We're excited to announce our $18M Series A, led by Paradigm →

Secure infrastructure for world-class products

We’re trusted to onboard millions of users to their favorite products. We sweat the details so you can operate securely.

lock image
Independently Audited

Battle-tested and retested

A secure stack must be designed for failures. Privy works with security experts to review and threat model all systems and infrastructure. Our infrastructure has gone through several rounds of security reviews and pentests, and we undergo these reviews on a regular basis to surface and address new issues.

Designed For User Control

Self-custodial architecture

Whether they connect with third-party wallets or leverage embedded wallets, your users’ keys are their own. All Privy architecture is designed to be self-custodial, meaning only your user can access their private keys, and they must always be present to take action with their assets.

Robust Infrastructure

Built on a secure cloud

Privy leverages best-in-class infrastructure to secure all user data. We run on Amazon Web Services (AWS). All data is encrypted at rest via AES-256-GCM and transferred encrypted using HTTPS/TLS 1.2. We leverage modern key management systems to encrypt and tokenize sensitive information so it can only be accessed by authorized parties.

OPSEC Included

Defense in depth

All engineering is security engineering at Privy. We build layered security measures into our product, infrastructure, and operational work. Product and architecture design starts with threat modeling all systems and infrastructure - we set security requirements hand-in-hand with product requirements. In our implementation, we maintain strict review, CI/CD, and isolate access to data by least-privilege.

Product Overview

Product security

Read more about how Privy works. Audits available to enquiring customers.

Secure authentication

Privy leverages industry best practices around secure authentication. We verify accounts with short-lived one-time codes enforcing rate limits, and request origins. Access tokens are JWTs signed by Ed25519 keys specific to your app.

Data access and encryption

All traffic is encrypted with TLS >= 1.2 and HSTS and is routed through Cloudflare. Services are run in private VPCs on AWS. All API requests must be authenticated with an API secret.

Key management

At wallet creation, an isolated iframe generates a keypair with 128 bits of entropy chosen at random using a CSPRNG, and converting these via BIP-39. Private keys are split using Shamir’s Secret Sharing. The full private key is never persisted anywhere so only the user can access it.

Progressive defenses

We know wallets are not one-size-fits-all. We set strong standards and enable users to upgrade systems to match their needs. Users can layer on defenses like linking additional sign-in methods and adding auth and transaction MFA to their accounts as their assets grow in value.

Vulnerability Disclosure

We Want to Work with Security Researchers

Think you’ve found something? We’d like to hear from you.

Submit a Vulnerability Report

Enterprise-Grade

Ask us about our audits

Security is a constantly-moving target. This means establishing and examining our threat models across operational security, infrastructure, cryptography and application security on an ongoing basis.

Privy works with internal stakeholders, advisors and third-party auditors and pentesters on our security posture. Our work here is never done and we are continually improving our systems to meet an evolving threat landscape.

Cure53 logo
Cure53

Cryptography audit

February 2023

Status: Complete
Zellic logo
Zellic

Cryptography audit

June 2023

Status: Complete
iVision logo
iVision

Pentest

August 2023

Status: In progress
SOC 2 Type II logo
SOC 2 Type II

Soc 2 Attestation

September 2023

Status: In progress
Backed by
  • Paradigm
  • Sequoia
  • BlueYard
  • Electric Capital
  • Archetype
  • Protocol Labs
And many more