The trust model
Architecture, not promises.
nullpay.’s privacy guarantee is enforced by how the system is built, not by a policy that could change.
How the architecture enforces privacy
01
Blind RSA signatures (RFC 9474)
NullPay signs your token without seeing it. When you redeem, the signature is valid but NullPay cannot recognize which signing session produced it. This is a property of the math, not a setting.
RFC 9474 ↗02
Structural data separation
Payment records (who paid, how much) and redemption records (which token, which service) are kept on separate servers with separate credentials. No shared key, no join path.
03
Batch processing
Redemptions queue in a threshold pool mix: batches fire only when enough real redemptions are waiting, padded with constant-rate cover traffic. Timing analysis cannot reliably correlate a payment to a redemption.
04
Open source
The protocol, the code, and the database schemas are published. The claims above are verifiable.
View source ↗The same cryptography, deployed at scale
Blind signatures are a 40-year-old technique, now standardized as RFC 9474. nullpay. didn’t invent them.
Apple
Private Access Tokens on iOS and macOS.
Cloudflare
Privacy Pass for private authentication.
GNU Taler
EU-funded, piloting with real banks.
These organizations use the same cryptographic primitive. They do not endorse or have any affiliation with NullPay.
RFC 9474 is proven and widely deployed. Our implementation of this protocol has not yet been independently audited. Until it is, the privacy guarantee depends on trusting our implementation. Closing this gap is our most important milestone.
Verification plan
Open source is the foundation. Independent audits are next. These steps are planned. None beyond open-sourcing are completed yet.
01
Open source
All code published. Crypto implementation, API, schemas.
Complete
02
Cryptographic audit
RFC 9474 compliance, blinding correctness, no side channels.
Planned — timeline TBD
03
Separation audit
Independent verification that no join path exists between stores.
Planned — timeline TBD
04
Transparency report
Published regularly. Every data request documented.
Planned — timeline TBD