Security FAQ

Updated August 2024

About Nametag

Nametag provides end-to-end solutions for secure account recovery and helpdesk verification by matching government-issued IDs to selfies, ensuring the identities of employees and customers are verified accurately and securing access to their accounts. We are committed to using technology responsibly and transparently, and to managing data and developing AI models to high ethical standards.

Frequently Asked Questions

Infrastructure Security

How does Nametag ensure the security of its infrastructure?

Nametag’s service is hosted on infrastructure operated by third-party cloud providers. This infrastructure provides secure deployment of services, secure storage of data with end user privacy safeguards, secure communications between services, secure and private communication with customers over the internet, and safe operation by administrators. The security infrastructure is designed in progressive layers, starting from the physical security of data centers to the security of the hardware and software, and finally, the technical constraints and processes in place to support operational security.

Data Encryption

How does Nametag ensure data is encrypted?

All data are encrypted both at rest and in transit. Specifically, data are protected by modern encryption:

  • At rest on an end-user’s phone in our app (used for sending and receiving data for end-user enrollment, verification, and sharing, not for permanent storage).
  • Over the public internet from an end-user’s phone to Nametag’s servers.
  • At rest in cloud storage (databases and object storage buckets).
  • From Nametag services to your company when an end-user consents to share their information with you.

Security Vulnerability Prevention

How does Nametag prevent security vulnerabilities?

Nametag takes proactive steps to ensure the security of our product architecture. We have implemented numerous measures to make vulnerabilities more difficult to introduce, and periodically review and refresh these measures to stay ahead of bad actors. These measures include:

  • Identity and privilege level threading throughout the application, all the way to the datastore, which enforces access rules in a testable, auditable place.
  • A peer code review process that serves as a backstop against intentional or accidental vulnerabilities.
  • Automated static analysis tools that alert us to potential security problems in the code, with checks that must pass for code deployment.
  • Automated tools that monitor for security vulnerabilities in third-party code dependencies and automatically propose patch updates.
  • Cloud providers’ mature vulnerability management practice for patching known vulnerabilities at the operating system, virtualization, and hardware layers.
  • Dividing systems into separate environments for development, staging, and production, each with independent network access control, service account credentials, and secrets.

Authorizing Access

How does Nametag minimize the risk of data exposure?

Nametag adheres to the principle of least privilege. Employees are only authorized to access data they need to do their job: all engineers have access to their development environments, fewer engineers have access to the staging environment, and far fewer have access to the production environment. All internal systems require employees to authenticate with unique user accounts and hardware-backed multi-factor authentication.

Employee Training

How are Nametag employees trained in security?

All Nametag employees complete mandatory recurrent security training. This includes training on general resistance to online threats, social engineering attacks, and protecting the identities and confidential information of our clients. Although we do not handle protected health information (PHI), all employees are trained to identify and report any incidental contact with it.

Logging

Does Nametag collect logs from its servers?

Yes, Nametag collects logs from all our servers. We routinely examine these logs for suspicious activity and operational issues. Logs are scrubbed of personal data and operational secrets before archiving.

Business Continuity

How does Nametag ensure business continuity?

All of the data that Nametag stores for you is regularly backed up. We regularly simulate the backup and recovery process to ensure it works smoothly. Copies of backups are stored in multiple data centers in different regions and are encrypted in transit and at rest.

Insurance Coverage

What is Nametag’s insurance coverage?

Nametag maintains extensive insurance coverage from top-tier providers, each with a minimum “A” rating and belonging to size category “VIII” or higher. This ensures our insurance types and limits substantially exceed the potential risks associated with our average contract sizes, offering robust protection to our customers from potential losses. Evidence of our comprehensive insurance portfolio, including workers’ compensation, commercial general liability, commercial auto liability, umbrella and excess liability, professional liability (E&O), and cyber liability policies, is accessible through our Trust Center.

Incident Response

How does Nametag respond to security incidents?

Nametag has a dedicated Incident Response Team (IRT) that monitors, identifies, and responds to security incidents 24/7. We follow a structured incident response plan that includes identification, containment, eradication, recovery, and post-incident analysis to ensure minimal impact and quick recovery.

Compliance and Certifications

What compliance standards and certifications does Nametag adhere to?

Nametag complies with various industry standards such as SOC 2 Type II, HIPAA, GDPR, and CCPA/CPRA. These certifications demonstrate our commitment to maintaining the highest standards of security and privacy.

Third-Party Vendor Management

How does Nametag ensure the security of third-party vendors?

Nametag conducts thorough due diligence and continuous monitoring of all third-party vendors. We ensure they meet our stringent security requirements and comply with relevant security standards and best practices.

Additional Information

For more information on how Nametag handles user data and personal information, please refer to:

For any other questions, please contact us at security@nametag.co.
