White-Label: Rebrandable Security Infrastructure
Deploy PRIVATE.ME's complete cryptographic platform under your brand. Full ACI stack, your identity. XorIDA threshold security, post-quantum protection, and information-theoretic guarantees — delivered as your product, your API, your compliance certifications.
Executive Summary
White-Label enables partners, integrators, and enterprises to deploy the entire PRIVATE.ME security platform under their own brand identity — from logo and color scheme to domain names and compliance documentation.
The platform provides complete infrastructure rebranding: your company presents the XorIDA threshold security layer, 140 ACIs, post-quantum cryptography, and information-theoretic guarantees as your own intellectual property. PRIVATE.ME remains invisible to your end customers while providing continuous updates, security patches, and compliance inheritance.
Three deployment modes serve different go-to-market strategies: SaaS White-Label (managed infrastructure, fastest launch), Hybrid Private Cloud (partner infrastructure with PRIVATE.ME control plane), and Full On-Premise (complete transfer, enterprise buyers, air-gapped deployments).
Unlike traditional licensing that stops at API access, White-Label delivers the complete stack: SDK documentation under your domain, enterprise CLI tools with your branding, security certifications listing your company, marketing collateral you can modify, and customer success playbooks you can rebrand.
Partners maintain the customer relationship, set pricing, control go-to-market, and capture primary revenue. PRIVATE.ME charges via infrastructure fees (SaaS model) or perpetual licensing (on-premise). Compliance certifications cascade automatically: when PRIVATE.ME achieves FedRAMP High, your white-labeled platform inherits it within 24 hours.
Developer Experience
White-Label provides complete rebrand control through configuration files, CI/CD pipelines, and automated documentation generation — zero manual rebranding labor.
Brand Configuration File
All visual identity, naming, and domain configuration lives in a single YAML manifest. Change your company name, logo URLs, color palette, taglines, and support contact — regenerate the entire platform in minutes.
```yaml
brand:
  name: "SecureCorp"
  tagline: "Enterprise Zero-Trust Security"
  logo_url: "https://cdn.securecorp.com/logo.svg"
  primary_color: "#0052CC"
  accent_color: "#36B37E"
domains:
  api: "api.securecorp.com"
  docs: "docs.securecorp.com"
  registry: "registry.securecorp.com"
legal:
  company_name: "SecureCorp Inc."
  privacy_url: "https://securecorp.com/privacy"
  terms_url: "https://securecorp.com/terms"
  support_email: "support@securecorp.com"
deployment:
  mode: "saas" # saas | hybrid | on-premise
  region: "us-east-1"
  compliance: ["SOC2", "ISO27001", "HIPAA"]
```
Automated Rebuild Pipeline
Every white-label deployment includes a GitOps pipeline that regenerates all artifacts when the config file changes. Documentation sites, SDK packages, CLI binaries, API responses, error messages, and compliance PDFs all rebrand automatically.
```bash
# Commit updated config
git commit -m "Update brand colors and logo" white-label-config.yaml
git push origin main

# Automated pipeline:
# 1. Rebuild SDK documentation with new branding
# 2. Recompile CLI tools with updated help text
# 3. Update API error messages and headers
# 4. Regenerate compliance documentation PDFs
# 5. Deploy to staging environment
# 6. Run integration tests
# 7. Promote to production
# Total time: ~12 minutes from commit to production
```
Zero PRIVATE.ME References
The rebrand is absolute. No SDK import paths mention @private.me. No error stack traces leak the underlying provider. No HTTP headers expose PRIVATE.ME infrastructure. Customers see only your brand.
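A partner can check this claim in CI before each release. The scanner below is an added example, not PRIVATE.ME tooling: it walks response headers, an error stack, a package manifest and SDK source for strings naming the upstream provider. The marker pattern, function names and sample artifacts are assumptions constructed for illustration.

```javascript
// Added example, not PRIVATE.ME tooling. The marker pattern and the sample
// artifacts below are assumptions constructed for illustration.
const UPSTREAM = /private[.\-_]?me\b/i;

// Yield [path, string] pairs from any JSON-like value. Object keys are
// included so a dependency named "@private.me/xlink" is checked as well.
function* strings(value, path = '$') {
  if (typeof value === 'string') {
    yield [path, value];
  } else if (Array.isArray(value)) {
    for (let i = 0; i < value.length; i++) yield* strings(value[i], `${path}[${i}]`);
  } else if (value && typeof value === 'object') {
    for (const [key, child] of Object.entries(value)) {
      yield [`${path}.${key} (key)`, key];
      yield* strings(child, `${path}.${key}`);
    }
  }
}

// Scan one named artifact and report every line that names the upstream provider.
function scanArtifact(name, content) {
  const findings = [];
  for (const [path, text] of strings(content)) {
    text.split('\n').forEach((line, i) => {
      const hit = line.match(UPSTREAM);
      if (hit) findings.push({ artifact: name, where: `${path}:${i + 1}`, match: hit[0], line: line.trim() });
    });
  }
  return findings;
}

// Scan a whole release: { artifactName: string | object }.
function scanRelease(artifacts) {
  return Object.entries(artifacts).flatMap(([name, content]) => scanArtifact(name, content));
}

// Constructed sample: response headers, an error stack, a package manifest, SDK source.
const sampleRelease = {
  'http-headers': { Server: 'securecorp-gateway', 'X-Powered-By': 'PRIVATE.ME ACI' },
  'error-stack': 'Error: share verification failed\n' +
    '    at Agent.receive (/app/node_modules/@private.me/xlink/dist/agent.js:88:13)',
  'package.json': { name: '@securecorp/secure-agent', dependencies: {} },
  'sdk-source': "import { Agent } from '@securecorp/secure-agent';",
};

for (const f of scanRelease(sampleRelease)) {
  console.log(`${f.artifact} ${f.where}: "${f.match}" in ${f.line}`);
}
```

A release gate would fail the build whenever `scanRelease` returns a non-empty list.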
The Problem
Building cryptographic infrastructure from scratch requires 5-10 person-years, continuous security research, compliance certifications costing $500K-$2M, and a team that understands post-quantum migration paths.
Enterprises want to own the customer relationship. When you deploy a third-party security SDK, your customers see another company's brand in documentation, support emails, compliance reports, and API responses. You become a reseller, not a platform provider.
Compliance certifications don't transfer. If PRIVATE.ME achieves FedRAMP High, that certification applies to PRIVATE.ME infrastructure — not to your product. Your enterprise customers require certifications listing your company as the assessed entity.
Building in-house is impractical. Implementing XorIDA threshold sharing, post-quantum hybrid KEMs, information-theoretic security proofs, and 140 ACIs requires deep cryptographic expertise, formal verification, and years of iteration. The talent doesn't exist at most companies.
| Approach | Time to Market | Annual Cost | Brand Control | Compliance Ownership |
|---|---|---|---|---|
| Build In-House | 5-10 years | $5M-$15M | Full | Owned |
| Third-Party SDK | 3-6 months | $100K-$500K | None | Not transferable |
| White-Label | 2-4 weeks | $250K-$1M | Complete | Cascades automatically |
The Traditional Path (Broken)
White-Label Path (Fixed)
Real-World Use Cases
Six partner profiles where White-Label delivers immediate ROI.
- Launch a "YourBank Secure Messaging" product without building cryptography in-house. Offer split-channel secure messaging to commercial clients under your brand. Compliance certs list your bank. (SaaS White-Label)
- Add "HealthTech Secure Exchange" to your EHR platform. HIPAA compliance inherited from PRIVATE.ME but listed under your company. Customers see your brand, not ours. (Hybrid Deployment)
- Deploy on JWICS/SIPRNet under your prime contract. Full on-premise, air-gapped. FedRAMP High certification cascades. You control all infrastructure, branding, and customer relationship. (Full On-Premise)
- AWS/Azure/GCP partners can offer "CloudPlatform SecureConnect" as a native service. Your logo, your billing, your support — PRIVATE.ME invisible in backend. (SaaS White-Label)
- CRM/ERP vendors add encrypted messaging as a premium tier. "Salesforce Vault Messaging" or "SAP Secure Channel" — white-labeled XorIDA security under partner brand. (Hybrid Deployment)
- EU/Middle East/Asia integrators deploying sovereign infrastructure. "NationalCloud Secure" — fully localized, compliance aligned with regional regulations, zero US infrastructure visibility. (Full On-Premise)
Solution Architecture
Three deployment models, one codebase. Partners choose infrastructure ownership level based on customer requirements and go-to-market strategy.
What Gets Rebranded
| Component | Rebrand Scope | Automation |
|---|---|---|
| SDK Packages | Import paths, package names, npm registry | Automated |
| Documentation | Logo, colors, company name, support links | Automated |
| CLI Tools | Binary names, help text, version strings | Automated |
| API Responses | Error messages, headers, metadata | Automated |
| Compliance Reports | SOC 2, ISO, FedRAMP PDFs with partner name | Automated |
| Marketing Collateral | White papers, case studies, data sheets | Partner customization |
| Customer Support | Email templates, knowledge base, chatbot | Partner customization |
Branding System
Visual identity, naming conventions, and legal entity configuration managed through a single source of truth.
Brand Asset Pipeline
Logo files, color palettes, typography settings, and design tokens flow through an automated build system. Upload your SVG logo and hex colors once — every SDK package, documentation page, CLI help screen, and API error message adopts your brand automatically.
Multi-Tier Branding
Some partners need different branding per customer segment. White-Label supports sub-brands: your enterprise tier shows "SecureCorp Enterprise" while your mid-market offering shows "SecureCorp Essentials" — both backed by the same infrastructure.
```yaml
brands:
  default:
    name: "SecureCorp"
    tier: "standard"
    logo: "https://cdn.securecorp.com/logo-standard.svg"
  enterprise:
    name: "SecureCorp Enterprise"
    tier: "premium"
    logo: "https://cdn.securecorp.com/logo-enterprise.svg"
    primary_color: "#001F3F" # Darker palette for enterprise
  government:
    name: "SecureCorp Federal"
    tier: "fedramp"
    logo: "https://cdn.securecorp.com/logo-federal.svg"
    compliance: ["FedRAMP High", "FISMA", "CMMC Level 3"]
```
Deployment Models
Infrastructure ownership spectrum from fully managed SaaS to complete air-gapped on-premise.
SaaS White-Label (Managed)
PRIVATE.ME operates all servers, databases, key management, and backups. Partner gets API access, SDK packages, and rebranded documentation. Fastest path to revenue — 2-4 weeks from contract signature to first customer deployment.
Ideal for: Financial services resellers, healthcare SaaS vendors, cloud platform add-ons. Low upfront investment, predictable operational costs, automatic security updates.
Hybrid Private Cloud
Partner deploys PRIVATE.ME containers to their own AWS/Azure/GCP account. PRIVATE.ME provides a lightweight control plane for license validation, compliance monitoring, and security patch distribution. Partner controls data residency, network topology, and compliance boundaries.
Ideal for: Regional cloud providers, system integrators with existing infrastructure contracts, enterprises requiring data sovereignty.
Full On-Premise (Disconnected)
Complete codebase transfer, including build pipelines, Kubernetes manifests, and operational runbooks. PRIVATE.ME provides initial deployment support and ongoing perpetual license for the software, but infrastructure and operations belong entirely to the partner.
Ideal for: Defense contractors, intelligence agencies, air-gapped networks (JWICS/SIPRNet), sovereign cloud operators in regulated jurisdictions.
| Property | SaaS | Hybrid | On-Premise |
|---|---|---|---|
| Time to Deploy | 2-4 weeks | 6-8 weeks | 12-16 weeks |
| Upfront Cost | $50K-$100K | $250K-$500K | $1M-$5M |
| Ongoing Cost | Revenue share (15-30%) | Annual maintenance (20%) | Support contract |
| Infrastructure Ownership | PRIVATE.ME | Partner | Partner |
| Security Updates | Automatic | Control plane push | Manual |
| Compliance Cascade | 24-hour inherit | 72-hour inherit | Separate audit |
Revenue Models
Flexible pricing structures align with partner go-to-market strategy and customer acquisition costs.
Revenue Share (SaaS Model)
Partner sets end-customer pricing and captures primary revenue. PRIVATE.ME charges 15-30% of monthly recurring revenue (MRR) based on volume tiers. No upfront license fee, no minimum commitment. Risk-sharing model ideal for new partnerships.
Per-Seat Licensing (Hybrid)
PRIVATE.ME charges partner a fixed per-seat fee (e.g., $5/user/month). Partner marks up to end customers at their discretion. Predictable cost structure, higher margin potential for partners with efficient sales motion.
Perpetual License (On-Premise)
One-time license fee based on deployment scale (users, nodes, throughput). Annual maintenance optional (typically 20% of license fee). Custom pricing for government and defense contracts. Multi-year payment plans available.
Integration Patterns
Four integration approaches for different partner tech stacks and deployment timelines.
SDK Rebrand (Fastest)
Import rebranded npm packages into your existing application. Zero changes to PRIVATE.ME code — all imports point to your npm scope. Deploy to customers as part of your product bundle.
```javascript
// Before white-label:
import { Agent } from '@private.me/xlink';

// After white-label:
import { Agent } from '@securecorp/secure-agent';
```
API Gateway Rebrand
Deploy a thin API gateway in front of PRIVATE.ME infrastructure. Gateway handles branding, rate limiting, billing integration, and customer-specific routing rules. Middleware injects your company's branding into all responses.
Full Platform Fork
Fork the entire PRIVATE.ME codebase into your private GitHub organization. Rebrand at build time via configuration. Deploy to your infrastructure. Full control over release cadence and customization depth.
OEM Appliance
For on-premise deployments, PRIVATE.ME delivers a pre-configured Kubernetes Helm chart or Docker Compose stack with all services rebranded. Partner installs into their data center or customer's private cloud. Zero internet connectivity required post-deployment.
Security Properties
White-Label inherits all PRIVATE.ME security guarantees. Rebranding does not weaken cryptographic assurances.
| Property | Mechanism | Guarantee |
|---|---|---|
| Information-Theoretic | XorIDA threshold sharing (GF(2)) | K-1 shares reveal zero bits, unbreakable by quantum computers |
| Post-Quantum KEM | X25519 + ML-KEM-768 hybrid | Forward secrecy survives quantum cryptanalysis |
| Authentication | Ed25519 + ML-DSA-65 dual signatures | Non-repudiation, quantum-safe with opt-in |
| Zero npm Dependencies | No runtime third-party code | Supply chain attack surface eliminated |
| Compliance Cascade | Automated cert regeneration | FedRAMP/SOC2/ISO inherit to partner within 24-72 hours |
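
The "K-1 shares reveal zero bits" property in the first row can be seen in the simplest GF(2) scheme, n-of-n XOR splitting. The code below is an added example and is not XorIDA or any PRIVATE.ME code; the function names and the sample secret are assumptions. It shows that any n-1 shares are consistent with every possible secret of the same length.

```javascript
// Added example: n-of-n XOR splitting over GF(2). This is NOT XorIDA.
// Function names and the sample secret are assumptions for illustration.
const rng = globalThis.crypto ?? require('node:crypto').webcrypto;

// getRandomValues() accepts at most 65536 bytes per call, so fill in chunks.
function randomBytes(length) {
  const out = new Uint8Array(length);
  for (let off = 0; off < length; off += 65536) {
    rng.getRandomValues(out.subarray(off, Math.min(off + 65536, length)));
  }
  return out;
}

function xorInto(acc, bytes) {
  if (acc.length !== bytes.length) throw new RangeError('length mismatch');
  for (let i = 0; i < acc.length; i++) acc[i] ^= bytes[i];
  return acc;
}

// n-1 shares are uniform random pads; the last is the secret XOR all pads.
function split(secret, n) {
  if (!Number.isInteger(n) || n < 2) throw new RangeError('need at least 2 shares');
  const last = Uint8Array.from(secret);
  const shares = [];
  for (let i = 0; i < n - 1; i++) {
    const pad = randomBytes(secret.length);
    xorInto(last, pad);
    shares.push(pad);
  }
  shares.push(last);
  return shares;
}

// XOR of all n shares cancels every pad and leaves the secret.
function combine(shares) {
  return shares.reduce((acc, s) => xorInto(acc, s), new Uint8Array(shares[0].length));
}

// For ANY candidate of the right length there is exactly one missing share
// that makes the known n-1 shares reconstruct it, so they rule nothing out.
function missingShareFor(knownShares, candidate) {
  return xorInto(combine(knownShares), candidate);
}

// Constructed demo: 3 shares, then a forged third share for a different secret.
const enc = new TextEncoder(), dec = new TextDecoder();
const shares = split(enc.encode('wire $1,000,000'), 3);
console.log(dec.decode(combine(shares)));
const forged = missingShareFor(shares.slice(0, 2), enc.encode('wire $9,999,999'));
console.log(dec.decode(combine([shares[0], shares[1], forged])));
```

Holding two of the three shares, an observer cannot tell the real third share from the forged one, which is why the guarantee does not depend on computational hardness.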
Compliance Inheritance Model
When PRIVATE.ME achieves a new compliance certification (e.g., FedRAMP High), partners on SaaS and Hybrid deployments inherit it automatically. White-Label infrastructure regenerates compliance PDFs listing the partner as the assessed entity. On-premise deployments require separate audits but can reference PRIVATE.ME's certification as evidence.
Performance Benchmarks
Rebranding adds zero runtime overhead. White-labeled deployments match PRIVATE.ME production performance.
| Operation | PRIVATE.ME | White-Label | Overhead |
|---|---|---|---|
| XorIDA Split (2-of-2, 1MB) | 33ms | 33ms | 0% |
| Hybrid KEM (X25519 + ML-KEM-768) | 2.7ms | 2.7ms | 0% |
| Agent.send() (split-channel) | ~5ms | ~5ms | 0% |
| Agent.receive() (verify + decrypt) | ~4ms | ~4ms | 0% |
| SDK Bundle Size | 240KB | 240KB | 0% |
Deployment Time Benchmarks
Honest Limitations
White-Label solves infrastructure rebranding, but certain constraints remain. Transparency prevents misaligned expectations.
Patent Ownership
XorIDA threshold sharing and other PRIVATE.ME innovations remain PRIVATE.ME intellectual property. Partners license the technology but do not acquire patent rights. If your company requires patent ownership (not just licensing), White-Label is not the solution — consider building in-house or acquiring PRIVATE.ME.
Core Algorithm Changes
Partners cannot modify XorIDA's core threshold sharing logic, cryptographic primitives, or security guarantees. You can rebrand, reconfigure, and extend — but the underlying cryptography is immutable. This protects both parties: you inherit our security audits and compliance certifications only if the code remains unchanged.
Compliance Inheritance Limits (On-Premise)
Full on-premise deployments do NOT inherit compliance certifications automatically. FedRAMP High, SOC 2, ISO 27001 audits are entity-specific. You can reference PRIVATE.ME certifications as supporting evidence, but your company requires separate audits listing your infrastructure and processes.
SaaS and Hybrid deployments DO inherit compliance because the underlying infrastructure remains under PRIVATE.ME's SOC 2/ISO scope. On-premise transfers operational control, which breaks the inheritance chain.
Vendor Lock-In
White-Label creates a dependency on PRIVATE.ME for security updates, compliance certifications, and algorithmic improvements. If PRIVATE.ME ceases operations, SaaS partners lose access immediately. Hybrid and on-premise partners can continue operating existing deployments but forfeit future updates.
Mitigation: On-premise contracts include source code escrow provisions. If PRIVATE.ME fails to meet service-level commitments or shuts down, escrowed source code transfers to the partner.
Customization Depth
White-Label is NOT custom development. You get 140 ACIs as-is, with configuration options and branding control. If your use case requires modifying core cryptographic flows, adding proprietary algorithms, or fundamentally altering the architecture, you need a custom development contract (significantly higher cost).
Customization Depth
What you can change vs. what remains locked to preserve security guarantees and compliance inheritance.
Allowed Customizations
| Layer | Customizable | Immutable |
|---|---|---|
| Branding | Logo, colors, fonts, company name, legal entity | None |
| API Surface | Endpoint paths, HTTP headers, error message text | Payload schemas (breaking changes prohibited) |
| SDK Package Names | npm scope, package names, import paths | Exported function signatures |
| Documentation | Writing style, examples, deployment guides | Cryptographic accuracy (audited claims) |
| Configuration | Timeout values, retry logic, default scopes | Cryptographic parameters (key sizes, threshold values) |
| Deployment Topology | Cloud provider, region, instance types | Container architecture (for compliance audit scope) |
Why Immutability Matters
PRIVATE.ME compliance certifications cover specific code artifacts. If you modify XorIDA threshold logic, NIST post-quantum parameter choices, or cryptographic key sizes, those changes fall outside our audited scope. Your deployment would require separate security audits, negating the compliance inheritance benefit.
Migration Tools
Tooling to migrate existing customer data, API integrations, and credentials from legacy systems to white-labeled PRIVATE.ME infrastructure.
Data Migration SDK
PRIVATE.ME provides a migration toolkit for common source systems: existing API key-based authentication, OAuth 2.0 client credentials, mTLS certificate infrastructure, and legacy encrypted storage systems.
```javascript
import { MigrationTool } from '@securecorp/migration';

const migrator = new MigrationTool({
  source: { type: 'api-keys', file: './legacy-keys.json' },
  target: { registry: 'https://registry.securecorp.com' },
});

// Map each API key to a new DID-based agent
const results = await migrator.migrateToAgents({
  onProgress: (done, total) => console.log(`Migrated ${done}/${total}`),
});

// Output: mapping from old API key ID to new DID
// Used to update customer databases and transition cutover
```
Dual-Run Period
Migration toolkit supports a "dual-run" mode where both legacy authentication (API keys) and new DID-based authentication work simultaneously. Partners can migrate customers incrementally without forced cutover dates.
Compliance Inheritance
How compliance certifications cascade from PRIVATE.ME to white-labeled partner deployments, and what triggers re-audit requirements.
Automatic Cascade (SaaS/Hybrid)
When PRIVATE.ME achieves a new certification (SOC 2 Type II, ISO 27001, FedRAMP High), the compliance report-generation pipeline automatically produces a partner-branded version within 24-72 hours. Partner company name, logo, and legal entity replace all PRIVATE.ME references. Auditors reviewed the same infrastructure and code — only the branding differs.
Separate Audit Required (On-Premise)
Full on-premise deployments transfer operational control to the partner. Compliance scope shifts from PRIVATE.ME infrastructure to partner infrastructure. Partner requires separate SOC 2/ISO audits covering their data centers, personnel, and processes. PRIVATE.ME certifications serve as supporting evidence but do not transfer.
Shared Responsibility Model
| Component | SaaS | Hybrid | On-Premise |
|---|---|---|---|
| Infrastructure Security | PRIVATE.ME | Partner | Partner |
| Code Cryptography | PRIVATE.ME | PRIVATE.ME | PRIVATE.ME (frozen at deploy) |
| Data Handling | PRIVATE.ME | Partner | Partner |
| Incident Response | PRIVATE.ME | Partner (PRIVATE.ME support) | Partner |
| Compliance Certification | Cascades | Cascades | Separate audit |
Deployment Options
SaaS Recommended
Fully managed infrastructure. Call our REST API, we handle scaling, updates, and operations.
- Zero infrastructure setup
- Automatic updates
- 99.9% uptime SLA
- Enterprise SLA available
SDK Integration
Embed directly in your application. Runs in your codebase with full programmatic control.
```bash
npm install @private.me/white-label
```
- TypeScript/JavaScript SDK
- Full source access
- Enterprise support available
On-Premise Upon Request
Enterprise CLI for compliance, air-gap, or data residency requirements.
- Complete data sovereignty
- Air-gap capable deployment
- Custom SLA + dedicated support
- Professional services included
Enterprise On-Premise Deployment
While White-Label is primarily delivered as SaaS or SDK, we build dedicated on-premise infrastructure for customers with:
- Regulatory mandates — HIPAA, SOX, FedRAMP, CMMC requiring self-hosted processing
- Air-gapped environments — SCIF, classified networks, offline operations
- Data residency requirements — EU GDPR, China data laws, government mandates
- Custom integration needs — Embed in proprietary platforms, specialized workflows
Includes: Enterprise CLI, Docker/Kubernetes orchestration, RBAC, audit logging, and dedicated support.