Security

Learn how VoteChain protects your data with end-to-end encryption, tamper-proof audit trails, and strict access controls to ensure every vote is secure and verifiable.

How we protect your data

  • HTTPS (TLS) for all connections to VoteChain
  • Optional two-factor authentication for your account
  • Mobile apps: optional device biometrics (e.g. Face ID, fingerprint) where supported
  • We follow POPIA and GDPR for personal data we process
  • Tamper-evident vote reports you can verify independently (see below)
  • Secure data centers

Report Authenticity & Verification

VoteChain reports are protected by multiple layers of cryptographic security to guarantee authenticity and prevent forgery. Every report can be independently verified by anyone, at any time.

Cryptographic Verification Code

Every report contains a unique verification code (Tc) computed from a SHA-256 hash of all vote data and voting window timestamps. Any modification to the underlying data produces a completely different code, making tampering immediately detectable.

Server-Signed Document Signature

Each report is cryptographically signed using a keyed-hash message authentication code (HMAC-SHA256) with a private signing key held exclusively on VoteChain servers. This signature proves the report was generated by VoteChain and has not been forged or altered.
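The two layers described above, as an added example that is not VoteChain's own code: the canonical JSON encoding, field names, key and sample votes are constructed assumptions. It shows that the unkeyed SHA-256 code detects changed data, while the HMAC is what rejects a report whose code was recomputed over altered data.

```python
import hashlib
import hmac
import json

# Constructed sample data; field names and the JSON canonical form are assumptions.
SERVER_KEY = b"constructed-demo-key-not-a-real-secret"
VOTES = [
    {"ballot_id": "b-001", "choice": "yes"},
    {"ballot_id": "b-002", "choice": "no"},
    {"ballot_id": "b-003", "choice": "yes"},
]
WINDOW = {"opens_at": "2024-05-01T08:00:00Z", "closes_at": "2024-05-01T18:00:00Z"}


def canonical(obj) -> bytes:
    """Deterministic encoding so the same data always hashes to the same bytes."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode("utf-8")


def verification_code(votes, window) -> str:
    """Unkeyed SHA-256 over the votes (in a fixed order) and the voting window."""
    ordered = sorted(votes, key=lambda v: v["ballot_id"])
    return hashlib.sha256(canonical({"votes": ordered, "window": window})).hexdigest()


def sign_report(key: bytes, topic_id: str, generated_at: str, code: str) -> str:
    """HMAC-SHA256 over the fields of the integrity block; requires the server key."""
    msg = canonical({"topic_id": topic_id, "generated_at": generated_at, "code": code})
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def build_report(key, topic_id, generated_at, votes, window) -> dict:
    code = verification_code(votes, window)
    return {"topic_id": topic_id, "generated_at": generated_at, "code": code,
            "signature": sign_report(key, topic_id, generated_at, code)}


def verify_report(key, report, votes, window) -> bool:
    """Server-side check: data must match the code, and the code must carry a valid MAC."""
    code_ok = hmac.compare_digest(report["code"], verification_code(votes, window))
    expected = sign_report(key, report["topic_id"], report["generated_at"], report["code"])
    sig_ok = hmac.compare_digest(report["signature"], expected)
    return code_ok and sig_ok


def tampered_votes():
    return [dict(v, choice="no") if v["ballot_id"] == "b-001" else dict(v) for v in VOTES]
```

Because HMAC is symmetric, `verify_report` needs the server's key, so a third party cannot check the signature offline and has to rely on the online verification page for that step.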

QR Code & Online Verification

Reports include a QR code linking to a tamper-proof signed URL. Anyone can scan the code or visit the link to independently verify the report against VoteChain's live records. The verification page confirms both data integrity and document authenticity.

Visual Watermark & Integrity Block

Every page of a VoteChain report carries a visible watermark and a dedicated Document Integrity section containing the topic ID, generation timestamp, verification code, and full document signature for audit purposes.

How to verify a VoteChain report

  1. Open the report PDF and locate the QR code at the bottom.
  2. Scan the QR code with your phone or click the verification link.
  3. The verification page will confirm whether the report data and signature are authentic.

Vulnerability Disclosure Policy

VoteChain is committed to the security of our users and their data. We welcome responsible security research and will work with you to resolve any issues you find.

Scope

This policy applies to all VoteChain web applications, APIs, and mobile apps operated under the votechain.app domain. Third-party services, integrations, and partner platforms are out of scope.

How to Report

Send vulnerability details to the email address listed below. Include a description of the issue, steps to reproduce, affected URLs or endpoints, and any supporting evidence such as screenshots or proof-of-concept code. Do not disclose the vulnerability publicly before we have resolved it.

What to Expect

We will acknowledge your report within 3 business days. Our security team will triage and assess the severity within 10 business days. We will keep you informed of our progress and notify you when the issue is resolved.

Safe Harbor

We will not pursue legal action against individuals who discover and report security vulnerabilities in good faith, in compliance with this policy. Good-faith research means you avoid privacy violations, data destruction, and service disruption during your testing.

Coordinated Disclosure

We ask that you give us reasonable time to investigate and address the vulnerability before any public disclosure. We are committed to resolving confirmed vulnerabilities promptly and will coordinate with you on an appropriate disclosure timeline.

Out of Scope

  • Social engineering or phishing attacks against VoteChain staff or users
  • Denial-of-service (DoS/DDoS) attacks
  • Physical security testing
  • Vulnerabilities in third-party services or dependencies not controlled by VoteChain
  • Issues that require unlikely user interaction (e.g. self-XSS)

Report a Security Issue

If you discover a security vulnerability, please email us at [email protected]. We take all reports seriously and will work with you to investigate and resolve the issue.