Array has been audited by a PCI-certified auditor and is certified as PCI Service Provider Level 1. This is the most stringent level of certification available in the financial industry. We are audited for and meet or exceed the data security requirements set by our partners and the industry for the transmission and storage of regulated data.
Leverage our platform and ship today. Build on top of our secure platform and benefit from our investments and experience in operating an audited PCI Level 1 Service Provider environment.
Our embedded tools and white label platform transmit personal identifying information directly to user devices, keeping you out of scope for costly and time-consuming audits. Ship your solution today, not in weeks or months.
Our white label and embedded tools collect user information directly from their devices and pass it securely to our API. All data is encrypted while in transit.
Every order with personally identifiable or sensitive data uses a secure tokenization system. The user’s device is fingerprinted and provided a unique key and secure token.
The user’s device downloads the data directly from our API using the unique key and secure token. Every attempt to download the data is logged and audited. Your server never accesses the personal information or data, keeping you out of scope for compliance audits.
PCI requires us to monitor, log and audit all access to confidential and sensitive data. Beyond that, we have additional controls for storing and retrieving data both when accessed by our applications and services and for our infrastructure teams managing the environments.
Some examples of data security controls include:
We are audited yearly on our ability to collect and transmit sensitive data such as cardholder data securely. We perform regular testing of both our internal and external networks to comply with these requirements. The annual audits and validation of our PCI compliance are conducted by third-party external auditors certified by the PCI standards council.
Array uses only the latest PCI-compliant TLS/SSL settings for all public and private network communications. This includes our websites, applications, embedded tools, APIs and white label platform.
As of October 2020, we currently require TLS 1.2+ using RSA 4096 (SHA256) for all SSL traffic.
Array's embedded tools, and the white label platform built on them, connect directly to the Array APIs from user devices. No personal, sensitive or regulated data travels through the web servers and websites hosting our embedded tools. See our data compliance page on how our software architecture and design protect our customers from complex PCI and regulatory requirements. We implement and require the latest browser security capabilities, such as HSTS (HTTP Strict Transport Security), to exceed the minimum requirements for PCI. Our external websites are audited monthly for compliance with the latest browser, website and web application security practices.
All personal, sensitive and regulated data, including credit data and payment processing data, is stored encrypted at rest using AES-256. Decryption keys are held on separate machines on isolated networks with stringent requirements for accessing and managing those systems. Such systems have no direct external network access and are validated regularly as part of our PCI compliance audits.
Laws and regulations concerning sensitive personal credit data, together with our partnership and vendor agreements, require us to comply with or exceed all PCI requirements for the handling of this data. Our partners, including the three major credit bureaus in the United States, audit us for compliance with these regulations and with their information-sharing and security policies.
Our network security and compliance teams investigate all reported security issues. If you believe you have discovered a bug in Array's security, please contact us at security@array.io. We will respond to your report in a very timely manner, as data security is our highest priority. We ask that you not publicly disclose such issues until we have addressed them.
We recognize that security research is challenging and time-consuming, and we appreciate those who wish to help us keep our users and clients safe. We operate a reward program for the responsible disclosure of vulnerabilities and security issues. We will reward any researcher who confidentially discloses a design or implementation issue that can compromise our systems or impact our data integrity. We will adjust the value of the rewards based on the nature and scope of the vulnerabilities reported. If the vulnerability is capable of compromising sensitive information, it will be eligible for a prize. We will often choose to reward researchers even if a vulnerability was not accepted or validated, provided it led to any actions that improved our security.
There are some restrictions to this program: