Original Pictures

Security.

Original Pictures handles provenance metadata for media your platforms create. This page documents our conformance posture, certification progress, and how to reach us for security disclosures.

C2PA conformance

Our signing pipeline and verifier are implemented to the C2PA 2.x specification. Formal test-suite submission is in progress; the entries below reflect implementation status, not a passed conformance certificate.

ComponentSpec versionStatus
C2PA specification2.xImplemented
C2PA verifier (web app)2.xImplemented
CAWG Identity Assertion1.2Implemented

C2PA specification

The signing pipeline (claim generator, manifest builder, and trust-anchor chain) is implemented to the C2PA 2.x specification. Manifests produced by the API are readable by any conformant C2PA verifier including the CAI open-source tooling.

C2PA verifier (web app)

The public verifier at originalpictures.com/try/ parses C2PA manifests, validates the certificate chain against the C2PA Trust List, and surfaces provenance assertions in a structured UI.

CAWG Identity Assertion

The API can embed a CAWG Identity Assertion in every manifest, binding a Verifiable Credential to the signing identity at claim-generation time.

Certifications

SOC 2 Type II

In progress

Audit preparation is underway. Report not yet issued. Contact us for a timeline.

ISO 27001

Planned

Scoped for a subsequent audit cycle.

Security practices

Key management

Signing keys are stored in HSM-backed infrastructure. The API never handles your content credentials; it operates on hashes and manifests only.

Data minimisation

Asset bytes are processed in memory and not persisted beyond the API request. Manifest digests are retained for audit; raw media is not.

Dependency scanning

Supply-chain audits (npm audit, pip-audit, cargo audit) run on every CI build. SBOM in CycloneDX format is available on request.

Pen testing

Annual third-party penetration tests are conducted against the signing API and web surfaces. Summaries available under NDA for enterprise prospects.

Responsible disclosure

If you discover a security vulnerability in our systems, please email [email protected] with the subject line “Security disclosure”. We aim to acknowledge reports within one business day and to resolve confirmed vulnerabilities within 90 days. We do not operate a public bug-bounty program at this time; enterprise customers may request coordinated disclosure terms in their MSA.

Please do not disclose vulnerabilities publicly before we have had a reasonable opportunity to investigate and remediate.

Enterprise customers can request a security questionnaire, pen-test summary, or SBOM under NDA. Book a session and we will send the relevant documentation.

Book a demo →