Unit is certified SOC 2 Type II and PCI DSS Level 1 compliant. We deploy best-in-class practices and tools to maintain security on all levels: infrastructure, product, and within our company. Startups, leading brands, and public companies all trust Unit.
Company
Security within Unit
Authentication and authorization
Unit maintains strict role-based access control across all our internal and external systems. Access to all critical services requires SSO or multi-factor authentication where available.
External audits
Unit conducts an annual independent audit of policies and procedures, including: Information Security Policy, Third-Party Risk Management Policy, Business Continuity Policy, Incident Response Policy, and End-User Data and Privacy Policy.
Risk assessment
Unit conducts regular risk assessments to gain an accurate and thorough understanding of the potential risks to security, availability, and privacy in our products and services.
Penetration tests
We engage with trusted third parties to complete network and application vulnerability scans at least once annually.
Vulnerability scans
Unit performs internal vulnerability scans continuously to identify, prioritize, and remediate potential system vulnerabilities.
Third-party risk management
Unit implements board-governed third-party management policies and procedures. This helps us protect assets and data that are accessible by vendors, and establish standards for information security and service delivery from vendors.
Background checks
Unit conducts background checks on all applicants selected for full-time employment.
Training
All Unit employees are required to complete security training annually.
Infrastructure
Infrastructure security
Privacy
Unit is committed to compliance with all applicable financial and data privacy laws.
External audits
Unit conducts an annual external independent audit — penetration testing, vulnerability scans, and information security.
Audit logs
Unit collects audit trails, covering every write operation in Unit’s ecosystem.
Data encryption
Unit encrypts all data, both at rest (AES-256-GCM) and in transit (TLS 1.2).
Segmentation
Unit’s AWS environments - production and sandbox - are fully segregated.
Network
Unit uses AWS Security Groups to filter inbound traffic. Outbound traffic is only allowed for known IPs.
Product
Product security
API token scopes
Each API token at Unit is limited in scope, ensuring that it can access only certain resources, and can perform only certain operations on them (read/write).
Customer tokens
Customer tokens restrict API resources to only what is enabled for a specific customer, and limit token exposure to individual customers. They include built-in Two Factor Authentication (OTP) and customizable expiry that your systems can rely on.
API token expiration
API tokens are set to automatically expire in one year. Unit lets you customize expiration dates to enforce stricter security policies in your organization.
SSO
The Unit Dashboard supports the industry-standard SAML 2.0 protocol, to help you authenticate your users using an external identity provider.
Roles and permissions
The Unit Dashboard includes built-in roles and permissions for your team members. This ensures that access to information is granted on a need-to-know basis only.
Sensitive data bypass
Display sensitive customer data without any of it passing through your systems, offloading the need for PCI compliance to share it.
Sensitive data restriction
Sensitive data, such as full card numbers, are not available to be displayed in the Dashboard unless your company is PCI certified.
Availability
Redundancy
Unit ensures active-active availability, improving recovery times and providing access to second availability zones.
Backups
We back up all production data, and all backups are geo-replicated within the same judicial data boundary.
Monitoring
We continuously monitor the platform and post real-time updates to our public status page.
Business continuity
We have documented and implemented a business continuity plan that we activate and follow in the event of disruptions. We test our business continuity plan at least once annually, using different real world scenarios.