As the enterprise-ready webhooks service, we bake security into everything we do. We follow stricter security protocols than industry best practices and have a strong security posture, to ensure that our customers never need to worry about security and compliance.
Svix undergoes an annual SOC 2 Type II audit of our product, infrastructure, and policies, done by a third-party auditor; a HIPAA attestation by a third party; and a PCI-DSS attestation. Svix is GDPR and CCPA compliant, and lets its customers choose which region they operate in to comply with data locality regulations.
Protecting customer data is a top priority at Svix. We implement robust security measures to ensure that data is encrypted, securely transmitted, and safely backed up. Our approach is designed to maintain confidentiality, integrity, and availability across all stages of data handling.
Data persisted by the Svix service is encrypted at rest using 256-bit AES. Encryption keys are stored using Hardware Security Modules (HSMs), which prevent direct access by any individuals, including Svix and cloud provider employees.
All communications between customers and the Svix APIs and web applications are secured using TLS 1.2 or TLS 1.3. Additionally, all communication between internal Svix services, as well as external communication, is encrypted.
Svix performs full weekly backups as well as point-in-time recovery to ensure data integrity with minimal RPO. Backups are encrypted and stored off-site, and backup recovery tests are performed annually.
The Svix team has no access to production systems, networks, and data, not even through a VPN. Code and infrastructure changes go through strict code review and are deployed automatically once they are approved by team members and pass the appropriate tests and checks.
We design our products with security at the core, employing industry best practices throughout the development lifecycle. From secure coding standards to rigorous code reviews and automated testing, our goal is to ensure that every feature we build meets high standards for confidentiality, integrity, and availability. We also enforce strong access controls and data encryption to protect sensitive information at all times.
We utilize automated vulnerability scanning tools to continuously monitor our infrastructure, applications, and dependencies for known security flaws. These scans run on a regular schedule and are supplemented by manual reviews to ensure accuracy. Detected vulnerabilities are triaged and resolved in accordance with our internal security policies and response timelines.
We provide a range of built-in features to help our customers maintain strong security standards within their own organizations. These include support for Single Sign-On (SSO), role-based access control, and detailed audit logs to track user actions across the platform. By giving teams visibility and control, we help ensure that only the right people have access to the right resources at the right time. These tools are designed to integrate easily into your existing security processes and help you meet internal compliance requirements.
At Svix, we take data privacy seriously and are committed to handling customer data with care and transparency. We're trusted by teams operating in some of the most regulated and privacy-sensitive industries around the world.
Our practices are designed to align with global privacy standards, ensuring that data is collected, processed, and stored in a way that respects user rights and complies with applicable regulations.
Svix environments are available in a variety of geographical regions (such as the US, European Union, Australia, and Canada) in order to satisfy data residency requirements.
If you have any questions about Svix's security and compliance practices, or would like a copy of our reports, please contact us at security@svix.com.
We are here for you.