Security at Fidel80

Enterprise-grade security protecting sensitive identity data with military-level encryption, continuous monitoring, and compliance with the world's strictest data protection standards.

Our Security Framework

Security isn't just a feature at Fidel80—it's the foundation of everything we do. We handle some of the most sensitive personal information, and we take that responsibility seriously. Our multi-layered security approach ensures your data is protected at every stage.

End-to-End Encryption

All data is encrypted in transit using TLS 1.3 and at rest using AES-256 encryption. Your verification data is encrypted before it ever reaches our servers.

Secure Data Centers

Data is stored in SOC 2 Type II certified data centers with physical security, biometric access controls, and 24/7 monitoring.

Access Control

Role-based access controls with multi-factor authentication, IP whitelisting, and API key rotation ensure only authorized users can access systems.

Continuous Monitoring

Real-time threat detection, intrusion prevention systems, and automated anomaly detection protect against unauthorized access attempts.

Data Protection Measures

Encryption Standards

  • Data in Transit

    TLS 1.3 with perfect forward secrecy for all API communications

  • Data at Rest

    AES-256 encryption with hardware security modules (HSM) for key management

  • Database Encryption

    Field-level encryption for sensitive PII with separate encryption keys

  • Backup Encryption

    All backups encrypted with independent keys stored in secure vaults

Data Segregation

Each client's data is logically separated and encrypted with unique keys. We use database-level isolation to ensure that one client's data cannot be accessed by another client, even in the event of an application-level vulnerability.

Data Retention & Deletion

We retain verification data only as long as necessary for compliance and legal requirements. Data is automatically purged after the retention period, and secure deletion methods ensure data cannot be recovered. Clients can request immediate data deletion subject to legal obligations.

Infrastructure Security

Network Security

  • Dedicated Virtual Private Cloud (VPC) with network segmentation
  • Web Application Firewall (WAF) protecting against OWASP Top 10 vulnerabilities
  • DDoS protection with automatic mitigation
  • Intrusion Detection and Prevention Systems (IDS/IPS)
  • Regular vulnerability scanning and penetration testing

Application Security

  • Secure Software Development Lifecycle (SSDLC)
  • Regular code reviews and static application security testing (SAST)
  • Dynamic application security testing (DAST)
  • Dependency scanning for vulnerable libraries
  • Bug bounty program with responsible disclosure

API Security

  • OAuth 2.0 and API key authentication
  • Rate limiting to prevent abuse
  • Request signing to prevent tampering
  • IP whitelisting for production environments
  • Comprehensive API audit logging

Security Certifications

SOC 2 Type II

Annual audits verify our security, availability, processing integrity, confidentiality, and privacy controls.

ISO 27001

Information Security Management System certification demonstrating a systematic approach to managing sensitive information.

PCI DSS Level 1

Payment Card Industry Data Security Standard compliance for handling payment information securely.

NIST Framework

Aligned with NIST Cybersecurity Framework for comprehensive risk management and security controls.

Incident Response

24/7 Security Operations Center

Our dedicated security team monitors systems around the clock, ready to respond to any security incidents. We maintain a comprehensive incident response plan that includes:

  • Immediate containment and analysis of security events
  • Client notification within 24 hours of confirmed breaches
  • Forensic investigation and root cause analysis
  • Remediation and prevention of future incidents
  • Regular incident response drills and tabletop exercises

Employee Security Practices

Our people are our first line of defense. All employees undergo:

  • Background checks and security clearances before hiring
  • Mandatory security awareness training on joining and annually
  • Regular phishing simulation exercises
  • Strict access control policies with least-privilege principles
  • Confidentiality and non-disclosure agreements
  • Secure device policies with full-disk encryption and remote wipe capabilities

Third-Party Vendor Security

We carefully vet all third-party vendors and service providers who have access to our systems or data. Vendors must meet our security standards, undergo regular audits, and sign comprehensive data processing agreements. We maintain a vendor risk management program to continuously monitor third-party security posture.

Report a Security Issue

We take security reports seriously and appreciate responsible disclosure. If you've discovered a security vulnerability, please report it to us immediately.

Security Team: security@fidel80.com
PGP Key: Available on request
Bug Bounty Program: hackerone.com/fidel80