Sora has been acquired by CLEAR! Learn more

Security at Sora

Sora ID takes measures to secure our service as well as protect the personal information we collect. Some of the controls we have in place are outlined below.

Data Security

We tokenize SPII (Sensitive Personal Identifiable Information) within our systems using VGS. Highly sensitive fields like SSNs are never handled in plaintext within our systems, and user data is encrypted both at rest and in transit.

Application Security

We undergo regular penetration tests, performed by 3rd party application security experts, that evaluate the safety of our product. We also use a variety of tools and scanners to locate and remediate vulnerabilities in our systems.

Infrastructure Security

Sora runs on Google Cloud Platform (GCP). We use many of GCP's built-in security features to secure our systems, such as Google’s Secret Manager, Key Management System, and Web Application Firewall.


We leverage the WebAuthn protocol to create a biometric device-based credential for authentication, if this is supported by a user’s device. When this is not possible, we instead rely on multi-factor authentication, using either phone or email OTPs.


Enterprise-level security and compliance

Responsible Disclosure

Data security is one of Sora ID’s top priorities, and we believe that working with skilled security researchers can help us identify weaknesses in our technology. If you believe you’ve found a security vulnerability in our service, please notify us. We will work with you to resolve the issue promptly.

Disclosure Policy

  • If you believe you’ve discovered a potential vulnerability, please let us know by emailing us at We will acknowledge your email within five business days.
  • Provide us with a reasonable amount of time to resolve the issue before disclosing it to the public or a third party. We aim to resolve critical issues within five business days of disclosure. Please also provide sufficient information to reproduce the problem.
  • Make a good faith effort to avoid violating privacy, destroying data, or interrupting or degrading the Sora ID service. Please only interact with accounts you own or for which you have explicit permission from the account holder. Please do not take advantage of the vulnerability to download more data than necessary to demonstrate the vulnerability, for example, and please do not delete or modify other people’s data.
  • If you follow the instructions outlined here, we will not take any legal action against you and we will handle your vulnerability report with strict confidentiality. In the public information concerning the problem reported, we will give your name as the discoverer of the issue (unless you desire otherwise).


While researching, we’d like you to refrain from:

Thank you for helping to keep Sora ID and our users safe!