What stays on your device
The original file or text never leaves the browser. SHA-256 hashing is performed locally using the Web Crypto API. Metadata extraction (EXIF, C2PA) also happens entirely client-side. The PDF certificate is generated in the browser.
What is transmitted
Only the 64-character SHA-256 hash (32 bytes) is transmitted through a server-side proxy to the CertiSigma API. No file content, no text content, no file name, and no metadata are sent to any server.
What is not stored
ExistBefore does not create user accounts, does not use cookies for tracking, does not store personal data, and does not log hash values on the proxy. The only data stored on CertiSigma servers is the attestation record: hash, timestamp, signature, and proof layer metadata.
Hash confidentiality
SHA-256 is a one-way function: the original content cannot be reconstructed from the hash. However, for short or predictable content (e.g., a single word, a serial number), the hash may be reversible through brute force. The PDF certificate includes a disclaimer about this limitation.
Sensitive metadata in the PDF
When attesting image files, ExistBefore may extract metadata such as GPS coordinates, device model, and camera settings. Before downloading the PDF, you can disable the inclusion of GPS and device information using the toggle controls. Excluded fields are replaced with "[Removed by user]" in the certificate.
API key security
The CertiSigma API key is stored on the server and injected by the proxy. It is never exposed to the browser, never included in JavaScript bundles, and never transmitted in client-side requests. The key is restricted by IP allowlist and limited to attestation-only scope.
No analytics tracking
ExistBefore does not use third-party analytics services that track individual users. No cookies, no fingerprinting, no advertising identifiers.