Security isn’t a feature. It’s our identity.

We take the responsibility of helping you manage identities seriously. That’s why every decision we make begins with the safety and privacy of your data in mind.

Application security

We practice defense in depth and take comprehensive steps to securely develop and test against threats across a range of vectors.

Third-party audits

In addition to our extensive internal scanning and testing program, we employ third-party security experts to perform penetration tests.

Data encryption

All web traffic through Persona is encrypted via Hypertext Transfer Protocol Secure (HTTPS) and Transport Layer Security (TLS) 1.2.

Data in the database is encrypted using AES-256 encryption. Decryption keys are stored on separate hosts and rotated on a regular basis.

Secure development

We implement coding best practices focused on the OWASP Top Ten. Development, testing, and production environments are separated.

All code changes are peer reviewed and tested prior to deployment into production.

Policies & training

A comprehensive set of security policies and trainings is made available and shared with all personnel with access to Persona systems.

Logical access

Access to production systems utilizes least privilege based on role, is audited and monitored, and requires both 2FA via SSH and whitelisted IP via VPN.

Continuous, dynamic scanning

We maintain a comprehensive vulnerability management program which includes regular scanning, identification, and remediation of security vulnerabilities on infrastructure, endpoints, networks, and applications.

Availability & continuity

We maintain a publicly available system-status page which includes performance and incident history.

Our backup and replication program ensures data availability across primary and secondary systems. The Disaster Recovery program ensures that services remain available or are recoverable in case of disaster.

Certifications and compliance

Our security and privacy frameworks are based on and aligned with global standards that ensure the highest grade of security is met and exceeded.

Data privacy

Adhering to regulations is only one component of our commitment to privacy. Our higher-order mission is to serve individuals with respect and protect the right to their unique identity.

Data transfer practices

We’re certified under the EU-U.S. and Swiss-U.S. Privacy Shield Frameworks for data transfer and storage.

Privacy policy

Our Privacy Policy honors the GDPR, EU-U.S. and Swiss-U.S. Privacy Shield Frameworks.

Privacy by design

Your data is yours to own. We never sell user data, and we provide you with secure methods to delete it in accordance with privacy regulations.

Privacy impact assessments

We continuously evaluate the impact of our activities on data privacy to ensure that we collect the minimum data needed and improve our practices.