Platform Security
Last updated September 24, 2024
Developers using Convex are entrusting us with their most important
assets—their users' data. Accordingly, security is of the utmost
importance to our team.
Practices
- All customer data (source code, databases, file storage, search indexes) are
encrypted at rest using industry-standard 256-bit AES.
- All data in transit, both internally and externally, are encrypted using
standard algorithms like TLS and SSH.
- Each customer database is isolated with random and unique credentials.
- Convex utilizes audited access control management systems for granting
production access to limited and necessary personnel.
- All critical internal systems utilize MFA for account security.
- No customer project data are publicly accessible unless explicitly exposed by
customer-authored functions.
- Convex employs automated vulnerability scanning and intrusion detection within
its infrastructure.
- Our platform conducts third party penetration tests at least annually.
- Third party systems Convex uses for platform services are audited at least
annually for SOC 2 Type II compliance.
- Convex uses Stripe, a certified PCI Service Provider Level 1, for payment
processing.
Compliance
Convex is SOC 2 Type I compliant, demonstrating our dedication to the highest security
and privacy standards for your data's safe management, ensuring robust protection
against unauthorized access and data breaches.
The Health Insurance Portability and Accountability Act (HIPAA) is a US federal law that was enacted in 1996 that requires the protection and confidential handling of protected health information (PHI) by covered entities such as healthcare providers, health plans, and healthcare clearinghouses, as well as their business associates. Provided businesses subject to HIPAA sign Convex’s Business Associate Agreement they may process PHI on the platform.
The General Data Protection Regulation (GDPR) is a comprehensive data protection law that governs the collection of and use of personal data of EU residents, and that allows data subjects to exercise control over their data. Convex complies with the GDPR in the delivery of our service to our customers and monitors our privacy program to ensure continuous compliance.
Convex is hosted on AWS, which is certified for SOC 2 Type II, ISO 9001, GDPR,
HIPAA, FedRamp, and numerous other standards.
Vulnerability Disclosure Policy
If you believe you've discovered a bug in Convex's security, please get in touch
at security@convex.dev and we'll get back to you
within 24 hours. We request that you not publicly disclose the issue until we
have had a chance to address it.
