PBI
Presence-Bound Identity
Trust Center · enterprise-ready posture

Trust is earned with strict guarantees and minimized data.

This page is written for security reviewers, compliance teams, and platform engineering. We state guarantees precisely and avoid unverifiable claims. PBI is a presence proof primitive for irreversible actions: action-bound WebAuthn with user presence and user verification (UP+UV), plus signed receipts.

Strict claims
We define exactly what is proven (UP+UV for an action hash, single-use, within expiry).
Data minimization
No biometric data stored. No password database required for presence proof.
Evidence receipts
Receipts provide durable, verifiable references for audit and disputes.
Enterprise packet
Threat model, data flow, trust policy, evidence formats, and deployment notes.
Guarantees
Guarantees vs non-goals
Clear boundaries reduce procurement friction and prevent mismatched expectations.
PBI guarantees
UP+UV presence ceremony occurred for a single-use, time-bounded challenge bound to this action hash, and a receipt was emitted.
PBI does not guarantee
Real-world identity (KYC), role correctness, coercion resistance, or that an authorized human did not make a mistake.
Your responsibility
Enforce this rule: an irreversible operation executes only after a PBI_VERIFIED outcome; any other outcome must halt it.
Data handling
What we store vs do not store
PBI is designed to minimize sensitive data while maximizing audit usefulness.
Stored (typical)
Receipts (hash references), verification decisions, timestamps, and minimal challenge metadata necessary for single-use + expiry enforcement.
Not stored
Biometric templates, FaceID/TouchID data, passwords, or a user identity database required for presence proof.
Optional exports
Portable proof bundles for offline verification and chain-of-custody under a trust policy (rotation/revocation/expiry).
WebAuthn biometrics never leave the device
Authenticators perform user verification locally. The server verifies an assertion and issues a receipt; it does not receive biometric material.
Security posture
Controls that matter for this primitive
These are the controls enterprise teams map to their internal requirements.
Replay resistance
Single-use challenges + expiry windows + action binding prevent reuse and repurposing.
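The replay-resistance controls above, together with the UP+UV guarantee stated earlier, as an added illustration in Python; this is not PBI's own code. It assumes a hypothetical in-memory challenge store, that a WebAuthn library has already verified the assertion signature, and an HMAC as a stand-in for whatever receipt signing scheme the product uses.

```python
import base64, hashlib, hmac, json, os

UP, UV = 0x01, 0x04  # WebAuthn authenticatorData flag bits: user present, user verified

class ChallengeStore:
    """Hypothetical in-memory registry: challenge -> (bound action hash, expiry).
    Single use is enforced by removing the entry on first lookup, whatever the outcome."""
    def __init__(self):
        self._open = {}

    def issue(self, action_hash: bytes, now: int, ttl_s: int = 120) -> bytes:
        challenge = os.urandom(32)
        self._open[challenge] = (action_hash, now + ttl_s)
        return challenge

    def consume(self, challenge: bytes):
        return self._open.pop(challenge, None)  # None: unknown or already used

def verify_presence(store, action_hash, auth_data, client_data_json, now, receipt_key):
    """Policy checks over an assertion whose signature a WebAuthn library has already verified
    (that step is assumed, not shown). Returns ("PBI_VERIFIED", receipt) or (reason, None)."""
    client = json.loads(client_data_json)
    if client.get("type") != "webauthn.get":
        return "WRONG_CEREMONY_TYPE", None
    enc = client.get("challenge", "")
    challenge = base64.urlsafe_b64decode(enc + "=" * (-len(enc) % 4))
    entry = store.consume(challenge)
    if entry is None:
        return "CHALLENGE_UNKNOWN_OR_REUSED", None
    bound_action, expires_at = entry
    if now > expires_at:
        return "CHALLENGE_EXPIRED", None
    if not hmac.compare_digest(bound_action, action_hash):
        return "ACTION_MISMATCH", None  # challenge was issued for a different action
    if len(auth_data) < 37 or auth_data[32] & (UP | UV) != (UP | UV):
        return "UP_UV_NOT_ASSERTED", None  # flags byte follows the 32-byte rpIdHash
    receipt = {"action_hash": action_hash.hex(), "challenge": challenge.hex(),
               "flags": auth_data[32], "verified_at": now}
    payload = json.dumps(receipt, sort_keys=True).encode()
    receipt["mac"] = hmac.new(receipt_key, payload, hashlib.sha256).hexdigest()  # stand-in signer
    return "PBI_VERIFIED", receipt

def sample_assertion(challenge: bytes, flags: int):
    """Constructed authenticatorData + clientDataJSON; no real authenticator is involved."""
    enc = base64.urlsafe_b64encode(challenge).rstrip(b"=").decode()
    cd = json.dumps({"type": "webauthn.get", "challenge": enc, "origin": "https://rp.example"})
    return bytes(32) + bytes([flags]) + b"\x00\x00\x00\x01", cd.encode()
```

Every outcome other than PBI_VERIFIED is a halt, and the challenge is spent on first use even when the check fails, so a failed attempt cannot be retried with the same challenge.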
Evidence-first audit
Receipts are evidence references; logs are not treated as primary proof artifacts.
Principle of minimization
Minimize stored sensitive data; store only what supports verification and audit mapping.
Environment separation
Separate dev/stage/prod API keys and allowlisting patterns are recommended for hardened rollouts.
Rotation & revocation
Trust policy supports key rotation/revocation/expiry for offline verification governance.
Enterprise security packet
Available through the Enterprise onboarding path: threat model, data flow diagram, trust policy guidance, evidence formats, and deployment notes. Start here: /enterprise.
Disclosure
Responsible disclosure
We treat security reports seriously. Use the channel below to report vulnerabilities.
Security reports
Email security@kojib.com. Include reproduction steps, impact assessment, and affected endpoints or artifacts.
Privacy requests
Email privacy@kojib.com for privacy and data handling requests.
Support
Email support@kojib.com for integration and customer support requests.