Security & Compliance
Last updated: January 19, 2026
At Atelier Socle, security is not a feature; it is a foundation. Our SDKs are designed for the most demanding applications: banking, healthcare, retail, government.
Our Commitment
Zero External Dependencies
All our security SDKs (CryptoSecurityKit, RetailKit) use exclusively native Apple frameworks:
CryptoKit
Security.framework
LocalAuthentication
Why it matters:
No supply chain attack possible
Simplified audits (less code to review)
Apple-validated crypto implementations
Guaranteed compatibility with iOS updates
Auditable Code
| Metric | Value |
|---|---|
| Unit & integration tests | 670+ |
| DocC documentation guides | 100+ |
| Audit event types | 27 |
| External dependencies | 0 |
Modern Architecture
Actor-based: thread safety guaranteed by the Swift compiler
Sendable: safe transfer between execution contexts
Swift 6 ready: prepared for language evolution
Implemented Standards
Cryptography
| Standard | Description | Our SDKs |
|---|---|---|
| NIST FIPS 197 | AES (Advanced Encryption Standard) | ✅ AES-256-GCM |
| NIST FIPS 180-4 | SHA-2 (Secure Hash Algorithm) | ✅ SHA-256, SHA-512 |
| NIST FIPS 186-4 | ECDSA (Elliptic Curve Digital Signature) | ✅ P-256 |
| RFC 2104 | HMAC (Hash-based MAC) | ✅ Constant-time |
| RFC 5869 | HKDF (Key Derivation Function) | ✅ Complete |
| RFC 2898 | PBKDF2 (Password-Based KDF) | ✅ 310K iterations |
| RFC 8032 | Ed25519 (Edwards-curve DSA) | ✅ Complete |
| RFC 7748 | X25519 (Curve25519 ECDH) | ✅ Complete |
Certificates & TLS
| Standard | Description | Our SDKs |
|---|---|---|
| RFC 5280 | X.509 PKI (Certificate validation) | ✅ ~85% |
| RFC 6125 | Hostname verification | ✅ ~95% |
| RFC 7469 | HTTP Public Key Pinning | ✅ 3 modes |
| RFC 6960 | OCSP (Revocation checking) | ✅ Via system |
| RFC 6962 | Certificate Transparency | In progress |
| NIST SP 800-52 | TLS configuration | ✅ TLS 1.2+ |
| NIST SP 800-57 | Key management | ✅ Compliant sizes |
Post-Quantum (iOS 26+)
| Standard | Description | Our SDKs |
|---|---|---|
| NIST FIPS 203 | ML-KEM (Key Encapsulation) | Roadmap Q3 2026 |
| NIST FIPS 204 | ML-DSA (Digital Signatures) | Roadmap Q3 2026 |
Regulatory Compliance
Enterprise Certifications ✅
| Certification | Status | Notes |
|---|---|---|
| ISO 27001 | Architecture compliant | Audit-ready |
| SOC 2 Type II | Architecture compliant | Built-in audit trail |
| PCI-DSS | Crypto compliant | AES-256, key management |
| GDPR | Privacy by design | On-device data |
| eIDAS | Compatible | Qualified signatures possible |
Certification Roadmap
| Certification | Level | Timeline |
|---|---|---|
| CSPN (ANSSI) | French first-level | 2027 |
| Common Criteria EAL4+ | International | Long-term vision |
We are actively seeking partners and sponsors to accelerate the certification process. Contact us if you're interested.
Development Practices
Secure Development Lifecycle
Design: threat modeling before each feature
Code: mandatory code review, static analysis
Test: unit tests, integration, fuzzing
Release: package signing, verifiable checksums
Monitor: CVE monitoring, proactive updates
Vulnerability Management
If you discover a vulnerability in one of our SDKs:
Do not disclose publicly before fix
Contact us via our contact form
Include: description, reproduction steps, potential impact
Timeline: We commit to responding within 48 hours
We practice responsible disclosure and credit researchers who help us improve our SDKs.
Transparency
Open Source
Our SDKs are open source (Apache 2.0 or MIT depending on the project). The code is public and auditable by everyone.
GitHub: github.com/atelier-socle
Public Documentation
All our technical documentation is public:
Algorithms used
SDK architecture
Known threat models
Documented limitations
Security Changelog
Each release includes a detailed changelog with security fixes clearly identified.
Security FAQ
Are your SDKs audited?
Our SDKs are designed according to best practices and exclusively use Apple's crypto implementations (already audited). We are preparing an independent external audit for 2026-2027.
Why no certification today?
CSPN or Common Criteria certifications cost between €30,000 and €300,000. We are first building a solid foundation and seeking partners to fund these certifications. Become a sponsor.
Can I use your SDKs for a banking/healthcare application?
Yes, our SDKs are designed for these use cases. The architecture complies with ISO 27001 and PCI-DSS requirements. However, your application's overall compliance also depends on your own implementation and infrastructure.
How do I report a vulnerability?
Via our contact form. We respond within 48 hours and practice responsible disclosure.
Contact
For any questions regarding security or compliance:
Security contact: Contact form
General contact: Contact form
Certification partnerships: Contact us