Security Practices
Security and Privacy
For detailed information about our security and privacy practices, you can view our privacy policy. Below are some highlights.
Data centers and security measures
Data centers
ComplyBOI's servers are hosted at Fly.io (San Jose, USA region). Database (sfo2) and cloud storage (sfo3) are hosted at DigitalOcean.
Hosted Infrastructure Details
The Fly.io and DigitalOcean infrastructures have strong safeguards to protect customer privacy. All data is stored in highly secure data centers. For a detailed overview of all security and privacy measures, see the Fly.io Security page and DigitalOcean Security page.
Additional security measures
- Data center security: Our data centers demonstrate ongoing compliance with rigorous international standards, such as SOC2 Type 1.
- Access control: We restrict access to personal data only to our employees, contractors, and agents who need to know this information to operate, develop, or improve our service. Only a select few have access to the servers where data is stored. We go to great lengths to ensure the right balance between support and secure infrastructure. Employees can only access accounts if they have explicit permission from an account owner or the account is in review for compliance with the ComplyBOI terms of service.
- Confidentiality agreements: Employees, contractors, and agents are bound by confidentiality obligations and may be subject to discipline, including termination and criminal prosecution, if they fail to meet these obligations.
- App security: All access to the ComplyBOI interface is secured over SSL/TLS (HTTPS), so information in transit is encrypted. Our SSL/TLS configurations are regularly and automatically scanned so that we can quickly remediate any vulnerabilities discovered, such as Heartbleed. Additionally, we provide both TLS and HTTPS connections to the ComplyBOI services, ensuring communications to the service are encrypted. Account passwords are stored only as one-way cryptographic hashes in the ComplyBOI database, so not even our own staff can view them. API keys can be recycled at any time in the ComplyBOI interface.
- Fully redundant servers for the services.
- Secure protocols (SSL / TLS) across the service endpoints.
- Separately hosted documentation and marketing site.
- 256-bit SSL encryption on the web app and payment processing.
- All passwords are stored using one-way cryptographic hashing functions.
- Hardened and patched OS with frequent security updates.
- External monitoring and audits by highly respected security firms.
Data retention
Data is retained indefinitely. Clients can request that their information be deleted at any time.
Vulnerability Remediation
Vulnerabilities that directly affect ComplyBOI's systems and services will be patched or otherwise remediated within a timeframe appropriate for the severity of the vulnerability, subject to the public availability of a patch or other remediation instructions.
| Severity | Timeframe |
|---|---|
| Critical | 24 hours |
| High | 1 week |
| Medium | 1 month |
| Low | 3 months |
| Informational | As necessary |
If there's a severity rating that accompanies a vulnerability disclosure, we'll generally rely on that as a starting point but may upgrade or downgrade the severity in our best judgment.