
Security

Security users can trust.

Nuvouch makes sure every action is approved by the right user, on the right device — and that the answer can be cryptographically trusted by your platform. Here's how we do it.

The four guarantees

  • Right user: verified identity
  • Right device: trusted + registered
  • Right action: scope-bound request
  • Right answer: signed + auditable
01 · Device-based approvals

Every decision is tied to a trusted, registered user device. Approvals cannot be initiated from an unregistered device, preventing account takeover and unauthorized responses.

  • Devices are registered during onboarding
  • Each device gets a unique cryptographic keypair
  • Approval requests are delivered only to registered devices
  • Lost or compromised devices can be revoked instantly

02 · Signed, verifiable responses

Every approval or rejection is signed with Ed25519 on the user's device. The signature covers the full decision payload, making it tamper-evident and independently verifiable by your platform.

  • Ed25519 digital signatures
  • Signature covers decision + context + timestamp
  • Your platform verifies with the public key
  • Replay attacks prevented with nonce and expiry
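To make the verification step above concrete, here is an added example (not Nuvouch's code or wire format) of the platform-side check using Go's standard-library crypto/ed25519: it confirms the device is registered, that the signature covers the whole payload (decision, context, timestamp, nonce, expiry), that the decision has not expired, and that the nonce has not been consumed before. The JSON field names, the per-device public-key registry and the in-memory nonce store are assumptions for illustration.

```go
package main

import (
	"crypto/ed25519"
	"encoding/json"
	"errors"
	"time"
)

// Decision is the payload the device signs (field names are assumed, not Nuvouch's format).
type Decision struct {
	RequestID string `json:"request_id"`
	Decision  string `json:"decision"` // "approved" or "rejected"
	Context   string `json:"context"`  // what the user was shown
	IssuedAt  int64  `json:"issued_at"`
	ExpiresAt int64  `json:"expires_at"`
	Nonce     string `json:"nonce"` // one-time value that makes replay detectable
}

// Canonical is the exact byte string both sides sign and verify; encoding/json emits struct fields in declaration order, so it is deterministic.
func Canonical(d Decision) []byte {
	b, _ := json.Marshal(d) // only string and int64 fields: cannot fail
	return b
}

// Verifier holds the registered devices' public keys and the nonces already consumed (assumed in-memory store).
type Verifier struct {
	DeviceKeys map[string]ed25519.PublicKey // device id -> public key registered at onboarding
	seen       map[string]bool
}

func NewVerifier() *Verifier {
	return &Verifier{DeviceKeys: map[string]ed25519.PublicKey{}, seen: map[string]bool{}}
}

// Verify is the platform-side check: registered device, valid Ed25519 signature over the whole payload, not expired, nonce unused.
func (v *Verifier) Verify(deviceID string, d Decision, sig []byte, now time.Time) error {
	pub, ok := v.DeviceKeys[deviceID]
	if !ok || !ed25519.Verify(pub, Canonical(d), sig) {
		return errors.New("unregistered device or bad signature")
	}
	if now.Unix() > d.ExpiresAt {
		return errors.New("decision expired")
	}
	if v.seen[d.Nonce] {
		return errors.New("replayed nonce")
	}
	v.seen[d.Nonce] = true // consume the nonce only after every other check passed
	return nil
}
```

The order of checks matters: the signature is verified before the nonce is recorded, so an attacker cannot burn a legitimate nonce by submitting a forged copy of it.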

03 · Zero credential exposure

Sensitive credentials — private keys, biometric data — never leave the user's device. Nuvouch's architecture ensures that the approval infrastructure never has access to user secrets.

  • Private keys generated and stored on-device
  • Biometric verification stays in the device TEE
  • No passwords transmitted during approval
  • Server never sees or stores signing keys

04 · Tamper-resistant audit logs

Every request and decision is recorded with verifiable integrity. The audit trail captures the full lifecycle — creation, notification, viewing, decision, and callback delivery — so you have a complete compliance record.

  • Full lifecycle audit: create → notify → view → decide → callback
  • Immutable log entries with integrity hashes
  • Exportable for compliance and regulatory review
  • Retention policies aligned with your requirements

Audit trail

Every step, recorded.

From the moment a request is created to the signed callback delivery, every event is logged with timestamps, actor identifiers, and integrity metadata. Built for compliance and forensics.

Audit trail · req_01HZ8K…
  1. 14:02:09.112  request.created   Acme · AI Agent
  2. 14:02:09.184  user.notified     trusted device
  3. 14:02:10.601  user.viewed       context shown
  4. 14:02:11.044  user.approved     verified on device
  5. 14:02:11.092  callback.signed   returned to acme.dev

Responsible disclosure

Found a vulnerability?

We take security seriously. If you believe you've found a security vulnerability in Nuvouch, please disclose it responsibly.

[email protected]

Security by design. Trust by default.

Every approval is device-bound, signed, and audited. Start building with confidence.