How Privy ensures the security and privacy of your data
This article describes Privy's current security practices and policies. If you believe you've found a vulnerability in one of Privy's services, please see our Security page for responsible disclosure information.
- Privy regularly deploys new features and improvements multiple times per week. All application code changes must pass multiple forms of human and automated review before deployment.
- Extensive unit, integration, and static analysis tests are run against all changes before release.
- Production and development environments are always kept separate on physically distinct networks.
Software vulnerability patching
- Many of Privy's software systems are automatically patched and updated on a rolling basis.
- Privy regularly tests and deploys patches for vulnerabilities in third-party software packages, and has an automated alerting system that reports when new security patches are available.
Authorization and access control
- Multi-factor authentication is mandatory for anyone with direct access to Privy's underlying technical infrastructure and customer backups.
- Customer PII is only accessed on a need-to-know basis, and actions taken in Privy's internal support dashboard are audited.
- Customer PII is never mixed between accounts: each account's PII and customer data are segregated so that one account can never access the customer data of another account.
- Payment information is stored by a separate organization that is a certified PCI Service Provider Level 1, the most stringent certification available.
Data security and encryption
- All Privy services are accessible only via TLS, using a minimum of TLS 1.1. It is not possible to access services without HTTPS. This means all data is encrypted in transit, including when transmitted from one internal service to another.
- Privy.com enforces HTTP Strict-Transport-Security (HSTS) and all subdomains are on the HSTS preload list.
- The Privy.com domain is signed with DNSSEC.
- Customer PII is encrypted at rest when stored on public media (such as browser cookies). Privy uses either symmetric-key encryption or public-private key encryption with a key size of at least 1024 bits.
- All passwords are salted and hashed with a one-way function.
- Application credentials are stored separately from the code base.
- All customer data is stored in the continental United States.
- Privy's content delivery network may serve static assets from around the world, but does not store customer data.
Data center security
- Physical data center security is managed by Amazon Web Services, which has achieved the highest level of certifications including ISO 27001 and SOC. For more information, see AWS Security and AWS Compliance.
Uptime, Reliability, and Disaster Recovery
- Privy constantly monitors its service for performance and availability. When issues are reported, they will appear on the Status Page.
- All application and customer data is stored on redundant infrastructure across multiple availability zones to eliminate single points of failure.
- Customer data is backed up nightly and retained on a rolling basis so that it can be restored in the event of a disaster.