Unit is certified SOC 2 Type II and PCI DSS Level 1 compliant. We deploy best-in-class practices and tools to maintain security on all levels: infrastructure, product, and within our company. Startups, leading brands, and public companies all trust Unit.
Security within Unit
Authentication and authorization
Unit maintains strict role-based access control across all our internal and external systems. Access to all critical services requires SSO or multi-factor authentication where available.
Unit conducts regular risk assessments to gain an accurate and thorough understanding of the potential risks to security, availability, and privacy in our products and services.
We engage with trusted third parties to complete network and application vulnerability scans at least once annually.
Unit performs internal vulnerability scans continuously to identify, prioritize, and remediate potential system vulnerabilities.
Third-party risk management
Unit implements board-governed third-party management policies and procedures. These help us ensure the protection of assets and data that vendors can access, and establish standards for information security and service delivery from vendors.
Unit conducts background checks on all applicants selected for full-time employment.
All Unit employees are required to complete security training annually.
Unit is committed to compliance with all applicable financial and data privacy laws.
Unit conducts an annual external independent audit covering penetration testing, vulnerability scans, and information security.
Unit collects audit trails covering every write operation in Unit’s ecosystem.
Unit encrypts all data, both at rest (AES-256-GCM) and in transit (TLS 1.2).
Unit’s AWS environments (production and sandbox) are fully segregated.
Unit uses AWS Security Groups to filter inbound traffic. Outbound traffic is only allowed for known IPs.
API token scopes
Each API token at Unit is limited in scope, ensuring that it can access only certain resources, and can perform only certain operations on them (read/write).
Customer tokens restrict API resources to only what is enabled for a specific customer, and limit token exposure to individual customers. They include built-in two-factor authentication (OTP) and customizable expiry that your systems can rely on.
API token expiration
API tokens are set to automatically expire in one year. Unit lets you customize expiration dates to enforce stricter security policies in your organization.
The Unit Dashboard supports the industry-standard SAML 2.0 protocol, to help you authenticate your users using an external identity provider.
Roles and permissions
The Unit Dashboard includes built-in roles and permissions for your team members. This ensures that access to information is granted on a need-to-know basis only.
Sensitive data bypass
Display sensitive customer data to your users without any of it passing through your systems, removing the need for your systems to be PCI compliant in order to share it.
Sensitive data restriction
Sensitive data, such as full card numbers, cannot be displayed in the Dashboard unless your company is PCI certified.
Unit ensures active-active availability, improving recovery times and providing access to a second availability zone.
We back up all production data, and all backups are geo-replicated within the same jurisdictional data boundary.
We continuously monitor the platform and post real-time updates to our public status page.
We have documented and implemented a business continuity plan that we activate and follow in the event of disruptions. We test our business continuity plan at least once annually, using different real-world scenarios.