Our commitment to enterprise security
Security is critical to us.
Here is a sampling of the measures we take to ensure the security and integrity of our offering.
Our cloud-based infrastructure is hosted by Amazon Web Services, on an architecture built to meet the requirements of the most security-sensitive organizations. We also offer the option of an on-premises version.
Only the outer web tier servers of our multi-tiered architecture are publicly accessible, and only over HTTP/HTTPS. None of our application tier or data tier servers are exposed to the public Internet.
The credentials in our database are stored only in a salted and strongly hashed format, so we have absolutely no way of recovering the original data. We store absolutely no financial or other personal information.
We never store submitted data; it is kept in memory on our servers only long enough to perform the database lookup, and then the memory is zeroed out at the end of the call.
All sensitive traffic flowing into and out of our servers is encrypted using 256-bit SSL. Firewalls are configured to permit only HTTP/HTTPS traffic from the public Internet and to reject all other traffic.
APIs are implemented as a series of RESTful web services with JSON payloads. All APIs must be accessed via HTTPS and require authentication.
Our APIs never return passwords or credentials in any form, hashed or otherwise. We never return email addresses, except in cases where we are simply echoing back an email that was submitted in the initial request.
Our Credential API and Password API offer a partial hash approach for comparison. This ensures that no clear text or credential hash data leaves your environment and that comparisons can be done locally, so we don’t know whether a match was found.
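The partial hash comparison described above, sketched as an added example; this is not our API client or the service's own code. The SHA-256 hash, the 5-character prefix, the `MockService` class and the candidate-list response are all assumptions made for illustration, since this page does not specify the hash algorithm or the wire format.

```python
import hashlib
import hmac

PREFIX_LEN = 5  # assumed: hex characters of the hash disclosed to the service


def password_hash(password: str) -> str:
    """Assumed stand-in hash; the real algorithm is not given on this page."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def build_query(password: str):
    """Return (prefix that leaves the environment, full hash that stays local)."""
    full = password_hash(password)
    return full[:PREFIX_LEN], full


class MockService:
    """Constructed in-memory stand-in for the remote lookup (hypothetical)."""

    def __init__(self, exposed_passwords):
        self._hashes = sorted(password_hash(p) for p in exposed_passwords)
        self.seen = []  # records everything the service ever receives

    def candidates(self, prefix: str):
        # The service only learns the prefix, which many inputs share.
        self.seen.append(prefix)
        return [h for h in self._hashes if h.startswith(prefix)]


def is_exposed(password: str, service) -> bool:
    """Compare locally; the outcome is never reported back to the service."""
    prefix, full = build_query(password)
    match = False
    for cand in service.candidates(prefix):
        # Constant-time comparison, and no early exit, so timing does not
        # depend on which candidate (if any) matched.
        match |= hmac.compare_digest(cand, full)
    return match


if __name__ == "__main__":
    svc = MockService(["password1", "letmein"])  # constructed sample data
    print(is_exposed("password1", svc))  # found in the sample set
    print(is_exposed("correct horse battery staple", svc))  # not found
    print(svc.seen)  # only prefixes were transmitted
```

A shorter prefix discloses less about the submitted value but returns more candidates per query; the value used here is only a placeholder.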
If you have concerns or questions, or would like more information about our security, including further details of our credential database or our API security, please contact us at any time.