Security on Confirm

At Confirm, we take security seriously. This article describes our security procedures and environment.

Written by Joshua Merrill
Updated over a week ago

Account security

Confirm uses Auth0 for authentication. Auth0 is an identity management platform that lets users sign in quickly with their Google, LinkedIn, Facebook, or other accounts. Auth0 holds ISO 27001, ISO 27018, SOC 2 Type II, Gold CSA STAR, and PCI DSS certifications, participates in the EU-US Privacy Shield Framework, and signs HIPAA Business Associate Agreements (BAAs). You can read more about Auth0's security in their security overview.

Because authentication is delegated to Auth0, Confirm never receives or stores your password: Auth0 (or the social provider you sign in with) verifies your credentials and only tells Confirm who you are.

Operational security

All Confirm employees pass a rigorous background check as a condition of employment. All staff accounts, including email accounts, are protected by two-factor authentication, and all staff computers have full-disk encryption enabled.

Technical and data security

All traffic between your browser and Confirm is encrypted with TLS (the successor to SSL) using 256-bit cipher suites. Our TLS configuration also includes OCSP stapling, so browsers can confirm our certificate has not been revoked without a separate lookup, and HTTP Strict Transport Security (HSTS), which tells browsers to refuse unencrypted connections to our domain.

We use Amazon Web Services (AWS) to host our servers and data. AWS holds a suite of compliance certifications for its data centers, including SSAE 16 (SOC 1, SOC 2, and SOC 3) reports. Our server instances run inside a virtual private cloud (VPC), using only data centers located in the United States. All direct access to our production systems requires public-key authentication and two-factor authentication.

Our files, including those you upload, are stored in AWS's storage service. Files are encrypted with AES-256 and backed up within the United States. All databases sit on encrypted-at-rest file systems using AES-256, with encryption keys rotated at least annually. All database queries and traffic travel only over TLS-secured connections.

The Confirm website is served only over HTTPS, and obsolete protocol versions such as SSLv2 and SSLv3 are disabled. Confirm uses CloudFlare to protect against denial-of-service and other common attack vectors.
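The two TLS claims above (HSTS is enabled; SSLv2 and SSLv3 are not) are the kind a practitioner verifies rather than takes on trust. The following is an added example written for this article, not code from Confirm: it parses a Strict-Transport-Security header per RFC 6797 and flags weak policies, and it builds a Python TLS client context that refuses anything below TLS 1.2 (which rules out SSLv2, SSLv3, TLS 1.0 and 1.1). The sample response headers are constructed for the example, and the one-year max-age threshold is an assumption taken from the HSTS preload list requirements.

```python
"""Added example: verify HSTS and TLS-version claims. Constructed data; not Confirm's code."""
import ssl

# Assumed threshold: the HSTS preload list requires max-age >= 1 year,
# includeSubDomains and preload. One year is a sensible floor in general.
ONE_YEAR = 31536000


def parse_hsts(header_value):
    """Parse a Strict-Transport-Security header value into a dict.
    Returns None when the policy is syntactically invalid (RFC 6797 s6.1)."""
    policy = {"max_age": None, "include_subdomains": False, "preload": False}
    for raw in header_value.split(";"):
        directive = raw.strip()
        if not directive:
            continue
        name, _, value = directive.partition("=")
        name = name.strip().lower()          # directive names are case-insensitive
        value = value.strip().strip('"')     # max-age may be a quoted-string
        if name == "max-age":
            if not value.isdigit():
                return None                  # must be a non-negative integer
            policy["max_age"] = int(value)
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        elif name == "preload":
            policy["preload"] = True
        # unknown directives are ignored, as RFC 6797 requires
    if policy["max_age"] is None:
        return None                          # max-age is mandatory
    return policy


def check_hsts(headers):
    """headers: list of (name, value) tuples taken from an HTTPS response.
    Returns a list of findings; an empty list means the policy is strong.
    Note: a UA ignores HSTS sent over plain HTTP, so only feed in HTTPS headers."""
    values = [v for n, v in headers if n.lower() == "strict-transport-security"]
    if not values:
        return ["no Strict-Transport-Security header"]
    if len(values) > 1:
        # RFC 6797 s8.1: the UA processes only the first STS header field
        return ["multiple HSTS headers (browsers use only the first)"]
    policy = parse_hsts(values[0])
    if policy is None:
        return ["malformed HSTS header"]
    findings = []
    if policy["max_age"] == 0:
        findings.append("max-age=0 disables HSTS")
    elif policy["max_age"] < ONE_YEAR:
        findings.append(f"max-age {policy['max_age']} is below one year")
    if not policy["include_subdomains"]:
        findings.append("includeSubDomains missing")
    return findings


def hardened_client_context():
    """TLS client context that refuses SSLv2/SSLv3/TLS 1.0/TLS 1.1.
    Certificate verification and hostname checking stay on (the defaults)."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def min_tls_version_name(ctx):
    """Name of the lowest protocol version the context will negotiate."""
    return ctx.minimum_version.name


# Constructed sample responses (not captured from any real site)
GOOD = [("Content-Type", "text/html"),
        ("Strict-Transport-Security", "max-age=31536000; includeSubDomains; preload")]
WEAK = [("Strict-Transport-Security", "max-age=3600")]
MISSING = [("Content-Type", "text/html")]

if __name__ == "__main__":
    for label, hdrs in (("good", GOOD), ("weak", WEAK), ("missing", MISSING)):
        print(label, check_hsts(hdrs) or ["ok"])
    print("minimum TLS version:", min_tls_version_name(hardened_client_context()))
```

To test a live site, replace the constructed lists with the headers of a real HTTPS response and wrap a socket with the hardened context; a server that still offers only SSLv3 or TLS 1.0 will fail the handshake rather than silently downgrade. The context does not by itself check OCSP stapling; that is most easily confirmed with an external tool that requests a stapled response during the handshake.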

Financial security

Confirm uses Stripe for credit card transactions. When you make a purchase on the Confirm website, your card details go directly to Stripe, which stores them; Confirm never has access to full credit card numbers. You can read more about Stripe's security and PCI compliance in their security overview.

Technical expertise

Confirm employs engineers who have worked in other security- and availability-critical domains, including healthcare and financial technology. All technical and software changes go through a peer-review process and a suite of automated acceptance tests before release.

Support options

Confirm strives to be as accessible as possible regarding customer support. You can contact us anytime at [email protected].

Responsible disclosure

If you believe you have discovered a vulnerability in Confirm, or you are a security researcher interested in this space, contact us at [email protected]. Include as many details as possible, including steps to reproduce the issue or a proof of concept.
