Security

Rest easy know that your data is safe with ComplyBOI

shield, protection, safety, security, woman.svg

SSL Certificates

All communications over the wire (both internal and external) are securely done over SSL (HTTPS). We also use HSTS to force browsers into communicating over HTTPS.

Data Encryption

All data is encrypted at rest with AES-256. Account passwords are encrypted in the PagerTree database, preventing even our own staff from viewing them.

Database Backup

Our databases are backed up every hour. All backups are encrypted and stored at multiple data centers with limited access.

Redundant Infrastructure

PagerTree is run in a high availability (HA) configuration in multiple availability zones. Additionally, notifications can be sent through multiple providers (Twilio, Plivo, ...).

Secure Payment Processor

Our payments provider, Stripe, has been audited by a PCI-certified auditor and is certified to PCI Service Provider Level 1. This is the most stringent level of certification available in the payments industry.

Security Practices

Security and Privacy

For detailed information about our security and privacy practices, you can view our privacy policy. Below are some highlights.

Data centers and security measures

Data centers

ComplyBOI's servers are hosted at Fly.io (San Jose, USA region). Database (sfo2) and cloud storage (sfo3) are hosted at DigitalOcean.

Hosted Infrastructure Details

The Fly.io and DigitalOcean infrastructures have strong safeguards to protect customer privacy. All data is stored in highly secure data centers. For a detailed overview of all security and privacy measures, see the Fly.io Security page and DigitalOcean Security page.

Additional security measures

  • Data center security: Our data centers demonstrate ongoing compliance with rigorous international standards, such as SOC2 Type 1.
  • Access control: We restrict access to personal data only to our employees, contractors, and agents who need to know this information to operate, develop, or improve our service. Only a select few have access to the servers where data is stored. We go to great lengths to ensure the right balance between support and secure infrastructure. Employees can only access accounts if they have explicit permission from an account owner or the account is in review for compliance with the ComplyBOI terms of service.
  • Confidentiality agreements: Employees, contractors, and agents are bound by confidentiality obligations and may be subject to discipline, including termination and criminal prosecution, if they fail to meet these obligations.
  • App security: All access to the ComplyBOI interface is secured over SSL (HTTPS), ensuring the information is encrypted. Our SSL configurations are regularly and automatically scanned to ensure we can quickly remediate any vulnerabilities discovered, such as Heartbleed. Additionally, we provide both TLS and HTTPS connections to the ComplyBOI services, ensuring communications to the service are encrypted. Account passwords are encrypted in the ComplyBOI database, preventing even our own staff from viewing them. We offer a method to recycle API keys at any time in the ComplyBOI interface.
  • Fully redundant servers for the services.
  • Secure protocols (SSL / TLS) across the service endpoints.
  • Separately hosted documentation and marketing site.
    256-bit SSL encryption on the web app and payment processing.
  • All passwords are stored using one-way cryptographic hashing functions.
  • Hardened and patched OS with frequent security updates.
  • External monitoring and audits by highly respected security firms.

Data retention

Data is retained indefinitely. Clients can request that their information be deleted at any time.

Vulnerability Remediation

Vulnerabilities that directly affect ComplyBOI's systems and services will be patched or otherwise remediated within a timeframe appropriate for the severity of the vulnerability, subject to the public availability of a patch or other remediation instructions.

Severity: Timeframe

  • Critical: 24 hours
  • High: 1 week
  • Medium: 1 month
  • Low: 3 months
  • Informational: As necessary

If there's a severity rating that accompanies a vulnerability disclosure, we'll generally rely on that as a starting point but may upgrade or downgrade the severity in our best judgment.