Ambimat GroupAmbimatAmbiSecureSIMAuthAmbiAutomationEngineering BlogAhmedabad · India · Est. 1981
ASAmbiSecureHardware-rooted security
Contact
Trust center

Trust, certifications, and disclosures.

A single page that points buyers, auditors, and security teams at the documents that matter most when evaluating AmbiSecure: our certification posture, our standards conformance, our security model, our V2X / ITS trust posture, and our vulnerability-disclosure practice.

CERT

Certifications

What we are actively certified for, the standards we build to, certifications we are targeting, compliance frameworks we support, and the legacy trust badges — reproduced as-is.

View certifications →
STD

Standards conformance

FIDO U2F / FIDO2 / WebAuthn, JavaCard 3.x, GlobalPlatform 2.3.1, ISO 7816, ISO 14443, NIST SP 800-73, GSMA SGP.22 / SGP.32. Verifiable via our utility tools.

View technologies →
SEC

Security model

How AmbiSecure products achieve hardware-rooted assurance — secure-element silicon, applet firewall, SCP03 personalisation, attestation, lifecycle keys.

View about →

V2X / ITS trust posture

AmbiSecure's V2X / ITS work sits inside an explicit boundary: we supply the hardware-rooted identity primitives that connected-vehicle and roadside infrastructure depend on, and we integrate alongside the operators, OEMs, and PKI authorities that run the deployment. The trust posture below is what procurement, regulators, and OEM integrators need to know.

  • Hardware identity: the underlying secure-element silicon in AmbiSEC Module is CC EAL5+ certified at the chip level. Key isolation, ECDSA-P256 / P-384 acceleration, signed boot, and tamper-resistant storage all sit inside that boundary. See the IoT Security Co-Processor page for the silicon detail.
  • Standards alignment, not certification: the AmbiSEC Module integrated product is designed against IEEE 1609.2, ETSI TS 103 097, ETSI TS 102 941, ISO 21177, and TEC 31318:2021. These are design-alignment statements, not formal certifications of the integrated product. Automotive-grade certification (ISO 26262, ASPICE) of the integrated product is a target, not a present claim.
  • Secure provisioning: personalisation lines run under HSM-backed key custody with SCP03-equivalent wrapping, per-device serialisation, and audit-grade logging. The factory side of the V2X EC / PC lifecycle — the moment that determines whether a deployment has a defensible identity story — is operated to the same discipline as the FIDO and PIV personalisation lines.
  • Certificate lifecycle integrity: Enrolment Credentials live inside the secure element; Pseudonymous Certificate batches rotate under SE management; revocation material is distributed through the channel appropriate to the connectivity tier. See device identity at scale for the architectural treatment.
  • Offline trust environments: the V2X PC5 sidelink case — verification with no backhaul — is handled by the same hardware-isolation properties that hold at the chip level. CRL distribution via RSU broadcast is part of the architecture, not a bolted-on extension.
  • What we explicitly do NOT claim: AmbiSecure does not operate a V2X Root CA, does not ship turnkey OBU or RSU products, has not been endorsed by TRAI or any government authority, and does not disclose named customers or specific city deployments on the public site. The boundary is documented in writing.

Vulnerability disclosure

If you believe you have identified a security vulnerability in an AmbiSecure product, applet, validation server, or tool, we want to know about it before anyone else does.

  • How to report: Email support@ambimat.com with subject prefix [security-disclosure]. Include affected product / version, reproduction steps, observed impact, and your preferred handle for credit.
  • What we commit to: Acknowledge receipt within 3 business days. Initial assessment within 10 business days. Coordinated disclosure timeline agreed with the reporter.
  • Safe harbour: Researchers acting in good faith on this disclosure channel will not be subject to legal action by AmbiSecure for the reported research.
  • What is in scope: AmbiSecure products, applets, validation server, personalisation tooling, and the public AmbiSecure web property at ambisecure.ambimat.com.
  • What is out of scope: Denial-of-service of public infrastructure, social engineering of staff, attacks against customer deployments not run by AmbiSecure, and physical attacks against silicon partners’ supply chain (refer to those vendors directly).

Trust documents on request

Procurement-grade documents (per-product datasheets, SCP03 key-ceremony procedures, FIDO Certified product certificate IDs, vendor-security-questionnaire responses) are available under NDA. See the trust-documents list on the certifications page for the full menu.

Need a security or compliance review?

Tell us your evaluation framework, your timeline, and the documents you need. We respond within two business days.

Talk to our security team