Security and Privacy

Wristband is designed to keep your data safe and secure.

Encryption at Rest

All data that Wristband stores is encrypted at rest using AES-256.

Encryption in Transit

All Wristband network traffic is encrypted in transit, end to end, using Transport Layer Security (TLS).

Handling of Secrets

All passwords and client secrets that Wristband manages are stored only as Argon2 hashes, so the original values cannot be recovered from storage. Secrets from external identity providers, such as private keys, tokens, and client secrets, have to remain usable and so cannot be hashed; they are encrypted at the application layer instead.
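The application-layer encryption of a provider secret described above, as an added example that is not Wristband's code and makes no claim about how Wristband stores these records. It uses AES-256-GCM from Go's standard library and binds the provider record's ID into the ciphertext as associated data, so a ciphertext copied onto a different record fails to decrypt. The ProviderSecret layout, the helper names, the sample provider ID and the sample secret are constructed for the example; in practice the data-encryption key would come from a KMS or HSM rather than being generated in the process.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// ProviderSecret is the stored form of a secret obtained from an external
// identity provider (a constructed record layout, not Wristband's schema).
type ProviderSecret struct {
	ProviderID string // bound into the ciphertext as associated data
	Nonce      []byte
	Ciphertext []byte // AES-256-GCM output, authentication tag included
}

// newAEAD builds an AES-256-GCM cipher; a wrong-length key is rejected so a
// truncated or misconfigured key cannot silently select AES-128 or AES-192.
func newAEAD(dek []byte) (cipher.AEAD, error) {
	if len(dek) != 32 {
		return nil, fmt.Errorf("data-encryption key must be 32 bytes, got %d", len(dek))
	}
	block, err := aes.NewCipher(dek)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealProviderSecret encrypts a provider secret under the data-encryption key.
// Each call draws a fresh random nonce; reusing a nonce under GCM breaks it.
func sealProviderSecret(dek []byte, providerID string, secret []byte) (ProviderSecret, error) {
	aead, err := newAEAD(dek)
	if err != nil {
		return ProviderSecret{}, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return ProviderSecret{}, err
	}
	ct := aead.Seal(nil, nonce, secret, []byte(providerID))
	return ProviderSecret{ProviderID: providerID, Nonce: nonce, Ciphertext: ct}, nil
}

// openProviderSecret decrypts a record. GCM's tag check fails if the ciphertext
// was modified or if it was copied onto a record with a different provider ID.
func openProviderSecret(dek []byte, rec ProviderSecret) ([]byte, error) {
	aead, err := newAEAD(dek)
	if err != nil {
		return nil, err
	}
	return aead.Open(nil, rec.Nonce, rec.Ciphertext, []byte(rec.ProviderID))
}

func main() {
	dek := make([]byte, 32) // in production this comes from a KMS or HSM, never from source
	if _, err := rand.Read(dek); err != nil {
		panic(err)
	}
	rec, err := sealProviderSecret(dek, "idp-acme", []byte("acme-client-secret")) // constructed sample
	if err != nil {
		panic(err)
	}
	plain, err := openProviderSecret(dek, rec)
	fmt.Printf("decrypted: %s, err: %v\n", plain, err)
	rec.ProviderID = "idp-other" // simulate moving the ciphertext onto another record
	_, err = openProviderSecret(dek, rec)
	fmt.Println("moved to another provider record:", err)
}
```

The associated data is the detail worth copying: without it, an attacker with write access to the secrets table could swap one provider's encrypted secret onto another provider's row and the decryption would still succeed.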

Handling of Signing Keys

For signing JWTs such as access tokens, each Wristband application has its own set of signing keys, shared with no other application, so a token issued for one application cannot be validated with another application's keys. Wristband customers can rotate these signing keys at their own discretion. The private signing keys are encrypted at the application layer.

API Security

Even within our own network, we validate access tokens for every API call, internal and external. All internal service calls are made over HTTPS, end to end. Fine-grained permission checks are enforced for every incoming API call.
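Per-application signing keys with rotation (the Handling of Signing Keys section) followed by the per-call token validation and permission check (this section), as one added example that is not Wristband's code and makes no claim about its internals. It uses Go's standard library with Ed25519 (JWS alg "EdDSA") rather than whatever algorithm Wristband uses; the AppKeySet type, the kid naming scheme, the "permissions" claim name and the sample application IDs are assumptions made for the example. Rotation adds a new active key and keeps earlier keys for verification, so tokens issued before a rotation stay valid until they expire, and a token from one application fails against another application's key set.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
	"time"
)

// AppKeySet holds one application's signing keys (a hypothetical structure, not Wristband's).
// Only the active key signs; earlier keys stay in the set so rotation does not break live tokens.
type AppKeySet struct {
	AppID  string
	active string                        // kid of the current signing key
	keys   map[string]ed25519.PrivateKey // kid -> private key (encrypted at rest in a real store)
}

// Rotate generates a fresh key pair and makes it the signing key.
func (ks *AppKeySet) Rotate() error {
	_, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return err
	}
	if ks.keys == nil {
		ks.keys = map[string]ed25519.PrivateKey{}
	}
	kid := fmt.Sprintf("%s-k%d", ks.AppID, len(ks.keys)+1)
	ks.keys[kid] = priv
	ks.active = kid
	return nil
}

type Claims struct {
	Aud   string   `json:"aud"`
	Exp   int64    `json:"exp"`
	Perms []string `json:"permissions"`
}

var enc = base64.RawURLEncoding
func decodeSegment(seg string, v any) error {
	b, err := enc.DecodeString(seg)
	if err != nil {
		return err
	}
	return json.Unmarshal(b, v)
}

// Sign issues a compact JWS (alg EdDSA, RFC 8037) that names the active kid in its header.
func (ks *AppKeySet) Sign(c Claims) string {
	hdr, _ := json.Marshal(map[string]string{"alg": "EdDSA", "typ": "JWT", "kid": ks.active})
	body, _ := json.Marshal(c) // a struct of strings and ints cannot fail to marshal
	input := enc.EncodeToString(hdr) + "." + enc.EncodeToString(body)
	return input + "." + enc.EncodeToString(ed25519.Sign(ks.keys[ks.active], []byte(input)))
}

// Verify pins the algorithm, finds the key by kid, checks the signature, then audience and expiry.
func (ks *AppKeySet) Verify(token string, now time.Time) (Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return Claims{}, fmt.Errorf("malformed token")
	}
	var hdr struct{ Alg, Kid string }
	if err := decodeSegment(parts[0], &hdr); err != nil {
		return Claims{}, err
	}
	priv, ok := ks.keys[hdr.Kid]
	if hdr.Alg != "EdDSA" || !ok { // the token never chooses the algorithm or supplies its own key
		return Claims{}, fmt.Errorf("unexpected alg %q or unknown kid %q", hdr.Alg, hdr.Kid)
	}
	sig, err := enc.DecodeString(parts[2])
	if err != nil || !ed25519.Verify(priv.Public().(ed25519.PublicKey), []byte(parts[0]+"."+parts[1]), sig) {
		return Claims{}, fmt.Errorf("bad signature")
	}
	var c Claims
	if err := decodeSegment(parts[1], &c); err != nil {
		return Claims{}, err
	}
	if c.Aud != ks.AppID || !now.Before(time.Unix(c.Exp, 0)) {
		return Claims{}, fmt.Errorf("token is for another application or has expired")
	}
	return c, nil
}

// Authorize is the per-call check an API handler runs: validate the token, then the needed permission.
func (ks *AppKeySet) Authorize(token, need string, now time.Time) (Claims, error) {
	c, err := ks.Verify(token, now)
	if err != nil {
		return Claims{}, err
	}
	for _, p := range c.Perms {
		if p == need {
			return c, nil
		}
	}
	return Claims{}, fmt.Errorf("missing permission %q", need)
}
```

Two details matter in practice: the verifier fixes the algorithm and selects the key by kid from its own set, never from anything the token carries, and the claims are only decoded after the signature check passes. Retiring a key once its last token has expired is a delete from the map; the stored private keys would be encrypted at the application layer, as the page describes.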

Industry Standards

Our authentication APIs follow the OpenID Connect (OIDC) standard and adhere to the best practices consolidated in the OAuth 2.1 draft specification.

SOC2 Compliance

We are currently working toward SOC 2 Type 2 compliance. Once the audit is complete, we will update this section and share the report with everyone.

Privacy

We strongly believe the data you put into our system is yours. All personal data stays within our system and is not sold to third parties. We honor all requests for data retrieval and deletion; please reach out to support for any data inquiries.