Security by Architecture
MyDataKey is non-custodial by design. We protect what matters by not storing what doesn’t need to be stored. This page explains our security posture and the safeguards we apply to the limited metadata we process.
The Best Security? Not Having the Data.
Most security practices focus on protecting data after collecting it. MyDataKey reduces exposure by avoiding unnecessary custody in the first place. You can’t leak what you don’t store.
Security Governance
Our security program is risk-based and aligned with industry frameworks. We focus on protecting the integrity, availability, and confidentiality of the limited metadata we process.
Risk-Based Program
Controls are selected and reviewed based on realistic threats and impact—not checkbox compliance. We prioritize what actually matters.
ISO 27001 Alignment
Security governance is aligned with ISO/IEC 27001 principles (Information Security Management System) for structured risk management.
Change Management
Material changes are reviewed and tracked through controlled engineering and operational processes with appropriate approvals.
Key Safeguards
Integrity & Non-Repudiation
Cryptographic signing and verification ensure ownership records and metadata are tamper-resistant and auditable. Every certificate includes a unique ID and timestamp.
Access Control
Role-based access control and least privilege reduce the risk of unauthorized administrative activity. Access is granted only as needed.
Multi-Factor Authentication
MFA is used for privileged access where supported. Our identity verification uses selfie + government ID for establishing ownership.
Logging & Monitoring
We maintain monitoring and audit logging to support detection, response, and accountability. All certificate generation and verification is logged.
Encryption in Transit
All connections to the Service are protected using TLS encryption. We enforce HTTPS across all endpoints.
Supplier Risk Management
Third-party providers are evaluated and monitored as part of supplier security and reliability management.
Incident Response
We maintain incident response procedures to assess, contain, and remediate security events. Because MyDataKey does not store raw personal data, incidents are evaluated based on integrity, availability, and trust impact.
Detection & Reporting
Monitoring systems detect anomalies. Security researchers can report vulnerabilities via our Responsible Disclosure program.
Triage & Investigation
We use logs and monitoring to assess scope, severity, and impact. Our team evaluates the actual risk—not theoretical worst cases.
Containment & Remediation
We isolate affected systems, patch vulnerabilities, and restore normal operations with verification.
Review & Improvement
We incorporate learnings into improvements to controls, processes, and monitoring. Every incident makes us stronger.
Availability & Maintenance
The Service may be unavailable at times due to maintenance, upgrades, or factors outside our control. We aim to maintain reasonable availability appropriate to the Service.
Your ownership certificates are timestamped declarations that exist independently of service availability. Even if MyDataKey were to go offline, your certificates remain valid as dated evidence of your data ownership declaration. You can verify any certificate at any time.
🔐 Report a Security Issue
We value the work of security researchers. If you’ve found a vulnerability, please report it responsibly.
Responsible Disclosure PolicyThis page describes high-level security practices and is not a guarantee of security. Detailed security documentation may be available under NDA for enterprise diligence. MyDataKey is operated by Own Your Data Inc., a 501(c)(3) nonprofit.