Secure infrastructure for world-class products
We’re trusted to onboard millions of users to their favorite products. We sweat the details so you can operate securely.
Battle-tested and retested
A secure stack must be designed for failures. Privy works with security experts to review and threat model all systems and infrastructure. Our infrastructure has gone through several rounds of security reviews and pentests, and we undergo these reviews on a regular basis to surface and address new issues.
Self-custodial architecture
Whether they connect with third-party wallets or leverage embedded wallets, your users’ keys are their own. All Privy architecture is designed to be self-custodial, meaning only your user can access their private keys, and they must always be present to take action with their assets.
Built on a secure cloud
Privy leverages best-in-class infrastructure to secure all user data. We run on Amazon Web Services (AWS). All data is encrypted at rest via AES-256-GCM and transferred encrypted using HTTPS/TLS 1.2. We leverage modern key management systems to encrypt and tokenize sensitive information so it can only be accessed by authorized parties.
Defense in depth
All engineering is security engineering at Privy. We build layered security measures into our product, infrastructure, and operational work. Product and architecture design starts with threat modeling all systems and infrastructure - we set security requirements hand-in-hand with product requirements. In our implementation, we maintain strict review, CI/CD, and isolate access to data by least-privilege.
Product Overview
Product security
Read more about how Privy works. Audits available to enquiring customers.
Secure authentication
Privy leverages industry best practices around secure authentication. We verify accounts with short-lived one-time codes enforcing rate limits, and request origins. Access tokens are JWTs signed by Ed25519 keys specific to your app.
Data access and encryption
All traffic is encrypted with TLS >= 1.2 and HSTS and is routed through Cloudflare. Services are run in private VPCs on AWS. All API requests must be authenticated with an API secret.
Key management
At wallet creation, an isolated iframe generates a keypair with 128 bits of entropy chosen at random using a CSPRNG, and converting these via BIP-39. Private keys are split using Shamir’s Secret Sharing. The full private key is never persisted anywhere so only the user can access it.
Progressive defenses
We know wallets are not one-size-fits-all. We set strong standards and enable users to upgrade systems to match their needs. Users can layer on defenses like linking additional sign-in methods and adding auth and transaction MFA to their accounts as their assets grow in value.
We want to work with security researchers
Think you’ve found something? We’d like to hear from you. Want to get access to our BBP? Reach out to [email protected] for an invite.
Enterprise-Grade
Ask us about our audits
Security is a constantly-moving target. This means establishing and examining our threat models across operational security, infrastructure, cryptography and application security on an ongoing basis.
Privy works with internal stakeholders, advisors and third-party auditors and pentesters on our security posture. Our work here is never done and we are continually improving our systems to meet an evolving threat landscape.
Cryptography audit
February 2023
Cryptography audit
June 2023
Infrastructure Audit
August 2023
Soc 2 Attestation
September 2023
Pentest
December 2023
Infrastructure Audit
February 2024
