Security.
Original Pictures handles provenance metadata for media your platforms create. This page documents our conformance posture, certification progress, and how to reach us for security disclosures.
C2PA conformance
Our signing pipeline and verifier are implemented to the C2PA 2.x specification. Formal test-suite submission is in progress; the entries below reflect implementation status, not a passed conformance certificate.
| Component | Spec version | Status |
|---|---|---|
| C2PA specification | 2.x | Implemented |
| C2PA verifier (web app) | 2.x | Implemented |
| CAWG Identity Assertion | 1.2 | Implemented |
C2PA specification
The signing pipeline (claim generator, manifest builder, and trust-anchor chain) is implemented to the C2PA 2.x specification. Manifests produced by the API are readable by any conformant C2PA verifier including the CAI open-source tooling.
C2PA verifier (web app)
The public verifier at originalpictures.com/try/ parses C2PA manifests, validates the certificate chain against the C2PA Trust List, and surfaces provenance assertions in a structured UI.
CAWG Identity Assertion
The API can embed a CAWG Identity Assertion in every manifest, binding a Verifiable Credential to the signing identity at claim-generation time.
Certifications
SOC 2 Type II
In progressAudit preparation is underway. Report not yet issued. Contact us for a timeline.
ISO 27001
PlannedScoped for a subsequent audit cycle.
Security practices
Key management
Signing keys are stored in HSM-backed infrastructure. The API never handles your content credentials; it operates on hashes and manifests only.
Data minimisation
Asset bytes are processed in memory and not persisted beyond the API request. Manifest digests are retained for audit; raw media is not.
Dependency scanning
Supply-chain audits (npm audit, pip-audit, cargo audit) run on every CI build. SBOM in CycloneDX format is available on request.
Pen testing
Annual third-party penetration tests are conducted against the signing API and web surfaces. Summaries available under NDA for enterprise prospects.
Responsible disclosure
If you discover a security vulnerability in our systems, please email [email protected] with the subject line “Security disclosure”. We aim to acknowledge reports within one business day and to resolve confirmed vulnerabilities within 90 days. We do not operate a public bug-bounty program at this time; enterprise customers may request coordinated disclosure terms in their MSA.
Enterprise customers can request a security questionnaire, pen-test summary, or SBOM under NDA. Book a session and we will send the relevant documentation.
Book a demo →