailit (EU-based). Used only for credential claim notifications and security alerts. We do not retain email contents beyond delivery confirmation.
We can offer EU-only or Africa-region data residency for institutions with regulatory requirements. Contact hello@avogy.com to discuss.
Who can do what.
- Multi-tenant isolation
Every database query is scoped to the requesting org's ID at the query layer. Cross-org reads are not possible, even with a leaked session.
- Two role tiers per org
Admin (full control, including templates and revocation) and Issuer (issue only, no template editing or revocation). Permissions are enforced server-side on every action.
- Super admin scoped to platform ops
Avogy platform staff have a separate super-admin role limited to monitoring, org approval, and incident response. Every super-admin action is audit-logged.
- Recipient claim with email OTP
Recipients claim credentials via a one-time code sent to their email. No password to lose. Session cookies are HMAC-signed and HttpOnly.
- SSO for institutional plans
SAML, OIDC, Google Workspace, and Microsoft Entra are available for institutions with 50+ seats. Available on request as part of onboarding.
- Sensitive actions are double-gated
Revocation, key rotation, and bulk export require admin role plus a recent re-auth. The actor, IP, and reason are written to the audit log before the action commits.
Every action is logged.
Avogy logs every meaningful action against your organization: credential issuance, recipient claim, public verification lookups, revocation, and admin changes (template edits, role changes, API key rotation).
Logs are append-only and exportable in CSV or JSON for institutional clients who need to feed them into their own SIEM or compliance tooling. Default retention is 7 years for institutional plans, which aligns with most academic and professional-body record-keeping requirements.
Verification lookups are logged separately from PII so you can see how often a credential is being checked without exposing who is checking it.
- who
- user_2pX4...@cimg.org
- what
- credential.issued
- when
- 2026-04-12T09:14:22Z
- ip
- 102.176.xx.xx
- method
- POST /api/credentials
- org
- org_cimg_ghana
Standards we follow.
Issued in production. Every credential is a signed VC compatible with the W3C VC Data Model 2.0.
Export available. Recipients can take a portable, signed Open Badge to any compatible wallet.
Data subject rights honored: access, rectification, erasure, portability. Data Processing Addendum available on request.
Aligned with the Act and NITA-aware. Local data residency available for Ghanaian institutions on request.
Public verification surfaces tested for contrast, keyboard navigation, and screen reader support.
Audit planned for Q4 2026. We are honest: this is the plan, not the present state. Ask us about our readiness assessment.
When things go wrong.
If we suspect a breach, fraudulent issuance, key compromise, or extended downtime, we follow a documented playbook: contain, investigate with forensic logs, rotate any affected keys, and notify. For confirmed incidents that materially affect credential integrity or recipient data, we commit to notifying affected institutions within 72 hours of confirmation, with a written summary of scope, impact, and remediation.
Key compromise has a specific path: revoke the affected signing key, publish a successor key, re-sign affected credentials, and notify every issuing organization downstream. Verifiers see the revocation immediately on the verification surface.
Reach the security team directly at security@avogy.com.
Found a security issue?
We take responsible disclosure seriously. If you’ve identified a vulnerability that could affect credential integrity, recipient data, or platform availability, please tell us before disclosing publicly. We’ll work with you on a coordinated timeline.
Documents we provide on request.
- Data Processing Addendum (DPA)
- Vendor security questionnaire (CAIQ Lite, custom university templates)
- Penetration test summary (when complete)
- Architecture overview
Talk to us about your security requirements.
Sending a vendor questionnaire? Need a DPA before you sign? Want to walk through our architecture with your IT team? We’ll meet you where you are.