Introducing White-Label App: Embed banking and lending with one line of code. Learn more.

People and infrastructure you can trust

Unit is certified SOC 2 Type II and PCI DSS Level 1 compliant. We deploy best-in-class practices and tools to maintain security on all levels: infrastructure, product, and within our company. Startups, leading brands, and public companies all trust Unit.

Build securely with a trusted partner

Security within Unit

Authentication and authorization
Unit maintains strict role-based access control across all our internal and external systems. Access to all critical services requires SSO or multi-factor authentication where available.
External audits
Unit conducts an annual independent audit of policies and procedures, including: Information Security Policy, Third-Party Risk Management Policy, Business Continuity Policy, Incident Response Policy, and End-User Data and Privacy Policy.
Risk assessment
Unit conducts regular risk assessments to gain an accurate and thorough understanding of the potential risks to security, availability, and privacy in our products and services.
Penetration tests
We engage with trusted third parties to complete network and application vulnerability scans at least once annually.
Vulnerability scans
Unit performs internal vulnerability scans continuously to identify, prioritize, and remediate potential system vulnerabilities.
Third-party risk management
Unit implements board-governed third-party management policies and procedures. This helps us ensure protection of assets and data that are accessible by vendors, and to establish standards for information security and service delivery from vendors.
Background checks
Unit conducts background checks on all applicants selected for full-time employment.
Training
All Unit employees are required to complete security training annually.

Infrastructure security

Privacy
Unit is committed to compliance with all applicable financial and data privacy laws.
External audits
Unit conducts an annual external independent audit — penetration testing, vulnerability scans, and information security.
Audit logs
Unit collects audit trails, covering every write operation in Unit’s ecosystem.
Data encryption
Unit encrypts all data, both at rest (AES-256-GCM) and in transit (TLS 1.2).
Segmentation
Unit’s AWS environments - production and sandbox - are fully segregated.
Network
Unit uses AWS Security Groups to filter inbound traffic. Outbound traffic is only allowed for known IPs.

Product security

API token scopes
Each API token at Unit is limited in scope, ensuring that it can access only certain resources, and can perform only certain operations on them (read/write).
Customer tokens
Customer tokens restrict API resources to only what is enabled for a specific customer, and limit token exposure to individual customers. They include built-in Two Factor Authentication (OTP) and customizable expiry that your systems can rely on.
API token expiration
API tokens are set to automatically expire in one year. Unit lets you customize expiration dates to enforce stricter security policies in your organization.
SSO
The Unit Dashboard supports the industry-standard SAML 2.0 protocol, to help you authenticate your users using an external identity provider.
Roles and permissions
The Unit Dashboard includes built-in roles and permissions for your team members. This ensures that access to information on a need-to-know basis only.
Sensitive data bypass
Display sensitive customer data, without any of it passing through your systems, offloading the need for PCI compliance to share it.
Sensitive data restriction
Sensitive data, such as full card numbers, are not available to be displayed in the Dashboard unless your company is PCI certified.

Availability

Redundancy
Unit ensures active-active availability, improving recovery times and providing access to second availability zones.
Backups
We backup all production data and all backups are geo-replicate backups within the same judicial data boundary.
Monitoring
We continuously monitor the platform and post real-time updates to our public status page.
Business continuity
We have documented and implemented a business continuity plan that we activate and follow in the event of disruptions. We test our business continuity plan at least once annually, using different real world scenarios.

Reporting a Security Bug

Unit encourages everyone to follow responsible disclosure procedures when reporting security issues that surround our products, services, websites, or infrastructure. We are committed to engaging with anyone reporting security vulnerabilities in a positive, professional, mutually beneficial manner that protects our customers. To report a security bug, please contact us at security@unit.co.

Bring financial features to life and start building — today

Chat with an expert