Security & Privacy
Have a security/privacy question or disclosure? Contact security@thirdweb.com.
What best practices does thirdweb follow?
- TLS encryption in transit for internal and external communication with our backend and databases.
- Required TLS encryption for third-party vendors.
- Data backups and storage encrypted with AES-256.
- GDPR and CCPA compliance within 90 days.
- Granular data access for all thirdweb employees granted by business need.
- Full audit logging on sensitive data access.
- Security audit from HackerOne.
- Bug bounty program for ethical hackers.
- SOC-2 compliance certification (coming Q2 2023).
What user personally identifiable information (PII) is stored?
thirdweb stores user emails and only accesses them to send automated emails (e.g. after a completed purchase) or in rare cases to proactively reach out to resolve support issues. We don't store any other user PII.
How is credit card data stored?
thirdweb's payment provider(s) are certified to PCI Service Provider Level 1, the highest standard set by the payment card industry to ensure that credit card data is processed, stored or transmitted in a secure environment (source).
This data is never sent through thirdweb's servers.
How is password data stored?
thirdweb doesn't use passwords! Logging into a thirdweb Wallet and our Seller dashboard is done through password-less authentication tied to your email address. For this reason, please keep strong password hygiene and consider adding multi-factor authentication on your email account.
How is buyer identity verification data stored?
Buyer identification verification data (i.e. KYC) is transferred via TLS encrypted connections directly to our payment vendor(s) and uses AES-256 encryption at rest (source). This data is only accessible to employees whose job role may require reviewing KYC.
This data is never sent through thirdweb's servers.
How is seller identity verification data stored?
Seller identity verification data (i.e. KYB) that you upload in the dashboard is uploaded via TLS encrypted connections with a time-limited pre-signed URL to thirdweb's S3 AWS bucket. The S3 bucket is not exposed to the public internet, is encrypted with an AWS KMS-managed key, has all employee interactions logged, and is only accessible to key employees whose job role requires reviewing KYB.
This data is never sent through thirdweb's servers.
How does thirdweb handle GDPR data access or deletion requests?
Contact us at security@thirdweb.com to request your data to be provided or deleted. We will comply with the request within 90 calendar days.
Does thirdweb go through security audits?
Yes. Our architecture and codebase are currently undergoing a full code review audit performed by HackerOne, a leading cybersecurity company.
Does thirdweb offer rewards for responsible disclosures of security vulnerability?
Yes. At the team's discretion, thirdweb may offer monetary bounties for security vulnerabilities that are responsibly disclosed to security@thirdweb.com that are considered novel with high customer impact.
You can find thirdweb’s bug bounty program here.