Your Data Is Protected at Every Layer
EthosVerify is built on AWS infrastructure with security controls at every level — from network to application to data. We follow industry best practices for encryption, access control, and monitoring.
HTTPS / TLS 1.3 Everywhere
All communication between your browser and EthosVerify servers is encrypted using TLS 1.3. We enforce HTTPS on all connections and use HSTS (HTTP Strict Transport Security) to prevent downgrade attacks. Our SSL/TLS certificates are issued by AWS Certificate Manager and automatically renewed.
Password Security
User passwords are hashed using bcrypt with unique per-user salts before storage. We never store passwords in plaintext. Password reset tokens are single-use, time-limited (1 hour), and cryptographically random. We enforce minimum password length of 8 characters and recommend passphrase-based passwords.
Data Encryption at Rest
All user data stored in our databases is encrypted at rest using AES-256 encryption. This includes personal information, verification documents, and account data. AWS Key Management Service (KMS) manages encryption keys with automatic rotation. Database backups are also encrypted.
Access Control & Authentication
We use role-based access control (RBAC) for all internal systems. Administrative access requires multi-factor authentication (MFA). API authentication uses unique, revokable API keys. Session tokens are short-lived and stored securely in HttpOnly, SameSite cookies.
Activity Monitoring & Alerts
We monitor for suspicious account activity including login attempts from new locations, rapid verification request patterns, and unusual API usage. Users receive automatic email alerts for logins from unrecognized devices or locations. Our operations team monitors system health 24/7.
Infrastructure Security
EthosVerify is hosted on Amazon Web Services (AWS) in the ap-southeast-1 (Singapore) region. We leverage AWS security services including VPC isolation, security groups, WAF (Web Application Firewall), and Shield for DDoS protection. All infrastructure changes go through code review and automated testing.
Regular Security Audits
We conduct quarterly internal security reviews and annual third-party penetration testing. Our codebase undergoes automated security scanning on every deployment. We follow OWASP Top 10 guidelines and maintain a responsible disclosure policy for security researchers.
Incident Response
We maintain a documented incident response plan. In the event of a security incident, affected users will be notified within 72 hours via email. We provide transparent post-incident reports. Contact privacy@ethosverifys.web.id to report security concerns.