Security

Our Commitment to Security

Security Practices

At AuthDuty, we prioritize the security of our systems and the protection of our clients' data. Our security measures include:

  • All connections encrypted with TLS.
  • Multi-factor authentication available for all user accounts.
  • Bot protection on all authentication and public forms.
  • Rate limiting on authentication, verification, and API endpoints.
  • API keys hashed at rest; webhook payloads cryptographically signed.
  • Strict Content Security Policy headers on all pages.
  • Regular security audits and compliance checks.
  • Secure coding practices and regular vulnerability assessments.

Security Assurances

AuthDuty is committed to maintaining the highest standards of security and data protection:

  • Team data is isolated: each team can only access its own data.
  • Immutable audit trail for every verification case and team action.
  • Government ID and biometric data processed by Stripe Identity, never stored on AuthDuty servers.
  • Session management with automatic invalidation on account changes.
  • Adherence to GDPR and other privacy regulations for data protection.
  • Transparent policies and practices for client assurance.

Security Vulnerability Reporting

We take the security of our systems seriously, and we value the security community. The responsible disclosure of security vulnerabilities helps us ensure the security and privacy of all our users.

Guidelines

Please follow these guidelines when reporting a vulnerability:

  • Provide detailed reports with reproducible steps.
  • If the report includes a proof of concept, please make it non-destructive.
  • Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service.
  • Do not disclose the issue to others until it has been resolved.

Submission Process

To submit a vulnerability report to AuthDuty, please email us at:

[email protected]

We will acknowledge receipt of your report within 24 hours, and we will send a more detailed response within 48 hours indicating the next steps in handling your report. After the initial reply to your report, we will keep you informed of the progress towards a fix and full announcement.

We request that you keep your communication about the vulnerability confidential and refrain from posting or sharing any information about the vulnerability until it has been corrected.

Rewards

Though we do not currently offer a paid bug bounty program, we recognize and appreciate security reports that help us keep our services safe for everyone. Reporters of valid issues will be credited publicly if they wish.