Security and privacy are not a feature.
They’re our identity.

We take the responsibility of helping you manage your customer data seriously. That’s why we’ve taken a security and privacy first approach to everything we do.

Certifications and compliance

Our security and privacy frameworks are built on and aligned with recognized global standards. Please reach out to your Persona account manager or [email protected] for a copy of our certifications.

Security and privacy at our core

Security and privacy are the foundation of a trusted relationship. That’s why Persona is compliant with and certified against recognized industry standards, and committed to protecting your and your customers' privacy.

Security

Our defense-in-depth strategy layers multiple independent security controls, so that no single control failure exposes customer data, and protects against a wide range of threats.

Availability

Our backup and replication program keeps data available across primary and secondary systems. Our Disaster Recovery program ensures that services remain available, or can be recovered, in the event of a disaster.

Secure development

We implement coding best practices focused on the OWASP Top Ten. Development, testing, and production environments are separated. All code changes are peer reviewed and tested prior to deployment into production.

Continuous vulnerability scanning

We maintain a comprehensive vulnerability management program which includes regular scanning, identification, and remediation of security vulnerabilities on infrastructure, endpoints, networks, and applications.

Data encryption

All web traffic to and from Persona is encrypted with HTTPS using TLS 1.2. Data at rest in the database is encrypted with AES-256. Decryption keys are stored on hosts separate from the data they protect and are rotated on a regular basis.
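
The paragraph above names three properties (AES-256 at rest, keys held on separate hosts, regular rotation) without showing how they fit together. The following is an added example, not Persona's code, of the envelope-encryption pattern that such a design usually implies: each record gets its own data-encryption key (DEK), the DEK is wrapped under a versioned key-encryption key (KEK) held by a separate key host, and rotation re-wraps DEKs rather than re-encrypting data. The `KeyHost`, `Record`, `Rewrap` and `Retire` names, the use of GCM mode and the sample record are all assumptions made for this illustration; the page says only "AES-256".

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

const keySize = 32 // 32-byte keys select AES-256

// KeyHost stands in for the separate key-management host (assumed; the page names no product).
type KeyHost struct {
	keks    map[uint32][]byte // versioned key-encryption keys (KEKs)
	current uint32
}

// NewKeyHost starts with one KEK installed as version 1.
func NewKeyHost() (*KeyHost, error) {
	h := &KeyHost{keks: map[uint32][]byte{}}
	return h, h.Rotate()
}

// Rotate installs a fresh KEK and makes it current. Older versions stay
// usable so existing records can be re-wrapped onto the new key.
func (h *KeyHost) Rotate() error {
	k := make([]byte, keySize)
	if _, err := rand.Read(k); err != nil { return err }
	h.current++
	h.keks[h.current] = k
	return nil
}

// Retire destroys a KEK; records still wrapped under it become unreadable.
func (h *KeyHost) Retire(version uint32) { delete(h.keks, version) }

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil { return nil, err }
	return cipher.NewGCM(block)
}

// sealGCM encrypts with AES-256-GCM and prefixes the random 12-byte nonce.
func sealGCM(key, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil { return nil, err }
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil { return nil, err }
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// openGCM reverses sealGCM; any tampering fails the GCM tag check.
func openGCM(key, sealed []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil { return nil, err }
	n := gcm.NonceSize()
	if len(sealed) < n { return nil, fmt.Errorf("ciphertext too short") }
	return gcm.Open(nil, sealed[:n], sealed[n:], nil)
}

// Record is the stored form; no plaintext key ever sits beside the data.
type Record struct {
	KEKVersion uint32 // which KEK wrapped the DEK
	WrappedDEK []byte // per-record data-encryption key, encrypted under the KEK
	Ciphertext []byte
}

// Encrypt uses a one-off DEK per record and wraps it under the current KEK.
func Encrypt(h *KeyHost, plaintext []byte) (*Record, error) {
	dek := make([]byte, keySize)
	if _, err := rand.Read(dek); err != nil { return nil, err }
	ct, err := sealGCM(dek, plaintext)
	if err != nil { return nil, err }
	wrapped, err := sealGCM(h.keks[h.current], dek)
	if err != nil { return nil, err }
	return &Record{KEKVersion: h.current, WrappedDEK: wrapped, Ciphertext: ct}, nil
}

// unwrap recovers a record's DEK, failing if its KEK version was retired.
func unwrap(h *KeyHost, r *Record) ([]byte, error) {
	kek, ok := h.keks[r.KEKVersion]
	if !ok { return nil, fmt.Errorf("KEK version %d has been retired", r.KEKVersion) }
	return openGCM(kek, r.WrappedDEK)
}

func Decrypt(h *KeyHost, r *Record) ([]byte, error) {
	dek, err := unwrap(h, r)
	if err != nil { return nil, err }
	return openGCM(dek, r.Ciphertext)
}

// Rewrap moves a record onto the current KEK without touching its
// ciphertext, which is what keeps regular rotation cheap on large tables.
func Rewrap(h *KeyHost, r *Record) error {
	dek, err := unwrap(h, r)
	if err != nil { return err }
	wrapped, err := sealGCM(h.keks[h.current], dek)
	if err != nil { return err }
	r.WrappedDEK, r.KEKVersion = wrapped, h.current
	return nil
}
```

The point a reviewer would check in a real deployment is the ordering in rotation: every stored record must be re-wrapped onto the new KEK before the old version is retired, because a record whose KEK has been destroyed is unrecoverable even though its ciphertext is intact. The separation also shows why "keys on separate hosts" matters: a dump of the database yields only ciphertext and wrapped DEKs, neither of which is useful without the key host.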

Policies & training

A comprehensive set of security policies and training is made available to all personnel with access to Persona systems.

Third-party audits

In addition to our extensive internal scanning and testing program, we employ third-party security experts to perform penetration tests.

Logical access

Access to production systems is restricted to necessary personnel, is audited and monitored, and is secured with multi-factor authentication.

Internal controls

All employees undergo a background check before hire and are subject to ongoing background checks throughout their employment.

Privacy

Every decision we make begins with the safety and privacy of you and your customers' data in mind.

Data transfer practices

We perform transfers in a secure manner by encrypting data in transit. We are also able to support data residency in the US and the EU.

Privacy policy

Our Privacy Policy honors the CCPA/CPRA and GDPR frameworks. We are transparent about how we collect and use your data.

Privacy by design

Your data is yours to own. We never sell user data and provide you with secure methods to delete it in accordance with privacy regulations.

Privacy impact assessments

We continuously evaluate the impact of our activities on data privacy to ensure that we collect only the minimum data needed, and to improve our practices.

As we deal with sensitive health records, we needed a certified identity solution that would help us verify patients quickly, accurately, and safely. Not only did Persona meet all of these expectations, but their NIST IAL certification will also play a key role in our ability to help patients get more out of their health records.
Deven McGraw
Lead for Data Stewardship and Data Sharing at Ciitizen

Ready to get started?

Get in touch or start exploring Persona today.