SecureRing's job is to make impersonation hard. Our architecture's job is to make sure we never hold more than we need.
SecureRing's verification keys are generated on your device using Ed25519, a modern digital-signature scheme. Your private key never leaves your device and is never uploaded to us. We only ever see your public key, which is safe to share and useless for impersonating you.
This means there is no central database of private keys for an attacker to steal. The thing that lets someone verify as you — your private key — lives only on hardware you control.
The safe word shown on a verified call isn't a password you memorize or a secret we store. It's generated on a SHA-256 hash chain that rotates automatically, so each verification uses a fresh value. There's nothing to forget, nothing to leak in a text message, and nothing an attacker can record once and replay.
All data is encrypted in transit and at rest, and retained only as long as needed or required by law. See the privacy policy for the full list.
Many services collect conversations and behavior to train models. SecureRing does the opposite: we collect too little to train on, we never sell data, and we never use your data for advertising. Our product is verification, not surveillance.
A few features depend on third-party infrastructure: video calls (Twilio), push notifications (Apple APNs / Google Firebase), and encrypted database storage (Supabase). Each is used under its own terms for the narrow function it performs — e.g., Twilio carries call streams in transit only and doesn't store content for us. See the privacy policy for the full sub-processor list.
No verification system is foolproof. SecureRing confirms that a caller's paired device held a valid shared key at the moment of verification — it does not confirm intent, truthfulness, or that the device hasn't been compromised. SecureRing is a supplemental aid, not a guarantee and not a substitute for emergency services or your own judgment. Always verify another way if anything feels wrong.