Effective June 4, 2026

# BitSeal subprocessors

Third-party providers that process data on BitSeal's behalf. The full data-processing relationship is described in the privacy policy. Material changes to this list will be reflected here, with the effective date updated above.

Amazon Web Services, Inc. (KMS)
role: Holds the Authority Ed25519 signing key in an AWS KMS HSM validated under FIPS 140-3 Security Level 3 (NIST CMVP Cert #4884, effective 2025-02-20, covering all AWS commercial and GovCloud regions including us-east-1 where the Authority key resides). On each seal, BitSeal calls the AWS KMS Sign API with the SHA3-512 digest of the canonical manifest (v2) or the 40-byte root+timestamp message (v1) and receives a 64-byte Ed25519 signature. The private key never leaves the HSM. AWS KMS therefore processes a digest derived from manifest fields (filename, mime_type, size_bytes, entropy, hashes, timestamps) but does not receive the plaintext manifest itself.
region: United States (AWS us-east-1).
legal: Standard Contractual Clauses for EEA/UK/CH transfers; AWS Data Processing Addendum.
policy: https://aws.amazon.com/compliance/data-privacy/

Vercel Inc.
role: Application hosting, edge delivery, serverless function execution. The serverless functions process every /api/seal and /api/verify request including the manifest payload before persisting to the ledger or returning a result.
region: United States, global edge network.
legal: Standard Contractual Clauses for EEA/UK/CH transfers.
policy: https://vercel.com/legal/privacy-policy

Vercel Inc. (Web Analytics)
role: Cookieless, aggregated page-view and performance analytics. Session identifier discarded after 24 hours.
region: United States.
legal: Standard Contractual Clauses for EEA/UK/CH transfers.
policy: https://vercel.com/docs/analytics/privacy-policy

Neon, Inc.
role: Managed Postgres for the canonical BitSeal ledger. Stores every seal manifest (filename, size_bytes, mime_type, hashes, signature, timestamps) and the adjacent OpenTimestamps proof bytes. Operates on AWS infrastructure under Neon's own contract with AWS.
region: United States (AWS us-east-2).
legal: Standard Contractual Clauses for EEA/UK/CH transfers.
policy: https://neon.tech/privacy-policy

Upstash, Inc.
role: Managed Redis for three abuse-defense functions on the BitSeal API. (1) Sliding-window rate limiting on /api/seal, /api/verify, and the well-known endpoint, keyed by client IP and (for seal) by X-API-Client value. (2) Proof-of-Work challenge backing store for /api/challenge: stores a random 32-byte challenge plus the issuing client IP and a 5-minute TTL, marked used after a successful seal. (3) Honeypot IP blocklist: any client IP that touches a known-bait endpoint is recorded for 24 hours and subsequently denied on /api/seal. No manifest content is sent to Upstash.
region: United States.
legal: Standard Contractual Clauses for EEA/UK/CH transfers.
policy: https://upstash.com/trust/privacy.pdf

Cloudflare, Inc. (CDN and edge proxy)
role: Network proxy in front of bitseal.orygn.tech. Sees every HTTP request: URL, method, IP address, User-Agent, TLS fingerprint, request headers. Operates the WAF and edge rate-limit rules. Distinct from the Turnstile bot-challenge service below.
region: United States, global edge network.
legal: Standard Contractual Clauses for EEA/UK/CH transfers.
policy: https://www.cloudflare.com/privacypolicy/

Cloudflare, Inc. (Turnstile)
role: Bot-detection challenge on submission and verification endpoints. Processes IP, TLS fingerprint, User-Agent, sitekey, origin.
region: United States, global edge network.
legal: Standard Contractual Clauses for EEA/UK/CH transfers.
policy: https://www.cloudflare.com/turnstile-privacy-policy/

OpenTimestamps calendar operators
role: Public Bitcoin-anchor calendars. BitSeal submits the SHA-256 of each seal's Ed25519 signature (32 bytes, no manifest content) to four independent calendars at seal time, which aggregate digests and commit them to the Bitcoin blockchain. Operators: Alice (Peter Todd), Bob (Peter Todd), Finney (Eternity Wall), Catallaxy.
region: Operator-distributed; calendar URLs are public.
legal: No DPA; data submitted is a one-way SHA-256 digest with no recoverable input.
policy: https://opentimestamps.org

mempool.space and Blockstream Corporation Inc.
role: Bitcoin block-header observers. The daily upgrade cron queries block heights and block times to record on the ledger; the BitSeal SDK queries them from the user's own machine to independently verify the Bitcoin anchor. Server-side calls send block heights only (no user data). Client-side calls originate from the user's own IP and are not on BitSeal's behalf.
region: Distributed.
legal: Public Bitcoin block-explorer services; no DPA.
policy: https://mempool.space

Google LLC (Analytics 4)
role: Privacy-respecting web analytics with EU consent-mode v2. Not currently active on bitseal.orygn.tech. Activation will trigger a fresh subprocessor entry on this page with an updated effective date before the integration goes live.
region: United States.
legal: EU-U.S. Data Privacy Framework (including UK and Swiss extensions).
policy: https://policies.google.com/privacy

Contact: [email protected]
Orygn LLC, a Texas limited liability company.