Security and Privacy

Encryption at Rest

All data that Wristband stores is encrypted at rest using AES-256.

Encryption in Transit

All Wristband network traffic is encrypted, end-to-end, using Transport Layer Security (TLS)

Handling of Secrets

All passwords and client secrets that Wristband manages are hashed with Argon2. Any secrets from external identity providers, such as private keys, tokens, and client secrets, are encrypted at the application layer.

Handling of Signing Keys

For signing JWTs, such as access tokens, each Wristband application has a unique set of keys that are distinct from all other applications. Wristband customers can rotate these signing keys at their own discretion. The private signing keys are encrypted at the application layer.

API Security

Even within our own network, we validate access tokens for every API call (both internal and external). All internal service calls are made over HTTPS (end to end). Fine-grained permission checks are enforced for all incoming API calls.

Industry Standards

Our authentication APIs align with the OpenID Connect (OIDC) standard and adhere to the best practices established in the OAuth 2.1 specification.

SOC2 Type 2 Compliance

Wristband achieved SOC2 Type II Compliance in 2025 with the help of our friends at Secureframe. Visit our trust center page where you can download a SOC3 report, which is a publicly available summary of our SOC 2 Type II audit. You can also make a request to our team for the full SOC2 report, which will require signing an NDA with Wristband.

Privacy

We strongly believe the data you put into our system is yours! All personal data stays within our system and does not get sold to third parties. We honor all requests for data retrieval and deletion. Please reach out to support for any data inquiries.