Security at Sora

Sora ID takes measures to secure our service as well as protect the personal information we collect. Some of the controls we have in place are outlined below.


Data Security

We tokenize SPII (Sensitive Personally Identifiable Information) within our systems using VGS, a third-party vendor. In addition, we encrypt all client data both at rest and in transit.

Application Security

We undergo regular penetration tests, performed by third-party application security experts, that evaluate the safety of our product.

Infrastructure Security

Sora runs on Google Cloud Platform (GCP). We use many of GCP’s built-in security features, such as Google’s Secret Manager, Key Management System, and Web Application Firewall. Sora is deployed as a containerized service on GCP, meaning that we typically do not need to manually manage servers or compute instances in production.


We leverage the WebAuthn protocol to create a biometric device-based credential for authentication, if this is supported by a user’s device. When this is not possible, we instead rely on multi-factor authentication, using either phone or email OTPs.

We are SOC2, GDPR, and CCPA compliant



Responsible Disclosure

Data security is one of Sora ID’s top priorities, and we believe that working with skilled security researchers can help us identify weaknesses in our technology. If you believe you’ve found a security vulnerability in our service, please notify us. We will work with you to resolve the issue promptly.

Disclosure Policy


While researching, we’d like you to refrain from:

Thank you for helping to keep Sora ID and our users safe!