Skip to content
Trust

Trust & Security

How we protect your payments, your account, your data, and the integrity of every certificate we issue — written plainly, and limited to what we actually do.

Last updated · June 12, 2026

01Payments are handled by Stripe

All card payments — certification enrollments, exam retakes, and the Vault — are processed by Stripe, a PCI-DSS Level 1 certified payment provider.

  • We never see, handle, or store your full card number; it goes directly to Stripe.
  • Checkout runs on Stripe's secured infrastructure.
  • We retain only a reference to the transaction, never raw payment credentials.

02Accounts and passwords

Your account is protected with modern, well-understood security:

  • Passwords are hashed with scrypt and a per-user salt — we never store them in plain text and cannot recover them.
  • Sessions use a signed, HttpOnly, Secure cookie with a server-enforced expiry; your raw password is never placed in the cookie.
  • Database access is default-deny (row-level security), so account records are unreachable by anonymous requests.
  • Sign-in and sign-up are rate-limited to resist automated attacks.

03Exam integrity

Certifications are graded so they can't be gamed by viewing the page source.

  • Exam answer keys never reach the browser — questions and options are sent to you, but the correct answers and explanations stay on the server and are returned only after you submit and pass.
  • Grading is performed server-side and recorded against your enrollment.
  • Module checkpoints are sequential and attempt-limited, and the final exam unlocks only after every checkpoint is passed.

04Verifiable, tamper-evident certificates

Every certificate we issue can be independently verified.

  • Each carries a unique, unguessable serial.
  • Its immutable fields are signed with an HMAC-SHA256 signature, so any later edit to the record is detected and the certificate reads as "not authentic."
  • Anyone can confirm a credential at digitalnetworks.ai/verify with no account, and revoked credentials are clearly flagged.

05Data and infrastructure

We build on established, attested infrastructure rather than rolling our own:

  • Hosting and delivery: Vercel.
  • Database and storage: Supabase (managed PostgreSQL) with row-level security.
  • Transactional email: Resend, sent from our verified domain.
  • Analytics are first-party and consent-gated — no third-party advertising trackers, and nothing is logged until you accept.

06Our compliance posture, stated honestly

We are not currently SOC 2 or ISO 27001 certified, and we don't claim to be. We inherit the security attestations of our infrastructure providers (Vercel, Supabase, Stripe, Resend) and design security into the product from the start. As the business matures we will pursue formal attestations and update this page.

For how we handle personal data and your rights, see our Privacy Policy, Cookie Policy, and Compliance pages.

Questions about this page? Email contact@digitalnetworks.ai.