The proof centre

Don't trust us. Check us.

Open source, independent audits, reproducible builds, and a plain statement of what we can and cannot see.

Independent audits

Independently audited, by an auditor we cannot name.

GuardTalk has undergone an independent third-party security audit. The auditor is not publicly named, at their request, for their safety. The scope and a summary of findings are available to serious evaluators on request.

What we can share

A serious evaluator can request the audit scope and summary directly. We hold back the auditor's identity to protect them, not to obscure the work.

An audit covers its stated scope at its stated date — not the whole system, and not forever.

Reproducible builds

Rebuild it, byte for byte.

The published artefacts are built reproducibly, so you can compile from source and confirm the binary you run matches the source you read — no trust in our build server required.

What this proves

If your build matches ours, no hidden change was inserted between the source and the binary you trust.

The detection rule set

The rules are public, too.

The Suricata and IOC rules the gateway runs against documented spyware families are published — so a researcher can read exactly what is detected, and what is not.

What we can and cannot see

The honest data table.

The architecture decides this, not our goodwill. We hold no keys, so most of what a vendor could see, we cannot.

| Item | Can we see it? | Why |
| --- | --- | --- |
| Your message contents | No | End-to-end encrypted; no vendor-readable server holds them. |
| Your device unlock | No | The biometric key is yours; we cannot unlock a device. |
| Your encryption keys | No | We hold none of them — there is nothing for us to surrender. |
| Fulfilment data | Minimal | Only what a shipment needs, handled minimally. |
| Payment | Monero | Private by default; no identity tied to a transaction. |

The plain statement

We hold no keys. We cannot read your messages and cannot unlock your device, and there is no backdoor, as shown in the source repository (published at launch).

Responsible disclosure

Where to report a flaw.

A real product has real bugs. We publish a disclosure address and policy at /.well-known/security.txt so a researcher can reach us safely.

Proof over promise.

Verify the builds and signatures yourself, then request access privately.