Zero-knowledge architecture

Security Architecture

Last updated: 27 May 2026

OneAddress is built on a zero-knowledge foundation. Your addresses are encrypted in your browser before they reach our servers, and partner payloads are encrypted with each partner's own key. Here's how every layer of the system protects your data.

The transmission flow

You enter your address

In your browser, on your device

Encrypted with your PIN

AES-256-GCM, key from PBKDF2

Stored in your encrypted vault

OneAddress stores ciphertext only

You select partners to notify

Choose which services to update

Re-encrypted with partner's key

ECDH + AES-256-GCM per partner

Signed and dispatched

HMAC-SHA256 webhook to partner endpoint

Partner decrypts with private key

Only they can read the address

Security layers

🔐

Client-side encryption

AES-256-GCM

Your vault is encrypted in your browser using a key derived from your PIN (PBKDF2 with 600,000 SHA-256 iterations — OWASP recommended). The plaintext never leaves your device. Not even OneAddress can read your addresses.

🔑

End-to-end key exchange

ECDH P-256

When transmitting to a partner, your address is encrypted with the partner's ECDH public key. A fresh ephemeral key is generated for each transmission. Only the partner's private key can decrypt the payload.

🛡️

Key derivation

HKDF-SHA256

The shared ECDH secret is processed through HKDF-SHA256 with a partner-specific info string to derive a unique AES-256 key per transmission. No two transmissions use the same encryption key.

✍️

Webhook authentication

HMAC-SHA256

Every webhook payload is signed with the partner's unique webhook secret using HMAC-SHA256. Partners verify the signature before processing. Replay protection via timestamp validation (5-minute window).

🔒

Transport security

TLS 1.3

All connections between your browser, OneAddress servers, and partner endpoints use TLS 1.3. HTTP Strict Transport Security (HSTS) is enforced.

🏛️

Australian data residency

Vault & DB — AU

Encrypted vault data, identity verification records, and transmission logs are stored in AWS Sydney (ap-southeast-2) via Neon (database) and Vercel (application, Sydney region). DNS managed by Cloudflare. Authentication is handled entirely by OneAddress using first-party infrastructure hosted in Australia. Payment data is processed by Stripe (United States), and transactional email by Resend (United States / EU) — see the Privacy Policy for full detail on each provider.

What we cannot do

Because of our zero-knowledge architecture, OneAddress cannot:

Read your addresses, even if compelled by court order — we don't have the decryption keys. Reset your vault PIN — only you know it. Access your vault data on our servers — it's encrypted ciphertext. Read the plaintext address payload after it is encrypted for a partner — it is encrypted with the partner's public key before leaving your browser. Modify address data during transmission — HMAC signatures detect tampering.

⚠ Lost your PIN? Because of our zero-knowledge design, we genuinely cannot recover your encrypted vault data. If you lose your PIN, you can reset your vault from Settings — this permanently deletes your encrypted data and lets you start fresh with a new PIN. Your account (email, payment history) is preserved. We strongly recommend storing your PIN in a secure password manager.

Identity verification

A government-document verification with a liveness selfie is mandatory before every address dispatch, on both the account and guest flows. It is performed by Global Data Pty Ltd, an Australian-accredited identity service provider based in Melbourne, and includes a Document Verification Service (DVS) cross-check with the issuing authority. One successful verification authorises exactly one address transmission; the next update requires a fresh check. On the account flow your vault PIN is also re-entered immediately before dispatch, so an attacker who somehow obtained your session would still be blocked by both your PIN and a fresh ID check. Full data-handling detail is in our Privacy Policy section 6.

Compliance

OneAddress is designed to comply with: the Privacy Act 1988 (Cth) and Australian Privacy Principles (APPs); the Notifiable Data Breaches (NDB) scheme; and general data protection best practices. Some of our partner organisations are subject to APRA prudential standards and financial-sector security requirements in their own right — our webhook security model (HMAC-SHA256 signing, ±5-minute replay window, ECDH per-partner key isolation) is designed to meet the security expectations those partners face. Our zero-knowledge architecture means a breach of our database would not expose any plaintext customer addresses.

Responsible disclosure

We welcome reports from security researchers acting in good faith. If you believe you have found a vulnerability in OneAddress, email security@oneaddress.io with a clear description and reproduction steps. We aim to acknowledge reports within 2 business days.

In scope: the customer application (oneaddress.io), the partner portal (partners.oneaddress.io), our published partner SDK, and our public API endpoints.

Out of scope: denial-of-service attacks, social engineering of OneAddress staff, physical attacks, and third-party services we depend on (Stripe, Neon, Resend, Cloudflare, Global Data, Vercel) — please report issues with those to the providers directly.

Safe harbour: we will not pursue legal action against researchers who act in good faith, do not access customer data beyond what is needed to demonstrate the vulnerability, and give us a reasonable opportunity to remediate before public disclosure.

Bug bounty: we do not currently run a paid bug bounty programme. We will publicly acknowledge researchers who report valid vulnerabilities (with their consent) once the issue has been remediated.

Questions about our security architecture?

security@oneaddress.io