Data security

Array has been audited by a PCI-certified auditor and is certified as PCI Service Provider Level 1. This is the most stringent level of certification available in the financial industry. We are audited for and meet or exceed the data security requirements set by our partners and the industry for the transmission and storage of regulated data.

Contents

1. Deployment
2. Data safety

Deployment

Leverage our platform and ship today. Build on top of our secure platform and benefit from our investments and experience in operating an audited PCI Level 1 Service Provider environment.

Our embedded tools and white label platform transmit personal identifying information directly to user devices, keeping you out of scope from costly and time-consuming audits. Ship your solution today, not in weeks or months.

Step 1: Order

Our white label and embedded tools collect user information directly from their devices and pass securely to our API. All data is encrypted while transmitted.

Step 2: Secure tokenization

Every order with personally identifiable or sensitive data uses a secure tokenization system. The user’s device is fingerprinted and provided a unique key and secure token.

Step 3: Delivery

The user’s device downloads the data directly from our API using the unique key and secure token. Every attempt to download the data is logged and audited. Your server never accesses the personal information or data, keeping you out of scope for compliance audits.

Data safety

PCI Level 1 infrastructure

PCI requires us to monitor, log and audit all access to confidential and sensitive data. Beyond that, we have additional controls for storing and retrieving data both when accessed by our applications and services and for our infrastructure teams managing the environments.

Some examples of data security controls include:

• Automatic alerts and alarms regularly monitor for specific events that occur in the environment.
• Systems containing sensitive data can only be accessed by named individuals who have been cleared by background checks and undergone security training.
• Stringent external and internal firewalls and isolation of networks and systems containing cardholder data.
• Long term log collection and storage of all data access, system and network events and personnel access changes.
• Strong network security for our employees and contractors, including virtual private networks and multi-factor authentication.
• Monthly and quarterly audits by our network security and infrastructure teams of all network settings and configurations to validate compliance.
• Information security policies, procedures and training for all employees regarding data security, data access, data storage, etc.

We are audited yearly on our ability to collect and transmit sensitive data such as cardholder data securely. We perform regular testing of both our internal and external networks to comply with these requirements. The annual audits and validation of our PCI compliance are conducted by third-party external auditors certified by the PCI standards council.

Data transmission

Array uses only the latest PCI compliant TLS/SSL settings for all public and private network communications. This includes our websites, applications, embedded tools, API's and white label platform.

As of October 2020, we currently require TLS 1.2+ using RSA 4096 (SHA256) for all SSL traffic.

Array's embedded tools and white label platform using our embedded tools connect directly to the Array API's from user devices. No personal, sensitive or regulated data travels through the web servers and web sites hosting our embedded tools. See our data compliance page on how our software architecture and design protect our customers from complex PCI and regulatory requirements. We implement and require the latest browser security capabilities such as HSTS (HTTP Strict Transport Security) to exceed minimum requirements for PCI. Our external websites are audited monthly for compliance with the latest browser, website and web application security trends.

Secure data storage

All personal, sensitive and regulated data, including credit data and payment processing data, is stored encrypted at rest using AES-256. Decryption keys are held on separate machines on isolated networks with stringent requirements to access and manage those systems. Such systems have no direct external network access and validated regularly as part of our PCI compliance audits.

FCRA and regulated data

Laws and regulations concerning sensitive personnel credit data and partnership and vendor agreements require us to comply or exceed all PCI requirements for the handling of this data. Our partners, including the three major credit bureaus in the United States, audit us for compliance with these regulations and their information-sharing and security policies.

Vulnerability disclosure and reward program

Our network security and compliance teams investigate all reported security issues. If you believe you have discovered a bug in Array's security, please contact us at security@array.io. We will respond to your report in a very timely manner as data security is our highest priority. We ask that you not publicly disclose such issues until we have addressed it.

We recognize security research is challenging and time-consuming, and we appreciate those who wish to help us keep our users and clients safe. We operate a reward program for the responsible disclosure of vulnerabilities and security issues. We will reward any researcher who confidentially disclosed a design or implementation issue that can compromise our systems or impact our data integrity. We will adjust the value of the rewards based on the nature and scope of the vulnerabilities reported. If the vulnerability is capable of compromising sensitive information, it will be eligible for a prize. We will often choose to reward researchers even if a vulnerability was not accepted or validated if it led to any actions to improve our security.

There are some restrictions to this program:

• We will only reward the first security researcher for disclosing a vulnerability or bug to us responsibly.
• We may cancel this program at any time.
• You will be ineligible for a reward and any future rewards if you publicly disclose the vulnerabilities or bugs before we respond, validate and rectify the vulnerability.
• You must not violate any laws in your efforts to conduct security research on our systems.
• You’re ineligible to participate in this program if you’re a resident of any U.S. embargoed jurisdiction, including but not limited to Iran, North Korea, Cuba, the Crimea region and Syria, or if you’re on the U.S. Treasury Department’s list of Specially Designated Nationals or the U.S. Department of Commerce Denied Person’s List or Entity List. By participating in the program, you represent and warrant that you’re not located in any such country or on any such list.