Onboard™ SEMS

JavaCard secure elements, fully managed.

The SEMS module of OnBoard Secure Infrastructure (OBSI) is one platform for the entire life of a secure element — from initial configuration, to factory injection, to field updates years later.

Book a Demo
SE Lifecycle

Every object on the chip — security domains, applets, credentials.

Built to the GlobalPlatform specification, SEMS handles every object's complete lifecycle — from production provisioning through field updates to retirement.

Security domains

Creation, configuration, and permission assignment of security domains — the isolation boundaries that separate each party's keys, applets, and data on a single SE chip.

Applets

Loading, installation, personalization, upgrade, and reset of applets running within each security domain. Complete control over the application layer of the SE, from initial deployment through field updates.

Credential

Issuance, rotation, and revocation of application credentials within each security domain. Every credential change is tracked and auditable.

All SE operations are protected by Global Platform secure channel protocols — SCP02, SCP03, and SCP11C —ensuring data integrity and confidentiality between SEMS and the device.

Compatible with NXP, ST Microelectronics, and Infineon JavaCard SEs.
Multi-Party

OEMs enable multi-party access — within isolated security domains.

In some products, the device OEM needs to open SE access to third-party service providers — payment networks, transit operators, automotive partners — so each can manage their own credentials directly. SEMS Workspace supports OEM-led, multi-party SE configuration with hardware-isolated security domains. Each party operates within their authorized boundary; nothing crosses domain lines.

A smartphone SE carries payment, access control, and car key services — three providers, three independent security domains, keys invisible across boundaries.
An EV charging station SE serves the OEM, charge point operator, V2G certification authority, and e-mobility service provider — four parties, each managing its own security domain independently.

SE Profile: the blueprint for multi-party collaboration.

01 —
Reference, not hold. Each party references keys and certificates from their own KMS and PKI Workspace. SEMS stores no key material.
02 —
Version-locked. Once all parties agree, the profile is locked as an immutable configuration snapshot.
03 —
Reusable. A locked profile can be referenced by multiple products.
Complete Loop

From profile to production to field.

01

Profile configuration

Define the SE Profile in SEMS Workspace —security domains, applets, key and certificate references. In multi-party scenarios, each party configures within their authorized boundary. Version-lock when complete.
01

Production provisioning

The locked SE Profile is referenced by Product Workspace and delivered to EdgeHSM at the factory. EdgeHSM injects the complete configuration into every device's SE chip on the production line.
01

Post-deployment management

After devices ship, each party independently manages applets and credentials within their own security domain — upgrades, rotations, revocations. Hardware isolation ensures no interference between parties.
All three stages, one platform.
Get Started

See how your keys stay sovereign across your supply chain.

A 30-minute demo covers key sources, cross-organization collaboration, and device key injection.

Book a Demo
Contact Us
Digital trust infrastructure for connected devices and credentials. Built on 13 years in digital credentials and cryptographic infrastructure.
IoT Security
OverviewSecure Build & ReleaseFactory ProvisioningSBOM & VulnerabilitySecure Update & OTACompliance & DisclosureGoogle CastMatter
Mobile Credentials
OverviewTransitAccessDigital Car Key
Resources
OverviewBlogWhitepapersCase Study
Company
About UsPartners
Privacy PolicyTerms Of ServiceCookie Policy
© 2026 Snowball Technology. All rights reserved.
EN
|
ZH