Last updated Jan 19, 2024
Developers using Convex are entrusting us with their most important assets—their users' data. Accordingly, security is of the utmost importance to our team.
- All customer data (source code, databases, file storage, search indexes) are encrypted at rest using industry-standard 256-bit AES.
- All data in transit, both internally and externally, are encrypted using standard algorithms like TLS and SSH.
- Each customer database is isolated with random and unique credentials.
- Convex utilizes audited access control management systems for granting production access to limited and necessary personnel.
- All critical internal systems utilize MFA for account security.
- No customer project data are publicly accessible unless explicitly exposed by customer-authored functions.
- Convex employs automated vulnerability scanning and intrusion detection within its infrastructure.
- Our platform conducts third-party penetration tests at least annually.
- Third-party systems Convex uses for platform services are audited at least annually for SOC 2 Type II compliance.
- Convex uses Stripe, a certified PCI Service Provider Level 1, for payment processing.
Convex is hosted on AWS, which is certified for SOC 2 Type II, ISO 9001, GDPR, HIPAA, FedRAMP, and numerous other standards.
Vulnerability Disclosure Policy
If you believe you've discovered a bug in Convex's security, please get in touch at firstname.lastname@example.org and we'll get back to you within 24 hours. We request that you not publicly disclose the issue until we have had a chance to address it.