How we protect your data
Your data isn’t for sale. We encrypt sensitive data before storing it, and only decrypt it on our servers when you need it to use Oath.
At Oath, we handle your personal data as if it were our own, with extreme care. We also know that it is a liability: encryption reduces risk, but no system is 100% impenetrable. Therefore, we collect less of it, protect it with encryption, and make it useless to attackers in the worst-case scenario (a database leak).
To prevent data leaks, we’ve studied and learned from the biggest breaches on the internet. And we’ve learned 3 things:
  • Plan ahead of time with policies and systems
  • Secure access to only people who need it
  • Constantly monitor and evolve security

Our policies and systems

This is the foundation of our security ethos.
We are never going to sell your data to anyone. Although this is a profitable business venture for many tech companies, we believe it is an invasion of privacy and individual liberties.
You have complete and explicit control over any personal data you share. Want it deleted? Use your GDPR rights. See our Privacy Policy for more.
Multiple layers of encryption:
Encryption transforms information so that it is unreadable to anyone who does not hold the key to decrypt (read) it. We encrypt your data, and we keep the key hidden.
  • In transit: HTTPS/TLS
  • At rest: AES-256 on our infrastructure (strong storage encryption)
  • Sensitive fields: encrypted before storage, so raw database access doesn’t reveal them
Fully Owned Identity Verification
We run self-hosted servers for identity verification in our own VPC and fully encrypt all facial maps.

Secure access only

Most data leaks occur because someone who didn’t understand security had access to the wrong things. We’re not like that.
Least privileged access
All access to data is time-bound, logged and monitored, and only a small number of individuals can deploy to our production systems.
Strong Multi-Factor Authentication
All access to our production systems requires multi-factor authentication and biometric verification. Everyone with access is highly trained in security, phishing, and fraud.
Keys separate from data
Encryption keys are held in AWS KMS and rotated there. This keeps the keys separate from the database they protect, so the two are never accessible together.
Decryption only happens on the server
Protected data is decrypted only on the app server, and only when you need it. It is never accessible to an employee. All encrypted data stays unreadable in the database.
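The two items above (keys held in a KMS, decryption only on the app server) describe envelope encryption of individual database fields. The following Go program is an added example that is not Oath's code: it uses a constructed stand-in for AWS KMS (the FakeKMS type, whose GenerateDataKey and Decrypt methods only mirror the shape of the real API), a per-record AES-256-GCM data key that is stored wrapped beside the ciphertext, and additional authenticated data that binds each ciphertext to one record and column. The row that lands in the database contains neither plaintext nor a usable key, so a raw database dump cannot reveal the field, and a leaked row cannot be transplanted onto another record. The record id, column name and sample value are constructed for the demonstration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// randomBytes draws n bytes from crypto/rand; failure here is unrecoverable.
func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

// FakeKMS is a constructed stand-in for AWS KMS: the master key never leaves it.
type FakeKMS struct{ master []byte }

func NewFakeKMS() *FakeKMS { return &FakeKMS{master: randomBytes(32)} }

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts with AES-256-GCM and returns nonce || ciphertext || tag.
func seal(key, plaintext, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := randomBytes(gcm.NonceSize())
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// open reverses seal; it fails if the key, the AAD or any ciphertext byte is wrong.
func open(key, sealed, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], aad)
}

// GenerateDataKey mirrors kms:GenerateDataKey: a fresh key in plaintext and wrapped form.
func (k *FakeKMS) GenerateDataKey() (plain, wrapped []byte, err error) {
	plain = randomBytes(32)
	wrapped, err = seal(k.master, plain, []byte("data-key"))
	return plain, wrapped, err
}

// Decrypt unwraps a data key; only the KMS can do this, the database cannot.
func (k *FakeKMS) Decrypt(wrapped []byte) ([]byte, error) {
	return open(k.master, wrapped, []byte("data-key"))
}

// StoredField is what lands in the database row: no plaintext, no usable key.
type StoredField struct {
	Ciphertext []byte // nonce || ciphertext || tag
	WrappedKey []byte // per-record data key, encrypted under the KMS master key
}

// EncryptField runs on the app server before a sensitive value is written. The AAD
// ties the ciphertext to one record and column, so a row copied elsewhere fails to open.
func EncryptField(kms *FakeKMS, recordID, column, value string) (StoredField, error) {
	dataKey, wrapped, err := kms.GenerateDataKey()
	if err != nil {
		return StoredField{}, err
	}
	ct, err := seal(dataKey, []byte(value), []byte(recordID+":"+column))
	return StoredField{Ciphertext: ct, WrappedKey: wrapped}, err
}

// DecryptField runs on the app server only when the user needs the value.
func DecryptField(kms *FakeKMS, recordID, column string, f StoredField) (string, error) {
	dataKey, err := kms.Decrypt(f.WrappedKey)
	if err != nil {
		return "", err
	}
	pt, err := open(dataKey, f.Ciphertext, []byte(recordID+":"+column))
	return string(pt), err
}

func main() {
	kms := NewFakeKMS()
	row, _ := EncryptField(kms, "user-42", "ssn", "123-45-6789") // constructed sample value
	v, _ := DecryptField(kms, "user-42", "ssn", row)
	_, err := DecryptField(kms, "user-99", "ssn", row) // same row, wrong record: AAD mismatch
	fmt.Printf("row: %d bytes stored; decrypted %q; transplant error: %v\n", len(row.Ciphertext), v, err)
}
```

In a real deployment the application server holds only an IAM role allowed to call the KMS, never the master key itself, so the database, its backups and anyone with raw database access see only ciphertext and wrapped keys; the KMS call is what gets logged and can be time-bound and monitored.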

Continuous monitoring and testing

We’re always upgrading and improving our security and data protection systems.
Logging and anomaly detection
We track our systems to ensure nothing out of the ordinary is occurring.
Regular vulnerability testing and patching
We’re constantly looking through our app, infrastructure, and dependencies for issues.
Operational discipline
We thoroughly test new deployments and review code for issues before we ship to production.
3rd party security testing
We hire professional ethical hackers to analyze and probe for vulnerabilities. We offer rewards for finding vulnerabilities, and are constantly making our system more secure.

Summary

In conclusion, Oath takes a multi-layered, comprehensive approach to protecting your data. As little sensitive data as possible is stored, and the rest is encrypted across its lifecycle. Access is restricted to a small number of authorized personnel, protected by strong MFA, and routinely audited. And lastly, with regular third-party security testing and vulnerability reviews, we proactively fend off threats.
Want more details? Check out our Privacy Policy for specifics around data collection, retention, and deletion.

Made with ❤️ in Texas, USA. Oath Innovations Inc. © 2025