Bitwage has had zero breaches since its inception in 2014.
Our security policy may have been provided to you in a non-English language text as a convenience. In the case of a conflict, inconsistency or interpretation issue between this text and our English language versions of our terms and conditions or privacy policy, the English text shall control.
Last modified on October 5th, 2022
The Bitwage security policy addresses concepts such as threats, threat agents, controls, and uncontrolled risks that involve its business, and it is designed to prevent potential security issues that may affect the company and/or its customers. The policy is regularly reviewed to make sure its software, systems, and practices are in full compliance with it.
Bitwage has a complete internal information security program that is designed to align with ISO and NIST standards as well as industry best practices for financial service organizations.
Bitwage production servers and data are secured for confidentiality and integrity using full-disk encryption and backups. Servers use intrusion detection software and various cryptographic techniques to detect filesystem tampering. Essential services are segregated by function so that a possible vulnerability in one service does not expose another, unrelated service.
No customer funds are stored with Bitwage for longer than the time it takes to fulfill a payroll order. If funds must be stored for longer than a transaction due to an unforeseen issue, they are held offline on an isolated air-gapped machine with paper backups to protect the funds and to discourage malicious targeting of our servers.
Personal information (see Privacy Policy) is encrypted using enterprise-grade and industry-standard AES 256 encryption. We protect against various attacks such as SQL injection and CSRF attacks on form submissions. We protect against brute-force attacks with proactive techniques such as rate limiting, account locks, and IP blacklisting. We have a session time-out after a short period of inactivity to protect against an attacker accessing an unattended account.
We use enterprise-grade and industry-standard security techniques for the transmission and use of user passwords. We check for strong passwords (minimum length, sufficient entropy) on account creation and password reset. Further, we require Two Factor Authentication via SMS, Google, or Bitwage Authenticator to log in and for sensitive data inputs while logged in.
The Bitwage site runs over encrypted TLS (https). Bitwage uses the following browser security features:
Bitwage employees must pass a background check administered by our AML specialist and Compliance Officer before being hired. We use unique passwords for every third-party service, and two-factor authentication with each available third-party service. Employees are required to use strong passwords, screen locking, and encrypted hard drives. Further, all employees must complete annual information security awareness training to ensure they are aware of the most current trends and techniques in security.
We will not ask for your account information (email and password) via email. If you receive such an email, you may be a target of fraud. Please report suspicious-looking emails to support@bitwage.com.