Secure by default.
Userfront gives you automated security that far exceeds industry standards.
auditing
SOC 2 compliance with continuous monitoring and external pen testing.
reporting
Real-time security reports generated for each of your workspaces.
events
Keep a trail of all authentication and user actions to quickly diagnose problems.
SOC 2 compliance
Full SOC 2 attestation by Ernst & Young based on security, availability, and confidentiality.
Latest report: March 2022
Continuous monitoring
Realtime monitoring and alerting of SOC 2 controls for all production systems performed by Drata.
Regular testing
Daily automated security scans.
Monthly penetration testing and vulnerability scans performed by independent, 3rd-party security researchers.
Automated security reporting
Realtime coverage for all of your security settings.
Share your posture with clients, execs, and regulators.
Security Report
Prepared on 2024-04-24
This report covers aspects of user identity, authentication, and access control (the "System") provided by Userfront for Demo Tenant.
The following sections list and discuss the settings that the System uses to process and store data. These sections also provide detailed information about the System's security, availability, and privacy settings.
a section
Encryption at Rest
All user information is encrypted at rest.
All Personally Identifiable Information (PII) is encrypted at rest.
| Attribute | Status |
|---|---|
| Name | Encrypted at rest |
| Username | Encrypted at rest |
| Encrypted at rest | |
| Phone number | Encrypted at rest |
| All other user data | Encrypted at rest |
Encryption Method
The System uses the industry standard AES-256 algorithm to encrypt all underlying storage for database instances, automated backups, and read replicas.
| Attribute | Status |
|---|---|
| Encryption at rest algorithm | AES-256 |
User Data Protection
The System allows for removal of user information upon request.
The System uses a data classification policy to determine how different types of data are handled. All user data is classified at the highest level of restriction.
There is a data protection policy and a defined process for responsible disclosure.
| Attribute | Status |
|---|---|
| Removal of user data upon request | Active |
| Data classification policy | Active |
| Data protection policy | Active |
| Process for responsible disclosure | Active |
Backup & Replication
The System performs daily backups of all database information and stores these encrypted backups across multiple redundant regions.
The System further provides active redundancy, with live database replication across multiple regions.
| Attribute | Status |
|---|---|
| Backup cadence | Daily |
| Backup replication | Multi-region |
| Active replication | Multi-region |
| Encryption at rest | Active |
| Encryption at rest algorithm | AES-256 |
Database Monitoring
The System is configured to automatically and continuously monitor database CPU utilization, database read I/O, and database free storage space. Each monitoring category includes real-time alerting and visualization along with historical data and metrics.
The System utilizes a data retention policy to determine when data should be retained and how it should be disposed of, when appropriate.
| Attribute | Status |
|---|---|
| Database CPU monitoring | Active |
| Database read I/O monitoring | Active |
| Database free storage space monitoring | Active |
| Data retention policy | Active |
Password Rules
The System enforces password requirements that meet or exceed NIST Password Guidelines.
Passwords must be at least 16 characters long, or at least 8 characters long including a letter and a number.
Passwords cannot exceed 512 characters in length.
| Attribute | Status |
|---|---|
| Minimum password length if letter and number are included | 8 characters |
| Minimum password length without character requirements | 16 characters |
| Maximum password length | 512 characters |
Password Handling
The System does not store passwords in plain text. Passwords are stored as hashes and are encrypted at rest.
Passwords are not written to system logs.
The System uses the Bcrypt hashing function to generate password hashes, with a unique salt for each password.
The System limits the rate of password attempts at multiple levels, including per IP address, per user, and at the system-wide level.
| Attribute | Status |
|---|---|
| Password hashing function | Bcrypt |
| Password hashing cipher | Blowfish |
| Password salting | Unique per password |
| Key stretching | Included |
| Brute force attack resistance | Active |
| Preimage attack resistance | Active |
| Timing attack resistance | Active |
| Rainbow table attack resistance | Active |
| Log filtering | Active |
| Password hash encryption at rest | Active |
Password Resets
The System provides secure, single-use, time-expiring password reset credentials when requested by a user.
| Attribute | Status |
|---|---|
| Password resets | Active |
| Reset link expiration | 15 minutes |
| Reset link usage | Single use |
Token Signing
The System uses JWT access tokens signed with the RSA 256 algorithm, an asymmetric public key algorithm.
Token signing for the System exceeds the latest Commercial National Security Algorithm (CNSA) specifications for commercial cryptography, approved by the NSA to protect National Security Systems (NSS) up to the TOP SECRET level.
| Attribute | Status |
|---|---|
| Access token format | JSON Web Token (JWT) |
| Access token expiration | 7 days |
| Token signing algorithm | RSA 256 |
| Modulus size | 4096-bit |
| Token signing type | Asymmetric / public key cryptography |
Private Key Security
The System encrypts all private signing keys at rest, such that theft of the database would not expose private signing key information.
Private signing keys are further encrypted using column-level encryption. This means that an active database connection also does not expose private signing key information.
| Attribute | Status |
|---|---|
| Private signing keys encrypted at rest | Active |
| Private signing keys encrypted at column level | Active |
| Private signing keys not accessible over network connection | Active |
Token Refresh
The System uses refresh tokens in conjunction with access tokens. Refresh tokens allow for shorter-lived access tokens, which improves security.
| Attribute | Status |
|---|---|
| Refresh token expiration | 30 days |
JWT Access Token Storage
When logged into this application via a web browser, a user's JWT access token is stored as a cookie.
This cookie is only sent with encrypted requests (HTTPS) to this application's originating website.
| Attribute | Status |
|---|---|
| Secure | true |
| SameSite | Lax |
| HttpOnly | false |
| Expires / Max-Age | 7 days |
Refresh Token Storage
When logged into this application via a web browser, a user's refresh token is stored as a cookie.
This cookie is only sent with encrypted requests (HTTPS) to this application's originating website.
| Attribute | Status |
|---|---|
| Secure | true |
| SameSite | Strict |
| HttpOnly | false |
| Expires / Max-Age | 30 days |
SOC 2
This application uses Userfront for authentication and access control. Userfront is SOC 2 certified and was last audited by Ernst & Young on December 31, 2023.
SOC 2 controls are further continuously monitored by Drata, with daily reporting on the status of all controls.
| Attribute | Status |
|---|---|
| SOC 2 certification | Active |
| SOC 2 monitoring | Active |
| SOC 2 auditor | Ernst & Young |
| SOC 2 monitor | Drata |
| SOC 2 scope | Security, Availability, Confidentiality |
| SOC 2 audit date | December 31, 2023 |
5 More
See the full reportLogging & events
Know what's happening on your system at all times.
Analyze your logs and stay in control.
Security & transparency
Security can be hard to get right.
Userfront keeps your application secure and lets you get back to business.