Your Data Is Protected at Every Layer

EthosVerify is built on AWS infrastructure with security controls at every level — from network to application to data. We follow industry best practices for encryption, access control, and monitoring.

HTTPS / TLS 1.3 Everywhere

All communication between your browser and EthosVerify servers is encrypted using TLS 1.3. We enforce HTTPS on all connections and use HSTS (HTTP Strict Transport Security) to prevent downgrade attacks. Our SSL/TLS certificates are issued by AWS Certificate Manager and automatically renewed.

Password Security

User passwords are hashed using bcrypt with unique per-user salts before storage. We never store passwords in plaintext. Password reset tokens are single-use, time-limited (1 hour), and cryptographically random. We enforce minimum password length of 8 characters and recommend passphrase-based passwords.

Data Encryption at Rest

All user data stored in our databases is encrypted at rest using AES-256 encryption. This includes personal information, verification documents, and account data. AWS Key Management Service (KMS) manages encryption keys with automatic rotation. Database backups are also encrypted.

Access Control & Authentication

We use role-based access control (RBAC) for all internal systems. Administrative access requires multi-factor authentication (MFA). API authentication uses unique, revokable API keys. Session tokens are short-lived and stored securely in HttpOnly, SameSite cookies.

Activity Monitoring & Alerts

We monitor for suspicious account activity including login attempts from new locations, rapid verification request patterns, and unusual API usage. Users receive automatic email alerts for logins from unrecognized devices or locations. Our operations team monitors system health 24/7.

Infrastructure Security

EthosVerify is hosted on Amazon Web Services (AWS) in the ap-southeast-1 (Singapore) region. We leverage AWS security services including VPC isolation, security groups, WAF (Web Application Firewall), and Shield for DDoS protection. All infrastructure changes go through code review and automated testing.

Regular Security Audits

We conduct quarterly internal security reviews and annual third-party penetration testing. Our codebase undergoes automated security scanning on every deployment. We follow OWASP Top 10 guidelines and maintain a responsible disclosure policy for security researchers.

Incident Response

We maintain a documented incident response plan. In the event of a security incident, affected users will be notified within 72 hours via email. We provide transparent post-incident reports. Contact privacy@ethosverifys.web.id to report security concerns.

Compliance & Certifications

SOC 2 Type I

EthosVerify maintains SOC 2 Type I compliance covering the Security Trust Services Criteria. Our controls are designed to meet the AICPA's standards for security.

GDPR Ready

Our data processing practices, consent mechanisms, and data subject access request procedures are designed to meet GDPR requirements for both EU and non-EU data subjects.

AWS Well-Architected

Our infrastructure follows the AWS Well-Architected Framework across all five pillars: operational excellence, security, reliability, performance efficiency, and cost optimization.