Security isn’t a feature.
It’s our identity.

Application security

• Third party audits

  In addition to our extensive internal scanning and testing program, we employ third-party security experts to perform penetration tests.

• Secure development

  We implement coding best practices focused on the OWASP Top Ten. Development, testing, and production environments are separated.

  All code changes are peer reviewed and tested prior to deployment into production.

• Continuous, dynamic scanning

  We maintain a comprehensive vulnerability management program which includes regular scanning, identification, and remediation of security vulnerabilities on infrastructure, endpoints, networks, and applications.

• Data encryption

  All web traffic through Persona is encrypted via Hypertext Transfer Protocol Secure (HTTPS) and Transport Layer Security 1.2 (TLS).

  Data in the database is encrypted using AES-256 encryption. Decryption keys are stored on separate hosts and rotated on a regular basis.

• Policies & training

  A comprehensive set of security policies and trainings are made available and shared with all personnel with access to Persona systems.

• Availability

  We maintain a publicly available system-status page which includes performance and incident history.

  Our backup and replication program ensures data availability across primary and secondary systems. The Disaster Recovery program ensures that services remain available or are recoverable in case of disaster.

• Logical Access

  Access to production systems utilizes least privilege based on role, is audited and monitored, and requires both 2FA via SSH and whitelisted IP via VPN.