Security and Privacy
Wristband is designed to keep your data safe and secure.
Encryption at Rest
All data that Wristband stores is encrypted at rest using AES-256.
Encryption in Transit
All Wristband network traffic is encrypted, end-to-end, using Transport Layer Security (TLS).
Handling of Secrets
All passwords and client secrets that Wristband manages are hashed with Argon2. Any secrets from external identity providers, such as private keys, tokens, and client secrets, are encrypted at the application layer.
Handling of Signing Keys
For signing JWTs, such as access tokens, each Wristband application has a unique set of keys that are distinct from all other applications. Wristband customers can rotate these signing keys at their own discretion. The private signing keys are encrypted at the application layer.
API Security
Even within our own network, we validate access tokens for every API call (both internal and external). All internal service calls are made over HTTPS (end to end). Fine-grained permission checks are enforced for all incoming API calls.
Industry Standards
Our authentication APIs align with the OpenID Connect (OIDC) standard and adhere to the best practices established in the OAuth 2.1 specification.
SOC2 Compliance
We are currently working our way towards SOC2 Type 2 compliance. Once our certification is complete, we will update this section and share the report with everyone.
Privacy
We strongly believe the data you put into our system is yours! All personal data stays within our system and does not get sold to third parties. We honor all requests for data retrieval and deletion. Please reach out to support for any data inquiries.
Updated 15 days ago