Descope was founded by a team that possesses extensive security experience. Our founders and executives have led product development at cyber security companies such as Palo Alto Networks, Demisto, McAfee, eBay, Yahoo and many more. Equipped with this knowledge we built Descope to provide solutions that would not compromise security.
We are counting on this experience particularly because developers who use our product have elected to use Descope as the front door to their application and as such they put their trust in us.
In this document we explain the main measures we take to ensure our product is secure and also, since we interact with our customers’ users, how we answer privacy concerns and regulations with the ultimate goals of keeping you and your end users safe.
Product Security
In today’s world where adversaries perform sophisticated attacks on a daily basis, our customers need to defend themselves. This is especially true where their digital front door is concerned - the sign-in and log-in processes. However, security almost always comes with a penalty - increasing security means that the product’s usability and end users’ experience is often impaired.
At Descope we aim to help you strike the correct balance between security and ease of use, and we do so in several ways:
No Passwords. We have all grown accustomed to passwords. In fact we use them without realizing that as far as authentication goes they are the worst of all worlds: they are both insecure and the user experience (think of the last time you changed your phone or forgot your bank account’s password) is horrific. At Descope all of the authentication methods we provide are simple to use and are more secure than using passwords.
Security Built-in. Built by security experts, we always bake security into every part of the product. For example, we built the administration console, which is where, among other things, you manage your users with the highest security measures. We provide protection against SQL injection, we configure Xframe to prevent click-jacking attacks, we use CORS (cross-origin resource sharing) to control access, we utilize security headers, HSTS (HTTP Strict Transport Security) to prevent man in the middle attacks. We also use TLS encryption everywhere to make sure that all communications are secure. We continuously monitor new threats and protect against all known threats such as those defined in the OWASP Top 10
Make Informed Decisions. Wherever possible we allow you to make informed decisions regarding the balance of security and ease of use for your end users. Our defaults strike the balance for you but you can always change parameters that will increase or decrease the security level based on your intimate knowledge of your application and users. For example, should you choose to use magic links via email, you can decide to increase the expiration time of the magic link. This will make the experience better for users who take time to check their mail for the link but may also increase the chances of a bad actor using the link.
Secure and Usable Defaults. Descope comes pre-configured, making it first and foremost very easy to implement. All defaults that we have chosen for our customers are secure and usable, meaning that end users will have a great experience while keeping your application secure. Customers have the flexibility to change the defaults and strike the right balance of security and usability that best fits their needs.
Secure Development
Everything we do when we develop the Descope product is scrutinized with the highest security practices in mind. At our core, we have an inherent culture of secure development, testing and review. In addition, we have strict internal security policies that all developers comply with. The policies cover the entire development lifecycle and every line of code is reviewed, validated and tested with security in mind.
We also continuously monitor the security of the 3rd party components that we use and where needed, we upgrade or patch the components as soon as a vulnerability or other security concern becomes known, all while keeping the integrity and stability of our product.
We deploy specific security tools that help test the security of our products as they are being developed but we do not rest there. We also subject our product to external security testing and change the external security testers often so that people with different techniques and different tools subject our product to penetration testing and security reviews.
Company Security
The trust our customers put in us means also that we must run our business without security risks. To do this, first and foremost, we vet our employees. This means that employee backgrounds are screened and we employ top talent in all of the company functions.
We also make sure that our facilities are secure with proper physical security and all of our computers and networks are secured by industry leading products and procedures.
We strive to use NO passwords inside our company of course and all 3rd party tools that we use are vetted and configured by us with the highest security possible for our use cases.
All of our digital assets (be they employee laptops or cloud based servers) are centrally managed and subject to a strict security policy (including the use of endpoint security, firewalls and many other measures) and we go above and beyond to make sure that assets are always up to date and monitored.
We continuously assess any risk to the company and have a committee that meets quarterly to make sure that risks are promptly and properly dealt with.
Data Residency and Privacy
Descope keeps all data in multiple regions in the United States and EU. EU customers can choose to store and process their user information in the EU region. We also provide measures to minimize the latency for customers outside of these regions. Please contact us at info@descope.com with any questions.
Regarding privacy we have taken all necessary measures to ensure that privacy is maintained in compliance with privacy rules such as GDPR and The California Consumer Privacy Act (CCPA). For further information see our Privacy Policy posted on our website.
Regulatory Compliance
All procedures, policies, and operations at Descope were designed from day one to comply with the strictest regulations. We are SOC 2 Type 2 and ISO 27001 certified, and are HIPAA and GDPR compliant.
Disaster Recovery
Descope has a detailed Disaster Recovery Plan (DRP) in place to answer any disaster resulting from natural disasters, political disturbances, human-made disasters, external threats, internal malicious activities. The plan is tested regularly and relevant personnel are trained to respond in case of a disaster.
Security Issues and Disclosure
Please see our Responsible Security Disclosure Program for more information.