Secure by default.

Userfront gives you automated security that far exceeds industry standards.

Compliance & Auditing

SOC 2 compliance with continuous monitoring and external pen testing.
Real-time security reports generated for each of your workspaces.
Keep a trail of all authentication and user actions to quickly diagnose problems.

Stay Secure

Synchronize your users imageSynchronize your users image

SOC 2 compliance

Full SOC 2 attestation by Ernst & Young based on security, availability, and confidentiality.

Latest report: December 2023
Synchronize your users image

Continuous monitoring

Realtime monitoring and alerting of SOC 2 controls for all production systems performed by Drata.
Synchronize your users image

Regular testing

Daily automated security scans.

Monthly penetration testing and vulnerability scans performed by independent, 3rd-party security researchers.

Automated security
reporting

Realtime coverage for all of your security settings. Share your posture with clients, execs, and regulators.

Security Report

Prepared on 2024-03-14

This report covers aspects of user identity, authentication, and access control (the "System") provided by Userfront for Demo Tenant.The following sections list and discuss the settings that the System uses to process and store data. These sections also provide detailed information about the System's security, availability, and privacy settings.

Data Protection

Encryption at Rest

All user information is encrypted at rest.
All Personally Identifiable Information (PII) is encrypted at rest.

Attribute

Status 
Name
Encrypted at rest
Username
Encrypted at rest
Email
Encrypted at rest
Phone number
Encrypted at rest
All other user data
Encrypted at rest
Encryption Method

The System uses the industry standard AES-256 algorithm to encrypt all underlying storage for database instances, automated backups, and read replicas.

Attribute

Status 
Encryption at rest algorithm
AES-256
User Data Protection

The System allows for removal of user information upon request.

The System uses a data classification policy to determine how different types of data are handled. All user data is classified at the highest level of restriction.

There is a data protection policy and a defined process for responsible disclosure.

Attribute

Status 
Removal of user data upon request
Active
Data classification policy
Active
Data protection policy
Active
Process for responsible disclosure
Active

Data Storage

Backup & Replication


The System performs daily backups of all database information and stores these encrypted backups across multiple redundant regions.

The System further provides active redundancy, with live database replication across multiple regions.

Attribute

Status 
Backup cadence
Daily
Backup replication
Multi-region
Active replication
Multi-region
Encryption at rest
Active
Encryption at rest algorithm
AES-256
Database Monitoring

The System is configured to automatically and continuously monitor database CPU utilization, database read I/O, and database free storage space. Each monitoring category includes real-time alerting and visualization along with historical data and metrics.

The System utilizes a data retention policy to determine when data should be retained and how it should be disposed of, when appropriate.

Attribute

Status 
Database CPU monitoring
Active
Database read I/O monitoring
Active
Database free storage space monitoring
Active
Data retention policy
Active

Passwords

Password Rules


The System enforces password requirements that meet or exceed NIST Password Guidelines.

Passwords must be at least 16 characters long, or at least 8 characters long including a letter and a number.

Passwords cannot exceed 512 characters in length.

Attribute

Status 
Minimum password length if letter and number are included
8 characters
Minimum password length without character requirements
16 characters
Maximum password length
512 characters
Password Handling

The System does not store passwords in plain text. Passwords are stored as hashes and are encrypted at rest.

Passwords are not written to system logs.

The System uses the Bcrypt hashing function to generate password hashes, with a unique salt for each password.

The System limits the rate of password attempts at multiple levels, including per IP address, per user, and at the system-wide level.

Attribute

Status 
Password hashing function
Bcrypt
Password hashing cipher
Blowfish
Password salting
Unique per password
Key stretching
Included
Brute force attack resistance
Active
Preimage attack resistance
Active
Timing attack resistance
Active
Rainbow table attack resistance
Active
Log filtering
Active
Password hash encryption at rest
Active
Password Resets

The System provides secure, single-use, time-expiring password reset credentials when requested by a user.

Attribute

Status 
Password resets
Active
Reset link expiration
15 minutes
Reset link usage
Single use

Access Tokens

Token Signing

The System uses JWT access tokens signed with the RSA 256 algorithm, an asymmetric public key algorithm.

Token signing for the System exceeds the latest Commercial National Security Algorithm (CNSA) specifications for commercial cryptography, approved by the NSA to protect National Security Systems (NSS) up to the TOP SECRET level.

Attribute

Status 
Access token format
JSON Web Token (JWT)
Access token expiration
7 days
Token signing algorithm
RSA 256
Modulus size
4096-bit
Token signing type
Asymmetric / public key cryptography
Private Key Security

The System encrypts all private signing keys at rest, such that theft of the database would not expose private signing key information.

Private signing keys are further encrypted using column-level encryption. This means that an active database connection also does not expose private signing key information.

Attribute

Status 
Private signing keys encrypted at rest
Active
Private signing keys encrypted at column level
Active
Private signing keys not accessible over network connection
Active
Token Refresh

The System uses refresh tokens in conjunction with access tokens. Refresh tokens allow for shorter-lived access tokens, which improves security.

Attribute

Status 
Refresh token expiration
30 days

Browser Security

JWT Access Token Storage

When logged into this application via a web browser, a user's JWT access token is stored as a cookie.

This cookie is only sent with encrypted requests (HTTPS) to this application's originating website.

Attribute

Status 
Secure
true
SameSite
Lax
HttpOnly
false
Expires / Max-Age
7 days
Refresh Token Storage

When logged into this application via a web browser, a user's refresh token is stored as a cookie.

This cookie is only sent with encrypted requests (HTTPS) to this application's originating website.

Attribute

Status 
Secure
true
SameSite
Strict
HttpOnly
false
Expires / Max-Age
30 days

Compliance

SOC 2

This application uses Userfront for authentication and access control. Userfront is SOC 2 certified and was last audited by Ernst & Young on December 31, 2023.

SOC 2 controls are further continuously monitored by Drata, with daily reporting on the status of all controls.

Attribute

Status 
SOC 2 certification
Active
SOC 2 monitoring
Active
SOC 2 auditor
Ernst & Young
SOC 2 monitor
Drata
SOC 2 scope
Security, Availability, Confidentiality
SOC 2 audit date
March 1, 2022

5 More

See Full Report.

Security & transparency

Security can be hard to get right.

Userfront keeps your application secure and lets you get back to business.