We are utilizing the industry's best security practices with guidance from NIST and the latest Digital Authentication Guidelines.

Our application is continuously monitored for CVE, OSVDB, XSS, SQL injection and many other types of vulnerabilities using Snyk.

All PII is encrypted at rest with a symmetric key derived from the user's passphrase, using a NIST-approved algorithm that relies on a hardware security module (HSM).

Every assertion of PII (Personally Identifiable Information) is encrypted during transit using TLS (transmitted over HTTPS) and additionally using industry standard XML encryption at the application layer to further protect against pilfered payloads.

Our XML encryption approach uses the xmlenc gem with AES-256-CBC for the PII and RSA-OAEP-MGF1P for the key. The encrypted PII is signed with the Service Provider's public key.

We use Rack::Attack to throttle abusive requests and brute-force authentication attempts.

The application and server-level health and availability is monitored using New Relic and incident response is handled using PagerDuty.

We are currently implementing our own independent monitoring and transaction testing for accurate monitoring of system and key transaction health without relying on third parties.