Security

The security of your personal information and data is critical to everything that we do here at Privacy. Here are some relevant details about the safeguards we have built into our technology stack.

Overview

  • Our team includes people from some of the top payments and security companies (American Express, Expensify, Palantir), and we’re bringing that expertise to Privacy.
  • Privacy is PCI-DSS compliant. We are held to the same rigorous security standards as your bank.

Data At Rest / Infrastructure

  • Passwords are hashed using PBKDF2 with 100k iterations and salted to make rainbow table attacks more difficult.
  • Sensitive information is encrypted using split-key encryption with partial keys held by separate employees.
  • Customer data is stored on single-tenant hardware in private networks in at least three separate geographic locations and is inaccessible from the outside world.

Data In Transit

  • Data is never sent in plaintext. All web traffic is sent over Transport Layer Security (TLS) HSTS for privacy and security.
  • Inter-data center communication protected via by Internet Protocol Security (IPsec) with AES-256.

Policies

  • Aggressive biannual encryption key rotation schedule.
  • Servers are firewalled and regularly updated with the latest security patches.
  • We follow OWASP best practices and all code is peer-reviewed before deployment.
  • For access controls, we follow principles of least privilege.