#what kind of security does convex have? who issued the soc 2?

orchid roost

what kind of security does convex have? who issued the soc 2?

rapid copperBOT

Hi @orchid roost. I'm kapa.ai, your friendly support bot. I will try to answer your question by searching through the knowledge base. :wave:

Convex Security Overview

Security Features

Based on the knowledge sources, here's what Convex offers in terms of security:

  1. Data Encryption: All user data in Convex is encrypted at rest. [Status and Guarantees]

  2. Data Durability: Database state is replicated across multiple physical availability zones, with regular backups stored at 99.999999999% (11 9's) durability. [Status and Guarantees]

  3. Authentication & Authorization:

    • Convex provides a built-in authentication framework that verifies user identities via OIDC token validation on the server side. [Discord thread]
    • Every Convex function (queries, mutations, actions) has access to a ctx.auth object to validate user identity before processing data. [Backend Security]
    • Authorization checks (including row-level security) can be implemented directly in TypeScript server functions. [Row Level Security]

  4. XSS Protection: When using Convex Auth with React, standard React protections guard against typical XSS attacks. Refresh token reuse detection is also built in. [Auth Security]

  5. Vulnerability Disclosure: Convex has a security contact at [email protected] for reporting security bugs. [Contact Us]


SOC 2

The knowledge sources mention that Convex was pursuing SOC 2 compliance using Vanta for the audit process. However, the documents do not explicitly state who ultimately issued the SOC 2 certification or confirm its completion. For the most up-to-date information on SOC 2 status and the issuing auditor, I'd recommend checking convex.dev/security or reaching out to [email protected].

Note: you can ask me a follow up question by @ mentioning me again :speech_balloon: