As an identity verification platform that handles sensitive data, we take data security and privacy very seriously and have designed our platform with security and privacy in mind.
Persona implements bank-grade security and is certified for SOC 2 Type II, a leading global security framework. Our comprehensive security program includes but is not limited to: third-party audits, data encryption, logical access controls, vulnerability scanning, and network protections. Please see our FAQs and Security Page for more details about our commitment to security.
If you need a copy of any security, privacy, and compliance documentation, please reach out to firstname.lastname@example.org with your request.
Persona is GDPR and CCPA compliant, which means we've implemented a robust privacy program that includes secure data transfer and processing practices. We also achieved SOC 2 Type II at the end of 2019. We have an intake process for data subject rights requests, continuous privacy impact assessments, secure data transfer and storage, and privacy and cookie policies reviewed by external legal counsel. We also maintain records of processing as both a controller and processor.
The California Consumer Privacy Act is a new privacy law that came into effect in January 2020 and has been nicknamed California's GDPR. Persona has ensured that our platform is both GDPR and CCPA compliant.
Persona encrypts sensitive data at rest using AES-256 encryption and industry-standard tokenization and hashing. Each data element is encrypted using an AES-256 cipher with a unique initialization vector and an encryption key that is rotated on a regular basis. All data in transit through the Persona web application uses Hypertext Transfer Protocol Secure (HTTPS), enforced with TLS 1.2 or higher, to ensure confidentiality of web sessions.
Our database and technical infrastructure are hosted within SOC 2 and ISO accredited data centers. Physical security controls at our data centers include 24/7 monitoring, cameras, visitor logs, and entry requirements.
Access to production systems and sensitive data is restricted on an explicit need-to-know basis, utilizes the principle of least privilege, and is monitored and audited on a scheduled cadence. Employees accessing production systems are required to use multiple factors of authentication, a VPN enforced via IP whitelisting through a firewall, and valid SSH keys that are access-controlled by IAM.
We maintain a documented vulnerability management program which includes third-party independent penetration testing, periodic scans, identification, and remediation of security vulnerabilities on servers, workstations, network equipment, and applications. All networks, including test and production environments, are regularly scanned. Access to production systems is audit logged. Critical patches are applied to servers on a priority basis, and all other patches are applied as appropriate.
Persona's information security management system (ISMS) outlines rigorous policies and procedures for creating, handling, storing, retaining, and securing data. We process all subject access and deletion data requests in 72 hours and have an incident response plan that has been reviewed and tested to prepare appropriate remediation and notification for any security incidents like data breaches.
All information from Persona's verifications (e.g. the verification results, verification checks, documents, reports, etc.) can be retrieved via API. Please see our API Reference for more information. You will also have access to the Persona Dashboard where you can view information from your end users' verifications and export this information from the Dashboard itself.
Can Persona send us the personally identifiable information (PII) provided by individuals (e.g. Name, DOB, address)?
Yes, in the API / Configuration section of the Dashboard under "Enabled API attributes" you can specify the PII you'd like to retrieve via the API. By default, we do not expose the attributes directly provided by individuals (e.g. name, birthdate, address) via API for data privacy reasons.
Persona is GDPR-compliant, and as a processor under the GDPR, our retention for end user data is determined by you, the controller. As such, we provide an API and a dashboard for you to control and delete data. We can also support automatic deletion of data after a specified time period.
If individuals need to change or correct their personal data, or wish to have it deleted, they must reach out to you (as the controller) directly. As a processor of the data, any requests received by Persona will be forwarded to you for resolution. These requests should be addressed in a timely manner as required by applicable law.
As a processor under GDPR, Persona retains the data indefinitely for audit and compliance purposes unless and until you, as the controller, tell us to delete the data - which you can do via API or via dashboard. We can also set an automated retention period for you, after which we permanently delete all PII.
Persona supports data deletion and data export in accordance with data privacy regulations like GDPR. An individual's personally identifiable information (PII) can be redacted (i.e. permanently deleted from Persona's database) in one of three ways:
- Using the Persona API, you can redact an individual's PII via the delete endpoint.
- Using the Persona Dashboard, in the inquiry details page, you can use the "Redact" button on the top right-hand side to delete an individual's PII.
- We can also set a data retention period, after which we automatically redact all PII from our database.
Please contact email@example.com to set your data retention period. After the individual's PII is redacted it is permanently deleted and cannot be returned. However, the record of the inquiry itself (without any PII) will remain.
What does it mean to redact data? Is the deletion permanent? How do I set up an automated data retention period?
Please contact your customer success manager or firstname.lastname@example.org to set your data retention period. After the individual's PII is redacted, it is permanently deleted and cannot be restored. However, the record of the inquiry itself (without any PII) will remain.
Data subject access requests (DSARs) give individuals the right to ask what data an organization is holding about them, why the organization is holding that data, and who else their information is being disclosed to. DSAR is a term introduced by GDPR and is often used interchangeably with subject access requests (SARs). If an individual submits a data subject access request, you can use Persona to collect all the information related to the individual in our systems via Persona's API endpoints. Please contact email@example.com to help you securely process the DSAR.
Yes, SSO is available on Growth and Enterprise plans. See our Pricing page for details.
You can set up SSO for your organization on the Organization page in the Dashboard.
Yes, we support SAML-based single sign-on through Okta. Please see Persona Dashboard: SAML-based single sign-on (SSO) with Okta for instructions.