We build security into our systems, our processes, and our culture. You are trusting us with your data and we take the responsibility of securing it extremely seriously.
The Proof'd architecture is designed to be secure and reliable. We use an n-tier architecture with firewalls between each tier and additionally within certain tiers between services. Services are accessible only by other services that require access. Access keys are rotated regularly and stored separately from our code and data.
Our application is hosted and managed within Amazon Web Services (AWS) secure data centers. These data centers have been accredited under:
- ISO 27001
- SOC 1 and SOC 2/SSAE 16/ISAE 3402 (Previously SAS 70 - Type II)
- PCI Level 1
- FISMA Moderate
- Sarbanes-Oxley (SOX)
We make extensive use of the capabilities and services provided by AWS to increase privacy and control network access throughout our system. Documents that provide more details about AWS security are available at AWS Whitepapers.
Proof'd data stores are accessible only by servers that require access. Access keys are stored separately from our source code repository and only available to the systems that require them. Additionally, production environments are sandboxed from testing environments.
We maintain secure encrypted backups of important data for one year. Backup data is fully expunged after one year.
Proof'd runs a zero-trust corporate network. There are no corporate resources or additional privileges from being on the Proof'd corporate network.
Vulnerability scans and pentesting
Proof'd uses security tools to continuously scan for vulnerabilities. Additionally, vulnerabilities in third-party libraries and tools are monitored and software is patched or updated promptly when new issues are reported.
The system regularly undergoes third-party security reviews and penetration testing to identify potential vulnerabilities and ensure that they are addressed. Please contact our Customer Success team at firstname.lastname@example.org if you require access to these results.
Our servers are protected by firewalls and not directly exposed to the Internet.
We aggregate logs to secure encrypted storage. Any sensitive information is stripped prior to logging. Log data is fully expunged after one year.
Security Training and Confidentiality
Proof'd has mandatory, continuous security training programs for all employees and contractors. Additionally, all employees and contractors have signed confidentiality agreements with Proof'd.
All Proof'd web traffic is served over HTTPS. We force HTTPS for all web resources, including our API, web app, and public website. We also use HSTS to ensure that browsers communicate with our services using HTTPS exclusively. Additionally, we use only strong cipher suites and only support TLS 1.2 and 1.3.
All databases and other data stores, are fully encrypted at rest. In addition, all archives and logs are fully encrypted at rest. We use industry standard encryption algorithms with a minimum strength of AES-256.
Authentication and Privacy
We never store passwords in a form that can be retrieved. Instead, we store an irreversible cryptographic hash using a function specifically designed for this purpose. Authentication sessions are invalidated when users change key information and sessions automatically expire after a period of inactivity.
We monitor and rate limit authentication attempts on all accounts. Our system automatically blocklists any IP addresses responsible for suspicious authentication activity.
We provide multiple user roles with different permissions levels within the application. Roles vary from account admins to users. In all systems, we practice the principle of least privilege.
Reliability and Compliance
All credit card payments paid to Proof'd go through our payment processing partner, Stripe. Details about their security posture and PCI compliance can be found at Stripe's Security page.
Proof'd is built with fault tolerance capability. Our services are fully redundant with replication and failover. Services are distributed across multiple AWS availability zones. These zones are hosted in physically separate data centers, protecting services against single data center failures.
Proof'd maintains an incident response plan that includes procedures to be followed in the event of an unauthorized disclosure of data or other security incident.
If you have any concerns or discover a security issue, please email us at email@example.com and we will investigate. We request that you do not publicly disclose any issue you discovered until after we have addressed it.