Server room cybersecurity
Security Architecture

Bank-Grade Security.
Zero Tolerance.

Property rights are high-stakes. Righthium is built on the assumption that every component will be attacked — and designed to make that attack pointless. AES-256-GCM encryption. Blockchain anchoring. Immutable audit trails.

🔐
AES-256-GCM
Encryption at rest
Polygon Network
Blockchain anchored
🛡
SOC2-Ready
Infrastructure controls
📋
Immutable Audit
Every event recorded

Security Architecture

Five Layers of Institutional-Grade Defense

Security is not a feature at Righthium — it is the product. Every layer is designed for the threat model of institutional property data.

Layer 01 — Data Encryption

AES-256-GCM Encryption

All sensitive data stored in Righthium — OAuth tokens, service credentials, private keys, and sensitive metadata — is encrypted using AES-256-GCM with unique initialization vectors per record.

AES-256-GCM is the gold standard for authenticated encryption, providing both confidentiality and integrity in a single operation. GCM mode means any tampering with encrypted data is instantly detectable — not just prevented. All network connections enforce TLS 1.3 minimum with HSTS.

Algorithm
AES-256-GCM
Authenticated encryption with unique IV per record
Transport
TLS 1.3
Enforced minimum — no downgrade to TLS 1.2
Cryptographic security
🔐
256-bit key strength
Computationally infeasible to brute-force with any known technology
Blockchain network visualization
Polygon Network
Energy-efficient EVM blockchain with institutional adoption track record
Layer 02 — Blockchain Anchoring

Immutable Records on Polygon

Every token issuance, transfer, verification, and deactivation is anchored on the Polygon blockchain. These records are not controlled by Righthium — they exist independently on a decentralized network and cannot be altered, deleted, or obscured by anyone.

Polygon was chosen for institutional deployment for three reasons: it is EVM-compatible (compatible with the Ethereum ecosystem), energy-efficient (proof-of-stake, not proof-of-work), and battle-tested at enterprise scale with billions of dollars of assets secured. On-chain records are verifiable without Righthium's platform — the data persists even if Righthium ceased operations tomorrow.

  • No single point of failure — distributed across thousands of nodes
  • Records persist independently of Righthium's platform
  • Cryptographic finality — chain reorgs cannot modify confirmed records
  • Publicly auditable — any party can independently verify
Layer 03 — Authentication & Access

JWT Authentication with Role Claims

Authentication is enforced via JWT tokens carrying company_id and role claims. Tokens are short-lived and rotated on any privilege change. No shared credentials exist in the system — every action is attributable to a specific user and role.

Role-based access control enforces least-privilege at every layer. A compliance officer cannot issue tokens. An operations staff member cannot access audit exports. Each role has a precisely defined set of permitted operations — and the system rejects anything outside that scope at the API layer, not just the UI layer.

Auth Type
JWT + RBAC
Short-lived tokens with company_id and role claims
Shared Credentials
Zero
Every action attributable to a specific user and role
Authentication and access control
Database security
Layer 04 — Database Security

Parameterized Queries. Zero SQL Injection.

Every database query is parameterized. SQL injection is a class of vulnerability that Righthium eliminates at the architecture level — not through input sanitization, which can fail, but through parameterized queries, which cannot be exploited regardless of input content.

The database layer uses Neon PostgreSQL — a serverless, enterprise-grade PostgreSQL instance with automated backups, connection pooling, and point-in-time recovery. Connection strings are never exposed to application code via environment variable leakage — the sandbox provider enforces strict env isolation for all agent execution.

  • 100% parameterized queries — SQL injection architecturally impossible
  • Neon PostgreSQL with point-in-time recovery
  • Credential isolation — DATABASE_URL never accessible to user-facing code
  • Automated daily backups with 30-day retention
Layer 05 — Audit Trail

Complete History. Nothing Overwritten.

The worst thing a property platform can do for audit purposes is overwrite state. "Last updated" timestamps destroy history. "Current status" columns erase the path that led there. Righthium never overwrites — every state change is recorded as an immutable event.

Every property action — issuance, transfer, verification, renewal, deactivation — is recorded as an event with timestamp, actor, and full context. Events are append-only in the database and mirrored on-chain. Regulators, courts, and auditors get a complete, cryptographically signed history of every property interaction — with zero data gaps.

Event Model
Append-Only
No state overwrites — every transition permanently recorded
Mirror
On-Chain
Database events mirrored on Polygon — double-redundant immutability
Audit trail records
Zero-Trust Verification

Every Token. Every Transaction.
Every Record. Independently Verifiable.

Zero-Trust means you never have to take anyone's word for it. Every property record on Righthium is stamped onto a public blockchain — a permanent, tamper-proof ledger that anyone can check at any time.

Step 01

BLAKE3 Cryptographic Hashing

Every document is processed through BLAKE3 — a modern cryptographic hash function producing a 256-bit output. The hash is deterministic: the same document always produces the same hash. Change one byte, and the hash changes completely and irreversibly.

Hash Properties
  • 256-bit output — computationally infeasible to reverse
  • Collision-resistant — no two documents produce the same hash
  • Incremental — can recompute from any byte position
  • Verified at any time — recompute locally, compare on-chain
Step 02

Polygon Blockchain Anchoring

The document hash is submitted to the Polygon blockchain as an immutable transaction. The hash is stored permanently on-chain, timestamped at block confirmation. The anchor cannot be altered, deleted, or backdated by any party — including Righthium.

Anchor Properties
  • Immutable — no single party can modify or delete the anchor
  • Decentralized — verified across thousands of Polygon nodes
  • Timestamp-bound — block number and timestamp are permanent
  • Survives platform failure — records persist independently of Righthium
Step 03

Independent PolygonScan Verification

Verify the anchor directly on PolygonScan — the public Polygon block explorer. No account, no API key, no Righthium credentials needed. Recompute the document hash locally, compare it to the on-chain anchor, and confirm independently.

Verification Properties
  • Trustless — no trust required in Righthium or any counterparty
  • Public — anyone with internet access can verify
  • Non-interactive — no permission required to verify
  • Reproducible — recompute the BLAKE3 hash locally and compare

What Does Zero-Trust Mean, Plainly?

Traditional systems ask you to trust the platform: "Trust that our records are accurate. Trust that our database hasn't been altered. Trust that we're telling the truth."

Zero-Trust Verification removes the need for trust entirely. Every property record on Righthium is stamped onto a public blockchain — a permanent, tamper-proof ledger that anyone can check at any time. Click the link, see the proof. No middleman, no "just trust us."

Think of it like a notarized document that the entire internet can verify in seconds — without a notary, without Righthium, without any single point of trust.

Compliance Posture

Built for Regulated Environments

Our architecture is designed for institutions that operate under regulatory scrutiny — where security documentation is not optional.

🛡

SOC2-Ready

Infrastructure controls aligned to Trust Services Criteria. Formal SOC2 Type II certification in progress. Documentation package available for Enterprise clients.

🔒

GDPR-Aligned

Data processing designed with privacy by default. Clear data retention policies, right-to-erasure processes (except blockchain records, which are immutable by design and necessity).

📋

Audit-Ready Exports

One-click audit log exports in regulator-compatible formats. Every event includes actor, timestamp, action, and context. Enterprise clients get unlimited export history.

🔍

Responsible Disclosure

We operate a responsible security disclosure program. Security researchers who find vulnerabilities can report them — we investigate and respond within 48 hours. See our security disclosure policy.

Security FAQ

Security Questions

What happens if Righthium is compromised?

On-chain records are independent of Righthium's platform and cannot be affected by a compromise of our infrastructure. Your token records exist on the Polygon blockchain regardless of what happens to our servers. Encrypted credentials cannot be decrypted without the encryption key, which is stored separately from the data.

Can tokens be forged or duplicated?

No. Each token carries a cryptographic signature from the issuing institution. Forging a token requires the issuer's private key — which is AES-256-GCM encrypted and never transmitted in plaintext. Any forgery attempt produces a signature mismatch that is instantly detectable by the verification API.

How are API keys secured?

API keys are hashed before storage — we store the hash, not the key. A compromised database reveals no usable API keys. Keys can be rotated instantly from the dashboard, which immediately revokes all existing sessions using the old key.

Can Righthium modify or delete our records?

Records anchored on the blockchain cannot be modified or deleted by Righthium or anyone else — that is the property of a blockchain. Database records are append-only. We have no mechanism to retroactively alter your institutional records, and we commit to never attempting to do so.

Institutional property

Security First

Security Documentation Available for Enterprise

Need our full security documentation package for your compliance review? Enterprise clients receive our complete security controls documentation, architecture diagrams, and SOC2 readiness assessment.

Register Your Institution Request Security Docs →