Input — express-mongo-sanitize + xss-clean + hpp. Certificate IDs, hashes, and tokens are format-validated before any DB touch.
Rate limiting — 100 requests / 15 min / IP globally, with tighter limits on authentication and OTP endpoints.
Secrets at rest — PII (IP, device fingerprint, geolocation) encrypted with AES-256-GCM using keys derived from a rotated master secret.
Signing — PAdES B-LTA (ETSI EN 319 142) dual-leaf, eMudhra Class 2 Document Signer (CCA India), RFC 3161 timestamping across 11 independent authorities (3 eIDAS Qualified).
Integrity — MongoDB audit_logs is append-only with a SHA-256 hash chain; daily Merkle roots anchored to Bitcoin via OpenTimestamps.
Backups — MongoDB Atlas continuous snapshots; Arweave permanent archive for certificates (200+ year retention).
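The "Secrets at rest" item above, sketched as an added example (not SwaLay's code): per-field AES-256-GCM keys derived from a versioned master secret, with the key version stored alongside the ciphertext so values can be re-wrapped after rotation. HKDF-SHA-256, the dot-separated envelope, the field names and the constructed master secrets are all assumptions.

```javascript
// Added example, not SwaLay's code: HKDF, the envelope layout and all names are assumptions.
const crypto = require('node:crypto');

// Constructed master secrets by version; real ones would come from a secret store.
const MASTERS = new Map([['v1', Buffer.alloc(32, 1)], ['v2', Buffer.alloc(32, 2)]]);
const CURRENT = 'v2';
const b64 = (buf) => buf.toString('base64');

// One subkey per PII field, so the key for IPs cannot decrypt geolocation.
function fieldKey(version, field) {
  const master = MASTERS.get(version);
  if (!master) throw new Error(`unknown key version: ${version}`);
  return Buffer.from(crypto.hkdfSync('sha256', master, Buffer.alloc(0), `pii:${field}`, 32));
}

function encryptField(field, plaintext, version = CURRENT) {
  const iv = crypto.randomBytes(12); // fresh 96-bit nonce per value
  const c = crypto.createCipheriv('aes-256-gcm', fieldKey(version, field), iv);
  c.setAAD(Buffer.from(`${version}:${field}`)); // bind ciphertext to version and field
  const ct = Buffer.concat([c.update(plaintext, 'utf8'), c.final()]);
  return [version, b64(iv), b64(ct), b64(c.getAuthTag())].join('.');
}

function decryptField(field, envelope) {
  const [version, iv, ct, tag] = envelope.split('.');
  const d = crypto.createDecipheriv('aes-256-gcm', fieldKey(version, field),
    Buffer.from(iv, 'base64'), { authTagLength: 16 }); // reject truncated tags
  d.setAAD(Buffer.from(`${version}:${field}`));
  d.setAuthTag(Buffer.from(tag, 'base64'));
  // final() throws if the ciphertext, tag, field or version was altered
  return Buffer.concat([d.update(Buffer.from(ct, 'base64')), d.final()]).toString('utf8');
}

// After rotation, re-wrap values still stored under an older master.
function rotate(field, envelope) {
  if (envelope.startsWith(`${CURRENT}.`)) return envelope;
  return encryptField(field, decryptField(field, envelope));
}
```

Old master versions have to stay readable until every stored value has been passed through rotate(); only then can the retired secret be destroyed.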
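The "Integrity" item above, as an added example (not SwaLay's code): a SHA-256 hash-chained log, a verifier that reports the first broken link, and a daily Merkle root of the kind that would be anchored externally. The record layout, genesis value, Merkle prefixes and sample events are assumptions constructed for illustration.

```javascript
// Added example, not SwaLay's code; record layout and field names are assumptions.
const { createHash } = require('node:crypto');

const sha256 = (s) => createHash('sha256').update(s).digest('hex');
const GENESIS = '0'.repeat(64); // assumed prevHash for the first entry

// Each hash covers the previous hash, so editing one entry breaks every later link.
const entryHash = (prevHash, seq, ts, event) =>
  sha256(JSON.stringify([prevHash, seq, ts, event]));

function append(log, ts, event) {
  const prevHash = log.length ? log[log.length - 1].hash : GENESIS;
  const seq = log.length;
  log.push({ seq, ts, event, prevHash, hash: entryHash(prevHash, seq, ts, event) });
  return log;
}

// Index of the first entry that fails verification, or -1 if the chain is intact.
function verifyChain(log) {
  let prev = GENESIS;
  for (let i = 0; i < log.length; i++) {
    const e = log[i];
    const ok = e.seq === i && e.prevHash === prev &&
      e.hash === entryHash(prev, e.seq, e.ts, e.event);
    if (!ok) return i;
    prev = e.hash;
  }
  return -1;
}

// Merkle root over a day's entry hashes; leaf/node prefixes keep the two domains apart.
function merkleRoot(hashes) {
  if (hashes.length === 0) return sha256('');
  let level = hashes.map((h) => sha256('00' + h));
  while (level.length > 1) {
    const next = [];
    for (let i = 0; i < level.length; i += 2) { // an unpaired last node is promoted
      next.push(i + 1 < level.length ? sha256('01' + level[i] + level[i + 1]) : level[i]);
    }
    level = next;
  }
  return level[0];
}

// Constructed sample day; `anchored` stands in for the root published externally.
const day = [];
['cert.issue LDNA-TEST-1', 'cert.view LDNA-TEST-1', 'otp.verify user-7']
  .forEach((ev, i) => append(day, 1700000000 + i, ev));
const anchored = merkleRoot(day.map((e) => e.hash));
```

verifyChain() catches an in-place edit, but a log that was cut short or recomputed from scratch still chains correctly; comparing merkleRoot() of the stored entries against the externally anchored root is the check that exposes those cases.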
Reporting a vulnerability
Email security@talantoncore.in with reproduction steps. We acknowledge within 48 hours and aim to patch within 14 days for high-severity issues. See /.well-known/security.txt for the machine-readable version.
Out of scope
Social engineering of SwaLay staff.
Physical attacks on our infrastructure partners (AWS, MongoDB Atlas).
Denial-of-service attacks (please do not attempt).
Jurisdictional recognition of issued certificates
Every Lyrics D.N.A™ certificate carries legal weight under the following frameworks; no additional registration is required for the certificate itself (government Copyright Office registration remains a separate process, which we do not replace):
🇮🇳 India — Information Technology Act, 2000 §3A (Secure Electronic Signature) + §85B (presumption of validity); Bharatiya Sakshya Adhiniyam, 2023 §63(4)(c) (statutory electronic-evidence certificate is shipped alongside every cert); Copyright Act, 1957 §§51/55/63. Signing certificate is CCA India licensed (eMudhra Class 2 Document Signer).
🇪🇺 European Union — eIDAS Regulation (EU 910/2014) §26: our signatures are Advanced Electronic Signatures (AES). Three of our eleven RFC 3161 TSAs are eIDAS Qualified (APED Greece, Belgium eID, Portugal SCEE), so each cert carries Qualified Electronic Timestamps (QTS) under Art. 42. For strict QES-tier signatures (Art. 25(2)) a parallel EU-listed QTSP subscription is available on request.
🇺🇸 United States — Electronic Signatures in Global and National Commerce Act (E-SIGN Act 2000, 15 U.S.C. §7001 et seq.) + Uniform Electronic Transactions Act (UETA, adopted by 48 states). Our electronic signatures are legally equivalent to handwritten signatures. Digital Millennium Copyright Act §512 take-down notices are accepted when issued via our Legal Notice template.
🇬🇧 United Kingdom — Electronic Communications Act 2000 §7; broad acceptance of electronic signatures in UK civil and commercial proceedings.
🌍 Berne Convention for the Protection of Literary and Artistic Works (1886) — automatic copyright protection in all 181 signatory countries. India has been a signatory since 1928. The certificate is admissible as evidence of first use and authorship claim.
How to verify a Lyrics D.N.A™ certificate PDF
Every issued certificate carries four cryptographic signatures: two CAdES-detached content signatures (Tier 1a eMudhra Class 2 DS + Tier 1b SwaLay Platform Authority) and two RFC 3161 document-timestamp signatures from DigiCert. If you open one in Adobe Reader and the signature panel shows yellow warning triangles, here’s what they mean:
Tier 1a (eMudhra “DS TALANTONCORE LLP 1”) — yellow ‼ expected briefly on first open: Adobe is fetching revocation info over the network. After the OCSP fetch finishes (usually within seconds on a live network), the icon turns green. If it doesn’t, right-click the signature → Signature Properties → Show Signer’s Certificate → Trust tab → Add to Trusted Certificates. eMudhra is already on Adobe’s AATL, so full trust is one click away. This signature is the legally authoritative one under IT Act 2000 §3A.
Tier 1b (SwaLay Digital Platform Authority) — yellow ‼ by design: This signature is issued by our internal Platform Authority CA, not a publicly-trusted root. It’s a platform-level attestation from SwaLay Digital, not a replacement for Tier 1a’s legal signature. Enterprise verifiers who want this signature to also show green can download our root CA below and import it into Adobe’s Trusted Identities (one-time, per machine).
DigiCert timestamp signatures — always green: DigiCert is in Adobe’s AATL by default. No setup needed.
Download our Platform Root CA: verify.talantoncore.in/.well-known/platform-root-ca.crt
Import in Adobe: Edit → Preferences → Signatures → Identities & Trusted Certificates → Trusted Certificates → Import → check “Use this certificate as a trusted root” + “Certified documents.” One-time per machine.
Important: the yellow warnings have no legal significance. They’re Adobe’s way of saying “this signer isn’t in my pre-loaded trust list” — they’re not saying the signature is invalid. The cryptographic signatures are mathematically valid regardless of your trust-store state, and any standards-compliant validator (pyhanko, EU DSS Demo Tool, veraPDF, Foxit) will confirm this offline using the long-term validation data (DSS) embedded in the PDF.
Apostille (Hague Convention 1961)
For use in foreign civil or criminal proceedings, the Lyrics D.N.A™ certificate and its accompanying Section 63(4)(c) companion document can be apostilled by the Ministry of External Affairs (MEA), Government of India, which is the designated competent authority under the Hague Convention of 5 October 1961 Abolishing the Requirement of Legalisation for Foreign Public Documents.
Apostille request process:
Contact ip@talantoncore.in with the certificate ID and the foreign jurisdiction where you intend to use it.
We provide a notarized printout of the electronic certificate + its Section 63(4)(c) declaration.
You submit these to the MEA's Apostille section (via the e-Sanad portal or in person at CPV Division, New Delhi) for apostille stamping. Current MEA apostille fees are nominal (~INR 50–100 per document).
Once apostilled, the certificate is recognized as a foreign public document in all 125+ Hague Convention signatory countries (including US, UK, EU member states, Australia, Japan, etc.) without further consular authentication.
We do not pre-generate apostilles because they must be issued within six months of use, must be issued per-case, and the MEA requires the physical document. This is standard practice for all Indian electronic evidence.
This page contains cryptographically signed certificate data. Copy / right-click / viewing source is disabled by design.
To verify this certificate programmatically use the public API: POST https://verify.talantoncore.in/api/verify-pdf-hash
⚠ Dynamic watermark active. This page logs every view with IP, device fingerprint, and timestamp. Any screenshot or recording carries a visible identification watermark. Unauthorised reproduction is punishable under IT Act 2000 §§ 43 & 66, and Copyright Act 1957 § 63. Part of the legal record.