Security and Privacy

Wristband is designed to keep your data safe and secure.

Encryption at Rest

All data that Wristband stores is encrypted at rest using AES-256.

Encryption in Transit

All Wristband network traffic is encrypted, end-to-end, using Transport Layer Security (TLS).

Handling of Secrets

All passwords and client secrets managed by Wristband are hashed using Argon2. Any secrets from external identity providers, such as private keys, tokens, and client secrets, are encrypted at the application layer.

Handling of Signing Keys

For signing JWTs, such as access tokens, each Wristband application has a unique set of keys that are distinct from all other applications. Wristband customers can rotate these signing keys at their discretion. The private signing keys are encrypted at the application layer.

API Security

We validate access tokens for every API call (both internal and external). All internal service calls are made over HTTPS (end-to-end). Fine-grained permission checks are enforced for all incoming API calls.

Industry Standards

Our authentication APIs align with the OpenID Connect (OIDC) standard and adhere to the best practices established in the OAuth 2.1 specification.

SOC 2 Type II Compliance

Wristband achieved SOC 2 Type II compliance in 2025. Visit our trust center page, where you can download a SOC 3 report, a publicly available summary of our SOC 2 Type II audit. You can also request a full SOC 2 report from our team, which will require you to sign an NDA with Wristband.

Privacy

We strongly believe the data you put into our system is yours! All personal data remains within our system and is not sold to third parties. We honor all requests for data retrieval and deletion. Please reach out to support for any data inquiries.