
The eSIM you install from Truely works because of a specification document called SGP.22. Published by the GSMA — the industry body that represents mobile network operators globally — SGP.22 defines exactly how an eSIM profile gets downloaded to your phone, how it's stored securely, and how carriers authenticate it.
You never need to read SGP.22. But understanding its basic implications answers several questions that travelers commonly have: Why does the QR code expire? Can a carrier override my eSIM remotely? Why can some phones store multiple eSIM profiles while others can only store one? The answers come from the standard.
What the GSMA Actually Is
The GSMA (Global System for Mobile Communications Association) is a trade organization with over 750 member companies, including all major mobile network operators worldwide and most device manufacturers. It functions as a technical standards body and a certification authority for mobile communications infrastructure.
The GSMA doesn't regulate carriers directly — it publishes technical specifications that carriers and device manufacturers voluntarily adopt. The reason widespread adoption happens is simple: if your device doesn't follow the GSMA's eSIM specification, your eSIM won't work with any carrier that does follow it. The standard creates interoperability. Deviating from it breaks compatibility.
For eSIM specifically, the relevant specifications are SGP.02 (M2M eSIM, for IoT devices), SGP.22 (consumer eSIM for smartphones and tablets), and SGP.32 (IoT eSIM released in 2023). Truely's products operate under SGP.22, which is the specification relevant to iPhone, Android, and similar consumer devices.
The Architecture: SM-DP+ and eUICC
SGP.22 defines a two-component architecture. The first component is the eUICC (embedded Universal Integrated Circuit Card) — the physical chip in your phone. The second is the SM-DP+ (Subscription Manager Data Preparation Plus) — the server-side system that generates and delivers eSIM profiles.
When you purchase a Truely eSIM and receive a QR code, that QR code contains an address and activation code for Truely's SM-DP+ server. When you scan the QR code and initiate the installation, your phone establishes a TLS-encrypted connection to Truely's SM-DP+ server. The server authenticates your phone's eUICC chip using a cryptographic certificate chain that traces back to the GSMA's root certificate authority. The eUICC authenticates the server's certificate in return. Only after mutual authentication does the profile download begin.
This two-way authentication process is why QR codes expire after 72 hours by default. The activation code in the QR code is a one-time credential — it becomes invalid after the profile is downloaded, preventing replay attacks. A QR code that expires before use can be regenerated by Truely's support team on request.
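To make the QR code's contents and the one-time credential concrete, here is an added example (not Truely's or the GSMA's code) that parses the activation code string a consumer eSIM QR code carries and models the SM-DP+ side of a single-use, time-limited matching ID. The field layout (LPA:1$address$matching-id$oid$flag) is the SGP.22 activation code format; the hostname check, the registry logic, and the sample values (smdp.example.com, ABCD-1234) are constructed for illustration.

```python
import re
from dataclasses import dataclass

# The SM-DP+ address field must be a bare FQDN: no scheme, port or path.
_HOST_RE = re.compile(r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$")

@dataclass(frozen=True)
class ActivationCode:
    smdp_address: str            # server the LPA opens the mutually authenticated TLS session to
    matching_id: str             # one-time token that selects the pending profile
    smdp_oid: str                # optional OID the LPA may compare against the server certificate
    confirmation_code_required: bool

def parse_activation_code(text: str) -> ActivationCode:
    """Parse the SGP.22 activation code string 'LPA:1$<address>$<matching id>$<oid>$<flag>'."""
    if not text.startswith("LPA:"):
        raise ValueError("not an LPA activation code")
    fields = text[4:].split("$")
    if fields[0] != "1" or not 2 <= len(fields) <= 5:
        raise ValueError("unsupported format version or wrong field count")
    fields += [""] * (5 - len(fields))      # trailing optional fields may be omitted
    address = fields[1].lower()
    if not _HOST_RE.match(address):
        raise ValueError("SM-DP+ address is not a valid hostname")
    return ActivationCode(address, fields[2], fields[3], fields[4] == "1")

class MatchingIdRegistry:
    """SM-DP+ side (constructed model): each matching ID is redeemable once, inside its validity window."""
    def __init__(self, validity_seconds: int = 72 * 3600):
        self.validity_seconds = validity_seconds
        self._issued: dict[str, int] = {}      # matching id -> issue time (epoch seconds)
        self._consumed: set[str] = set()

    def issue(self, matching_id: str, issued_at: int) -> None:
        self._issued[matching_id] = issued_at

    def redeem(self, matching_id: str, now: int) -> str:
        """Return 'ok' exactly once for a live token; else 'unknown', 'replayed' or 'expired'."""
        if matching_id not in self._issued:
            return "unknown"
        if matching_id in self._consumed:
            return "replayed"                  # profile already downloaded: reject the replay
        if now - self._issued[matching_id] > self.validity_seconds:
            return "expired"                   # QR code older than 72 h: support must reissue
        self._consumed.add(matching_id)
        return "ok"
```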
Profile Storage and the 30-Profile Limit
SGP.22 requires that a GSMA-compliant eUICC be capable of storing at least 10 eSIM profiles. Most modern eUICC chips support 20–30 profiles. Apple's iPhone 13 and later support up to 8 active profiles simultaneously (depending on the device variant and iOS version), with additional profiles stored but inactive.
A stored but inactive profile occupies a slot on the eUICC chip. If you're a frequent traveler who has installed eSIM profiles from multiple providers over time, you may eventually fill up the chip's storage capacity. Deleting inactive profiles — done through your phone's eSIM settings — frees the storage for new profiles.
The deletion process is permanent and irreversible by design — SGP.22 defines deletion as a one-way operation to prevent profile reactivation after cancellation. If you delete a Truely profile and later want to reinstall it, you'll need to contact Truely's support to generate a new QR code. The plan credit associated with the original profile is preserved in Truely's system — you're not paying again, just reinstalling the profile.
Remote SIM Provisioning: Who Can Change Your eSIM
A common concern about eSIM is whether a carrier can remotely modify or disable your profile. The concern is understandable — if a profile can be installed remotely, can it be deleted remotely without your consent?
SGP.22 addresses this with a specific consent model. A carrier or profile issuer can send a "remote management operation" to an eUICC — including a delete command. However, the eUICC is required to notify the user of the operation and require confirmation before executing it. On iOS, this appears as a system notification: "Your eSIM profile from [Provider] has been updated." The notification cannot be suppressed by the carrier.
There is one exception: the "Profile Disabling" operation, which the carrier can trigger without user confirmation if the profile was issued under a contract that includes this capability. This is relevant for corporate-issued eSIMs where the employer has provisioning rights. Consumer travel eSIM profiles from Truely are not issued under these terms — Truely cannot remotely disable your plan without your request or until the plan expiration date.
Security: What the Standard Requires
SGP.22 mandates specific cryptographic requirements for eSIM profile delivery and storage. Profile delivery must use TLS 1.2 or higher with mutual certificate authentication between the eUICC and the SM-DP+ server. Profile storage on the eUICC must be encrypted at rest using the chip's internal key storage — profiles cannot be read by other applications on the device.
The GSMA issues SGP.22 compliance certifications to SM-DP+ operators (including Truely) through a formal audit process. The certificate chain from a certified SM-DP+ server traces back to the GSMA's Root CI (Certificate Issuer). This chain is what your phone validates when you install an eSIM profile — the eUICC checks that the SM-DP+ server's certificate was issued by a GSMA-certified authority before accepting the profile download.
In practice, this means an eSIM profile from any GSMA-certified provider (Truely included) carries the same security guarantees as a profile from your home carrier. The profile download is end-to-end encrypted. The stored profile cannot be read by other apps. The chain of trust is publicly auditable.
What the Standard Doesn't Guarantee
SGP.22 governs profile delivery and security. It does not govern the commercial terms of the underlying plan — pricing, data limits, carrier agreements, or coverage quality are outside its scope. Two eSIM providers can both be fully SGP.22 compliant while delivering very different quality of service. The standard ensures the technical plumbing works correctly. The quality of what flows through the pipes is a commercial and operational question.
For travelers evaluating eSIM providers, the presence of GSMA certification is necessary but not sufficient. It means the provider's SM-DP+ infrastructure is audited and secure. It doesn't mean their carrier agreements are good, their coverage is what they claim, or their APN configuration will work at your destination. Those are the factors that differentiate providers — and the ones worth investigating before purchase.