SECURITY · 2026

How we secure your record.

Carry is being built to UK Digital Identity and Attributes Trust Framework (DIATF) standards, with cryptographic credentials issued and held according to the W3C Verifiable Credentials specification.

The architecture. Credentials are issued by trusted parties (employers, certifying bodies, platforms), signed with their private keys, and stored in the worker's Carry wallet. Verifiers read directly from the wallet using SD-JWT with selective disclosure — they see only what the worker chooses to share. Carry the company sits outside the trust path: we do not hold the signing keys, we do not store the credential content, we do not act as an intermediary between issuer and verifier.

The roadmap.

· DIATF certification: targeting Q4 2026
· Independent penetration test: ahead of public V1
· SOC 2 Type I: alongside DIATF
· Bug bounty programme: at public launch
· Threat model and architecture diagrams: published on this page when ready

For security researchers and prospective enterprise customers, our current architecture brief is available on request: security@getcarry.co.uk.

If you believe you have found a vulnerability in this site or anywhere in the Carry stack, please email security@getcarry.co.uk with details. We will respond within two working days. A formal disclosure policy will be published before public launch.

IN DEVELOPMENT · ARCHITECTURE BRIEF AVAILABLE