How Privy ensures the security and privacy of your data
This article describes Privy's current security practices and policies. If you believe you've found a vulnerability in one of Privy's services, please see our Security page for responsible disclosure information.
Software updating and patching
- Privy regularly tests and deploys patches for vulnerabilities in third-party software packages, and has an automated alerting system for when new security patches are available. In addition, many software systems are automatically patched and updated on a rolling basis.
Authorization and access control
- Multi-factor authentication is mandatory for anyone with direct access to Privy's underlying technical infrastructure and customer backups.
- Customer PII is only accessed on a need-to-know basis, and actions taken in Privy's internal support dashboard are audited.
- Customer PII is never mixed between accounts: each account's PII and customer data are segregated so that accounts can never access the customer data of another account.
- Payment information is stored with a separate organization that is a certified PCI Service Provider Level 1, the most stringent certification available.
Data security in transit
- All data, including PII, is encrypted in transit, including when it is transmitted from one internal service to another.
- All Privy services are accessible via TLS, and all Privy services enforce HTTP Strict-Transport-Security and a minimum of TLS 1.1.
Data security at rest
- Customer PII is encrypted at rest when stored on public media (such as browser cookies). Privy uses either symmetric key encryption, or public-private key encryption with a key size of at least 1024 bits.
- Customer data is stored in the continental United States, with physical security managed by Amazon Web Services.