Platform Security

Last updated Jan 19, 2024

Developers using Convex are entrusting us with their most important assets—their users' data. Accordingly, security is of the utmost importance to our team.

Practices

  • All customer data (source code, databases, file storage, search indexes) are encrypted at rest using industry-standard 256-bit AES.
  • All data in transit, both internally and externally, are encrypted using standard algorithms like TLS and SSH.
  • Each customer database is isolated with random and unique credentials.
  • Convex utilizes audited access control management systems for granting production access to limited and necessary personnel.
  • All critical internal systems utilize MFA for account security.
  • No customer project data are publicly accessible unless explicitly exposed by customer-authored functions.
  • Convex employs automated vulnerability scanning and intrusion detection within its infrastructure.
  • Our platform conducts third-party penetration tests at least annually.
  • Third-party systems Convex uses for platform services are audited at least annually for SOC 2 Type II compliance.
  • Convex uses Stripe, a certified PCI Service Provider Level 1, for payment processing.

Compliance

SOC 2 Type I compliant

Convex is SOC 2 Type I compliant, demonstrating our dedication to the highest security and privacy standards for your data’s safe management, ensuring robust protection against unauthorized access and data breaches.

Convex is hosted on AWS, which is certified for SOC 2 Type II, ISO 9001, GDPR, HIPAA, FedRAMP, and numerous other standards.

Vulnerability Disclosure Policy

If you believe you've discovered a bug in Convex's security, please get in touch at security@convex.dev and we'll get back to you within 24 hours. We request that you not publicly disclose the issue until we have had a chance to address it.