Security at Sora
Sora ID takes measures to secure our service as well as protect the personal information we collect. Some of the controls we have in place are outlined below.
We tokenize SPII (Sensitive Personally Identifiable Information) within our systems using VGS, a third-party vendor. In addition, we encrypt all client data both at rest and in transit.
We undergo regular penetration tests, performed by third-party application security experts, that evaluate the safety of our product.
Sora runs on Google Cloud Platform (GCP). We use many of GCP’s built-in security features, such as Google’s Secret Manager, Key Management System, and Web Application Firewall. Sora is deployed as a containerized service on GCP, meaning that we typically do not need to manually manage servers or compute instances in production.
We leverage the WebAuthn protocol to create a biometric device-based credential for authentication, if this is supported by a user’s device. When this is not possible, we instead rely on multi-factor authentication, using either phone or email OTPs.
We are SOC2, GDPR, and CCPA compliant.
Data security is one of Sora ID’s top priorities, and we believe that working with skilled security researchers can help us identify weaknesses in our technology. If you believe you’ve found a security vulnerability in our service, please notify us. We will work with you to resolve the issue promptly.
While researching, we’d like you to refrain from:
Thank you for helping to keep Sora ID and our users safe!