CoC Vault Data Security: How Is Your CoC Data Protected?

SHA-256 Hashing

Tamper-Evident Document Records

Every CoC PDF registered on CoC Vault is hashed using SHA-256 before it is stored. The hash is recorded on an immutable ledger — once recorded, it cannot be altered. This means that any attempt to alter the CoC PDF after registration will be detectable: the hash of the altered PDF will not match the hash recorded on CoC Vault.

The SHA-256 hash provides tamper-evident proof that the CoC PDF is authentic and has not been altered since it was registered. This is the core security feature of CoC Vault — it is what makes the verification URL trustworthy.

Storage Security

Cloudflare R2 and GCP Backup

CoC PDFs are stored on Cloudflare R2, a globally distributed object storage service. Cloudflare R2 provides AES-256 encryption at rest and TLS encryption for all data in transit. The R2 bucket is configured with private access — CoC PDFs are not publicly accessible and can only be accessed by authenticated users.

In addition to Cloudflare R2, CoC PDFs are backed up to Google Cloud Platform (GCP) storage buckets in two regions: africa-south1 (Johannesburg) and eu-west1 (Belgium). The africa-south1 backup satisfies POPIA's requirement that personal data be stored or backed up within South Africa. The eu-west1 backup provides redundancy in case of a regional outage.

The GCP backup is non-blocking — it does not delay the minting process. It runs asynchronously after each successful CoC registration.

Data Handling Policies

What CoC Vault Does and Does Not Do With Your Data

CoC Vault stores the CoC PDF and the metadata provided during registration. This data is used only for the purpose of providing the verification service — it is not sold, shared with third parties, or used for any purpose other than CoC verification.

CoC Vault does not share CoC data with SABS, NRCS, SARS, or any government agency. The verification URL is public — anyone who has the URL can view the CoC metadata — but the URL is only shared with parties that the importer chooses to share it with (their clearing agent, SARS Customs, etc.).

The full data handling policy is set out in the Privacy Policy at certificatesofconformity.co.za/privacy. The Privacy Policy complies with POPIA (South Africa's Protection of Personal Information Act) and GDPR (the EU General Data Protection Regulation).

Data Retention

How Long CoC Records Are Kept

Vault subscribers have permanent storage of CoC PDFs and verification records. Non-subscribers' CoC PDFs are deleted after 30 days, but the verification record (hash, metadata, and verification URL) is retained permanently.

SARS requires importers to keep customs records for a minimum of 5 years. Vault subscribers' CoC records are retained for at least 5 years, satisfying this requirement. Non-subscribers should maintain their own secure backup of CoC PDFs.