This article describes Privy's current security practices and policies. If you believe you've found a vulnerability in one of Privy's services, please see the Security page for responsible disclosure information.
- Privy regularly deploys new features and improvements multiple times per week. All application code changes must pass multiple forms of human and automated review before deployment.
- Extensive unit, integration, and static analysis tests are run against all changes before release.
- Production and development environments are always kept separate on physically distinct networks.
Software vulnerability patching
- Many of Privy's software systems are automatically patched and updated on a rolling basis.
- Privy regularly tests and deploys patches for vulnerabilities in third-party software packages and has an automated alerting system for when new security patches are available.
Authorization and access control
- Multi-factor authentication is mandatory for anyone with direct access to Privy's underlying technical infrastructure and customer backups.
- Customer PII is only accessed on a need-to-know basis, and actions taken in Privy's internal support dashboard are audited.
- Customer PII is never mixed - each account is segregated so that users can never access another account's customer data.
- Payment information is stored in a separate organization that is certified PCI Service Provider Level 1, the most stringent certification available.
Data security and encryption
- All data is encrypted at rest. Privy uses either a symmetric key encryption algorithm like AES-256-GCM or public-private key encryption with a key size of at least 1024 bits.
- All data is encrypted in transit. Privy data is accessible only via TLS, using a minimum of TLS 1.1. It is not possible to access services without HTTPS.
- Privy.com enforces HTTP Strict-Transport-Security (HSTS), and all subdomains are on the HSTS preload list.
- The Privy.com domain is signed with DNSSEC.
- All passwords are salted and hashed with one-way encryption.
- Application credentials are stored separately from the codebase.
- All customer data is stored in the continental United States.
- Privy's content delivery network may serve static assets worldwide but does not store customer data.
- Physical data center security is managed by Amazon Web Services, which has achieved the highest level of certifications, including ISO 27001 and SOC. For more information, see AWS Security and AWS Compliance.
Uptime, Reliability, and Recovery
- Privy constantly monitors its service for performance and availability. When issues are reported, they will appear on the Status Page.
- All application and customer data are stored on redundant infrastructure across multiple availability zones to eliminate single failure points.
- Customer data is backed up nightly and retained on a rolling basis to recover from in the event of a disaster.