# Security & Compliance Overview
GoValid implements multiple layers of security to protect your data and ensure the authenticity of QR codes.
## Security Architecture
GoValid's security is built on multiple layers:
| Layer | Technology | Purpose |
|---|---|---|
| Authentication | JWT, API Keys, OAuth 2.0 | Secure access control |
| 2FA | TOTP, Backup Tokens, Trusted Devices | Account protection |
| Encryption | AES-256-GCM, ChaCha20-Poly1305 | Data confidentiality |
| Digital Signatures | HMAC-SHA256, Ed25519 | Integrity and non-repudiation |
| Risk Analysis | Geolocation, VPN Detection | Fraud prevention |
| Infrastructure | HTTPS, CSP, File Sanitization | Platform security |
## Key Security Features

### QR Code Security Levels
- Smart QR: 96-bit encryption with HKDF-SHA256, AES-256-GCM
- Secure QR: 256-bit encryption with SHA-256, ChaCha20-Poly1305
- Enterprise QR: Ed25519 digital signatures with non-repudiation guarantee
### Account Security
- Two-factor authentication (TOTP)
- Trusted device management
- Risk-based login analysis
- Session management and monitoring
- Password policies and recovery
### Data Protection
- AES-256-GCM encryption for QR data (all levels)
- Secure file upload sanitization
- Content Security Policy (CSP)
- GDPR compliance (data export, deletion)
### Infrastructure Security
- HTTPS everywhere with managed certificates
- CDN and DDoS protection
- Secure credential management with a managed secrets service
- Regular security audits
## Compliance
GoValid is designed to support compliance with:
| Standard | Support |
|---|---|
| GDPR | Data export, deletion, consent management |
| Data Privacy | Encrypted storage, access controls |
| Audit Trails | Complete activity logging |
| Non-Repudiation | Ed25519 digital signatures |
## Security Best Practices for Users
- Enable 2FA: Add an extra layer of account protection
- Use strong passwords: Unique, complex passwords
- Manage API keys: Rotate regularly, set appropriate permissions
- Monitor sessions: Review active sessions regularly
- Use Enterprise QR: For documents requiring legal-grade verification
- Set QR expiration: Limit the lifetime of sensitive QR codes
- Use password protection: Add passwords to sensitive QR codes
## Related
- 2FA & Trusted Devices - Set up two-factor authentication
- Ed25519 Signatures - Digital signature details
- Encryption - Data encryption details
- Risk-Based Auth - Login risk analysis
- Data Privacy - Privacy and GDPR compliance