Zero-knowledge architecture

Security Architecture

Last updated: 12 April 2026

OneAddress is built on a zero-knowledge foundation. We never see your addresses in plaintext. Here's how every layer of the system protects your data.

The transmission flow

You enter your address

In your browser, on your device

Encrypted with your PIN

AES-256-GCM, key from PBKDF2

Stored in your encrypted vault

OneAddress stores ciphertext only

You select partners to notify

Choose which services to update

Re-encrypted with partner's key

ECDH + AES-256-GCM per partner

Signed and dispatched

HMAC-SHA256 webhook to partner endpoint

Partner decrypts with private key

Only they can read the address

Security layers

🔐

Client-side encryption

AES-256-GCM

Your vault is encrypted in your browser using a key derived from your PIN (PBKDF2 with 600,000 SHA-256 iterations — OWASP recommended). The plaintext never leaves your device. Not even OneAddress can read your addresses.

🔑

End-to-end key exchange

ECDH P-256

When transmitting to a partner, your address is encrypted with the partner's ECDH public key. A fresh ephemeral key is generated for each transmission. Only the partner's private key can decrypt the payload.

🛡️

Key derivation

HKDF-SHA256

The shared ECDH secret is processed through HKDF-SHA256 with a partner-specific info string to derive a unique AES-256 key per transmission. No two transmissions use the same encryption key.

✍️

Webhook authentication

HMAC-SHA256

Every webhook payload is signed with the partner's unique webhook secret using HMAC-SHA256. Partners verify the signature before processing. Replay protection via timestamp validation (5-minute window).

🔒

Transport security

TLS 1.3

All connections between your browser, OneAddress servers, and partner endpoints use TLS 1.3. HTTP Strict Transport Security (HSTS) is enforced.

🏛️

Data sovereignty

Australia only

All data is stored in AWS Sydney (ap-southeast-2). Database hosted on Neon (AWS Sydney). Application hosted on Vercel (Sydney region). DNS managed by Cloudflare with Australian presence. No data leaves Australian jurisdiction.

What we cannot do

Because of our zero-knowledge architecture, OneAddress cannot:

Read your addresses, even if compelled by court order — we don't have the decryption keys. Reset your vault PIN — only you know it. Access your vault data on our servers — it's encrypted ciphertext. Read address payloads in transit to partners — they're encrypted with the partner's public key. Modify address data during transmission — HMAC signatures prevent tampering.

⚠ Lost your PIN? Because of our zero-knowledge design, we genuinely cannot recover your encrypted vault data. If you lose your PIN, you can reset your vault from Settings — this permanently deletes your encrypted data and lets you start fresh with a new PIN. Your account (email, payment history) is preserved. We strongly recommend storing your PIN in a secure password manager.

Identity verification

Your vault PIN is required before every address update dispatch. This prevents unauthorised changes even if your account is accessed by someone else. We are integrating government document verification and liveness detection as an additional layer before dispatch — this will be mandatory before public launch.

Compliance

OneAddress is designed to comply with: the Australian Privacy Act 1988 (Cth) and Australian Privacy Principles (APPs); the Notifiable Data Breaches (NDB) scheme; APRA prudential standards for partners in regulated industries; and general data protection best practices. Our zero-knowledge architecture means a data breach of our servers would not expose any plaintext customer addresses.

Responsible disclosure

We welcome reports from security researchers acting in good faith. If you believe you have found a vulnerability in OneAddress, email security@oneaddress.io with a clear description and reproduction steps. We aim to acknowledge reports within 2 business days.

In scope: the customer application (oneaddress.io), the partner portal (partners.oneaddress.io), our published partner SDK, and our public API endpoints.

Out of scope: denial-of-service attacks, social engineering of OneAddress staff, physical attacks, and third-party services we depend on (Clerk, Stripe, Neon, Resend, Cloudflare, Global Data, Vercel) — please report issues with those to the providers directly.

Safe harbour: we will not pursue legal action against researchers who act in good faith, do not access customer data beyond what is needed to demonstrate the vulnerability, and give us a reasonable opportunity to remediate before public disclosure.

Bug bounty: we do not currently run a paid bug bounty programme. We will publicly acknowledge researchers who report valid vulnerabilities (with their consent) once the issue has been remediated.

Questions about our security architecture?

security@oneaddress.io