As the enterprise ready webhooks service, security is baked into everything we do. We follow stricter security protocols than industry best practices and have a strong security posture, to ensure that our customers never need to worry about security and compliance.
All communications between customers and the Svix APIs and web applications are secured using TLS 1.2 or TLS 1.3. Encryption is also employed for all communication between internal Svix services as well as external.
Data persisted by the Svix service is encrypted at rest using 256-bit AES.
Svix utilizes API token authentication for API access. API tokens can be safely rotated with a configurable expiry period to ensure operational continuity even when API keys are suspected to be compromised.
For access to the Svix dashboard, Svix uses short-lived JWT tokens so that even if leaked, they will have limited value.
The Svix team has no access to production systems and data, not even through a VPN. Code and infrastructure changes go through strict code review and are deployed automatically once approved by team members and passing the appropriate tests and checks.
Svix has processes and policies in place to ensure the business continuity of its systems and operational. Production systems all have redundancies, and are configured for automatic failover and automatic scaling. The Svix team undergoes yearly business continuity training, and disaster recovery practice.
Svix has completed a third-party SOC 2 Type I audit of our product, infrastructure, and policies, and is currently undergoing the audit for SOC 2 Type II. Svix is GDPR compliant, and lets its customers choose which region they operate in to ensure data locality.
Svix undergoes yearly penetration tests using a third party firm, and employs automatic code and network security scanners that continuously verify the security of its code, servers, and networks.
If you have any questions about the Svix security and compliance practices, please contact us at firstname.lastname@example.org.