
Security Support

Version 1.0.0

We know that your data is the most important thing for you. Hence we provide best-in-class security and encryption standards to safeguard your data. Our data security controls and standards are given below in detail:

Internal and external audits are conducted on a regular basis to ensure the effectiveness of Information Security controls and processes. These audits are performed by certified professionals to help us create a secure environment for your data. 

We are ISO 27001 certified and Google Cloud Platform (our cloud hosting provider) is SOC 2 Type II Certified. These certifications are provided to only a handful of organizations after rigorous checks and trials of each of their services. Links to both these certifications are given below:

Access Control

Access to our cloud infrastructure is strictly managed via Google Identity and Access Management (IAM). We have imposed a strong password policy with Two-Factor Authentication (2FA). Access is regularly reviewed to keep your data safe from unauthorized access.

Data Storage and Server Location

We are hosted on the Google Cloud Platform (Mumbai, India) across 3 zones to ensure high availability. This is done to ensure that if there is ever a problem in an individual data center, your service is not disrupted. 

Encryption

We have implemented strong encryption policies for all your data. 

Threat Modelling

We follow a secure software development lifecycle. Our threat modeling and development methodology contains the following:

  • Regular vulnerability assessment and penetration testing of our application and infrastructure is performed by CERT-In empanelled organizations.
  • Tests are performed as per the OWASP standards.
  • Security-focused static analysis tools have been deployed as a part of our CI/CD pipeline.
  • We have a Business Continuity / Disaster Recovery (BCP/DR) plan in place, and we perform a BCP/DR drill on a yearly basis to ensure critical functions can continue during and after a disaster.

Authentication

We support long-lived bearer tokens for authentication of the callbacks. This is a backend configuration and will be done along with the callback endpoint configuration. 

Purging Policy

To ensure the safety of your data, IDfy recommends that you delete all customer data from our platform after a customer journey is complete. We provide multiple automated and manual purging mechanisms:

Automated purging mechanisms

  • API based purging – You may call our purge API when you are looking to purge data
  • Auto purging – You may choose to enable auto purging of data after a configurable span of time (e.g. purge 90 days after data is collected)

Manual purging mechanism

  • Manual purging – Here, you can inform IDfy by email to purge data as a one-time activity 

When data has been purged from our systems, it means that none of the end-user artifacts, transaction logs, or insights data will remain on our systems.

The default system setting is to automatically purge after 90 days of data being received in the IDfy system. Please note that IDfy will not be able to recover the data after this period and will not be liable for any loss of data on account of such policy implementation. If this purge period needs to be modified, please contact us.

Personally Identifiable Information and Data

A custom Data Protection Framework has been implemented by us to put an emphasis on the most sensitive and valuable data within our organization, including your Personally Identifiable Information (PII) and that of your customers.

Threat Protection

Google Cloud Armor has been deployed in our system, which provides defenses against DDoS and application attacks (WAF).

We use the Google Security Command Center for security and risk management across our Google Cloud Platform infrastructure. Google Security Command Center provides the following key services:

  • Centralized visibility and control to manage misconfigurations and vulnerabilities.
  • Detection of threats targeting IDfy Google Cloud assets.
  • Automated report generation and compliance maintenance against standards like ISO, CIS, NIST, etc.

If you need any specific support, please email your query to vkyc.support@idfy.com.
