People and infrastructure you can trust
The enterprise-grade embedded finance platform.

Security practices
Authentication & Authorization
Unit is PCI-DSS Level 1 certified. The Payment Card Industry Data Security Standard (PCI DSS) is the global standard for protecting sensitive payment card data; Level 1 is the highest level of compliance in the payments industry and requires alignment with the most rigorous industry best practices. We are also dedicated to assisting our customers in attaining PCI compliance whenever required.
Policies & Governance
Unit policies and procedures are aligned with best practices for securing data, infrastructure, and operations. The policies include Information Security, Third-Party Risk Management, Business Continuity, Incident Response, and End-User Data and Privacy. The governance model outlines security decision-making roles. Policies are reviewed regularly and approved annually by management and the board.

SOC 2 Type II Compliant
Unit is SOC 2 Type II compliant. Unit’s systems, processes, compliance frameworks, and controls are audited on an annual basis.
Data Protection
Unit follows privacy best practices and complies with all applicable privacy laws, including the Gramm-Leach-Bliley Act (GLBA). For more information, please review our Privacy Policy.
Risk Assessments
Unit conducts regular risk assessments to gain an accurate and thorough understanding of the potential risks to security, availability, and privacy in our products and services.
Background checks
Unit conducts background checks on all applicants selected for full-time employment in compliance with local regulations.
Third-Party Risk Management
Unit implements board-governed third-party management policies and utilizes a third-party management tool to review and assess all our critical vendors. This process assists in establishing standards for information security and service delivery from vendors.
Training
All employees at Unit are required to complete annual security training based on their roles. Additionally, the Information Security team engages with employees periodically through internal email campaigns and gamification techniques.
Infrastructure security
Cloud Infrastructure
Unit applications and solutions are fully built in the AWS cloud environment. We prioritize security and compliance with regulatory requirements by utilizing a combination of native AWS and third-party tools. These tools continuously monitor and evaluate our systems to maintain a secure environment and uphold best security practices.
Data Encryption
Unit uses strong encryption across all data, both at rest and in transit. We encrypt all sensitive data at rest with AES-256-GCM (the Advanced Encryption Standard with a 256-bit key in Galois/Counter Mode), an authenticated encryption mode that protects both the confidentiality and the integrity of stored data. We use Transport Layer Security (TLS) 1.2 or higher, the industry standard, for all data in transit.
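The at-rest encryption described above depends on three properties of AES-256-GCM that are easy to get wrong: a fresh nonce per message, an authentication tag that rejects any tampering, and associated data that binds a ciphertext to its record. The following Go program is an added example written for this page, not Unit's code; it uses a constructed in-memory key where a production system would fetch one from a key management service, and the envelope layout (nonce || ciphertext || tag) and the function names are the example's own.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

const keySize = 32 // AES-256 requires a 32-byte key

// newGCM builds an AES-256-GCM AEAD from a raw key, refusing any other key length.
func newGCM(key []byte) (cipher.AEAD, error) {
	if len(key) != keySize {
		return nil, errors.New("key must be 32 bytes for AES-256")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Encrypt seals plaintext with a fresh random 96-bit nonce and returns the
// envelope nonce || ciphertext || tag. aad (for example a record identifier) is
// authenticated but not encrypted, so a ciphertext copied onto another record
// fails to decrypt there.
func Encrypt(key, plaintext, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	// Seal appends ciphertext and tag to the nonce, producing the envelope layout.
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// Decrypt opens an envelope produced by Encrypt. Any change to the nonce,
// ciphertext, tag or aad makes Open fail, and no partial plaintext is returned.
func Decrypt(key, envelope, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	ns := gcm.NonceSize()
	if len(envelope) < ns+gcm.Overhead() {
		return nil, errors.New("envelope too short to contain nonce and tag")
	}
	return gcm.Open(nil, envelope[:ns], envelope[ns:], aad)
}

func main() {
	// Constructed key for the demo only; never hard-code or log real keys.
	key := make([]byte, keySize)
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	aad := []byte("record:constructed-id-123") // constructed record identifier
	env, err := Encrypt(key, []byte("sensitive field value"), aad)
	if err != nil {
		panic(err)
	}
	pt, err := Decrypt(key, env, aad)
	fmt.Printf("roundtrip: %q err=%v\n", pt, err)

	// Flip one bit of the tag: authentication fails and nothing is returned.
	env[len(env)-1] ^= 0x01
	_, err = Decrypt(key, env, aad)
	fmt.Println("tampered envelope:", err)
}
```

The important design point is that decryption is all-or-nothing: a modified tag, a modified ciphertext byte, or a mismatched record identifier all produce an error rather than corrupted plaintext, which is what makes GCM suitable for protecting stored card and customer data.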
Segmentation
Unit’s AWS environments are thoroughly segmented into different accounts and Virtual Private Clouds (VPCs). We use AWS Security Groups to filter inbound traffic, and we allocate specific workloads to dedicated resources to meet the needs of our different tenants. We isolate each service in its own namespace so that resources such as pods, services, and secrets are separated. We have implemented robust, separated Continuous Integration (CI) and Continuous Deployment (CD) pipelines, which include code reviews, automated end-to-end (e2e) and security testing, and branch protection rules.
Cloud Events & Detection
Unit collects cloud events and detection findings from sources such as CloudTrail logs. It also integrates with AWS's native threat detection (GuardDuty) and with third-party security platforms, ingesting their findings in near real time and correlating them to add context. In addition, Unit deploys eBPF-based runtime sensors and correlates their runtime signals with cloud events for efficient incident response.
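To make the CloudTrail side of the paragraph above concrete, here is an added Go example (written for this page, not Unit's detection code) that parses the "Records" array of a CloudTrail log file, applies three defender-side rules, and groups findings by source address as a first correlation step. The rule names, the watch-list of sensitive API calls, and the sample log (account id, ARNs and addresses are all constructed) are the example's own assumptions; the JSON field names are those CloudTrail actually emits.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// CloudTrailEvent is a minimal view of a CloudTrail record with only the
// fields the rules below need. Unknown fields are ignored by encoding/json.
type CloudTrailEvent struct {
	EventTime       string `json:"eventTime"`
	EventSource     string `json:"eventSource"`
	EventName       string `json:"eventName"`
	SourceIPAddress string `json:"sourceIPAddress"`
	UserIdentity    struct {
		Type string `json:"type"`
		ARN  string `json:"arn"`
	} `json:"userIdentity"`
	AdditionalEventData struct {
		MFAUsed string `json:"MFAUsed"`
	} `json:"additionalEventData"`
}

// Finding is one rule match, carrying enough context to pivot on later.
type Finding struct {
	Rule      string
	EventName string
	Principal string
	SourceIP  string
	Time      string
}

// sensitiveCalls is a hypothetical watch-list of API calls that weaken logging
// or expand privilege; a real deployment would tune this list.
var sensitiveCalls = map[string]bool{
	"StopLogging": true, "DeleteTrail": true, "UpdateTrail": true,
	"PutUserPolicy": true, "AttachUserPolicy": true, "CreateAccessKey": true,
}

// Evaluate applies the rules to one decoded event and returns its findings.
func Evaluate(ev CloudTrailEvent) []Finding {
	mk := func(rule string) Finding {
		return Finding{rule, ev.EventName, ev.UserIdentity.ARN, ev.SourceIPAddress, ev.EventTime}
	}
	var out []Finding
	if ev.EventName == "ConsoleLogin" && ev.UserIdentity.Type == "Root" {
		out = append(out, mk("root-console-login")) // root should not be used interactively
	}
	if ev.EventName == "ConsoleLogin" && ev.AdditionalEventData.MFAUsed == "No" {
		out = append(out, mk("console-login-without-mfa"))
	}
	if sensitiveCalls[ev.EventName] {
		out = append(out, mk("sensitive-api-call"))
	}
	return out
}

// Scan decodes a CloudTrail log file body and evaluates every record.
// Malformed input is reported as an error rather than silently skipped.
func Scan(raw []byte) ([]Finding, error) {
	var file struct {
		Records []CloudTrailEvent `json:"Records"`
	}
	if err := json.Unmarshal(raw, &file); err != nil {
		return nil, fmt.Errorf("decoding CloudTrail log: %w", err)
	}
	var all []Finding
	for _, ev := range file.Records {
		all = append(all, Evaluate(ev)...)
	}
	return all, nil
}

// CountBySource groups findings by source IP, the simplest correlation key
// before enriching with GuardDuty findings or runtime sensor signals.
func CountBySource(fs []Finding) map[string]int {
	counts := make(map[string]int)
	for _, f := range fs {
		counts[f.SourceIP]++
	}
	return counts
}

// sampleLog is a constructed log: the account id, ARNs and addresses are not real.
const sampleLog = `{"Records":[
 {"eventTime":"2024-01-01T10:00:00Z","eventSource":"signin.amazonaws.com","eventName":"ConsoleLogin","sourceIPAddress":"198.51.100.7","userIdentity":{"type":"Root","arn":"arn:aws:iam::000000000000:root"},"additionalEventData":{"MFAUsed":"No"}},
 {"eventTime":"2024-01-01T10:05:00Z","eventSource":"cloudtrail.amazonaws.com","eventName":"StopLogging","sourceIPAddress":"198.51.100.7","userIdentity":{"type":"IAMUser","arn":"arn:aws:iam::000000000000:user/alice"}},
 {"eventTime":"2024-01-01T10:06:00Z","eventSource":"s3.amazonaws.com","eventName":"GetObject","sourceIPAddress":"203.0.113.9","userIdentity":{"type":"AssumedRole","arn":"arn:aws:sts::000000000000:assumed-role/app/i-1"}}
]}`

func main() {
	findings, err := Scan([]byte(sampleLog))
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Printf("%s %-26s %-14s %s\n", f.Time, f.Rule, f.EventName, f.SourceIP)
	}
	fmt.Println("findings by source:", CountBySource(findings))
}
```

Run against the constructed log, the root login produces two findings and the StopLogging call a third, all from the same address, which is exactly the kind of clustering that justifies pulling in GuardDuty and runtime context for that source before deciding on a response.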
Access Control
Unit has implemented strict password policies to ensure the safety and security of all critical services. Access to these services is granted only through Single Sign-On (SSO) or multi-factor authentication, wherever available. Role-Based Access Control (RBAC) is maintained across all internal and external systems, ensuring that access is provided only on a need-to-know basis. Furthermore, the information security team conducts periodic User Access Reviews (UAR) to review access authorization and permissions of internal and external stakeholders. This ensures that access control is continually monitored and improved to prevent unauthorized access to sensitive information.
Endpoint Protection & Remote Access
Our remote access is secured through an Enterprise VPN Service. Additionally, our endpoints are protected by EDR (Endpoint Detection and Response), which includes a leading endpoint protection platform, managed services, and 24/7 monitoring and investigation of every security alert.
Product security
API Token Scopes
Each API token at Unit is limited in scope, ensuring that it can access only certain resources, and can perform only certain operations on them (read/write).
API Token Expiration
API tokens are set to automatically expire in one year. Unit lets you customize expiration dates to enforce stricter security policies in your organization.
Customer Tokens
Customer tokens restrict API access to only the resources enabled for a specific customer, so the exposure of any one token is limited to a single customer. They include built-in two-factor authentication (one-time passcode, OTP) and a customizable expiry that your systems can rely on.
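The three token properties described above (resource scopes with read or write operations, a default one-year expiry that can be shortened, and customer tokens pinned to a single customer) combine into one authorization check. The Go program below is an added example for this page and is not Unit's implementation: the "resource:operation" scope syntax, the rule that a write scope implies read on the same resource, and the function names are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"strings"
	"time"
)

// Token is a hypothetical model of an API token: a list of "resource:op" scopes,
// an expiry, and an optional customer restriction (empty for org-wide tokens).
type Token struct {
	Scopes     []string
	ExpiresAt  time.Time
	CustomerID string
}

// Decision records whether a request is allowed and why, so refusals can be logged.
type Decision struct {
	Allowed bool
	Reason  string
}

const defaultLifetime = 365 * 24 * time.Hour // the page's one-year default

// NewToken issues a token with the one-year default expiry unless a shorter
// lifetime is requested; a longer lifetime is capped at the default.
func NewToken(scopes []string, customerID string, issued time.Time, lifetime time.Duration) Token {
	if lifetime <= 0 || lifetime > defaultLifetime {
		lifetime = defaultLifetime
	}
	return Token{Scopes: scopes, ExpiresAt: issued.Add(lifetime), CustomerID: customerID}
}

// Authorize checks expiry first, then the customer restriction, then scopes.
// Every refusal returns a reason; the first matching scope allows the request.
func Authorize(tok Token, now time.Time, resource, op, customerID string) Decision {
	if !now.Before(tok.ExpiresAt) {
		return Decision{false, "token expired"}
	}
	if op != "read" && op != "write" {
		return Decision{false, "unknown operation " + op}
	}
	if tok.CustomerID != "" && tok.CustomerID != customerID {
		return Decision{false, "customer token cannot access another customer's data"}
	}
	for _, s := range tok.Scopes {
		r, o, ok := strings.Cut(s, ":")
		if !ok || r != resource {
			continue
		}
		// Assumption for this example: a write scope implies read on the same resource.
		if o == op || (o == "write" && op == "read") {
			return Decision{true, "granted by scope " + s}
		}
	}
	return Decision{false, "no scope covers " + resource + ":" + op}
}

func main() {
	issued := time.Date(2024, 1, 1, 0, 0, 0, 0, time.UTC) // constructed issue time
	org := NewToken([]string{"accounts:read", "customers:write"}, "", issued, 0)
	cust := NewToken([]string{"accounts:read"}, "cust-1", issued, 30*time.Minute)
	now := issued.Add(time.Minute)

	checks := []struct {
		name string
		d    Decision
	}{
		{"org reads customers via write scope", Authorize(org, now, "customers", "read", "cust-1")},
		{"org writes accounts with read-only scope", Authorize(org, now, "accounts", "write", "cust-1")},
		{"org token after one year", Authorize(org, issued.Add(defaultLifetime), "accounts", "read", "cust-1")},
		{"customer token on own data", Authorize(cust, now, "accounts", "read", "cust-1")},
		{"customer token on another customer", Authorize(cust, now, "accounts", "read", "cust-2")},
		{"customer token after custom expiry", Authorize(cust, issued.Add(time.Hour), "accounts", "read", "cust-1")},
	}
	for _, c := range checks {
		fmt.Printf("%-42s allowed=%-5v %s\n", c.name, c.d.Allowed, c.d.Reason)
	}
}
```

Checking expiry and the customer restriction before looking at scopes keeps the refusal reasons unambiguous in audit logs, and capping the lifetime at the default means a caller cannot request a token that outlives the platform policy.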
SSO & Multi-Factor Authentication
The Unit Dashboard supports the industry-standard SAML 2.0 protocol, to help you authenticate your users using an external identity provider. Furthermore, we incorporate multi-factor authentication to provide you with an added layer of security.
Roles & Permissions
The Unit Dashboard includes built-in roles and permissions for your team members. This ensures that information access is granted strictly on a need-to-know basis, in accordance with the least privilege principle.
Sensitive Data Bypass
Display sensitive customer data to your users without any of it passing through your systems, removing the PCI compliance burden that handling it directly would require.
Sensitive Data Restriction & PCI Compliance
Sensitive data, such as full card numbers, is not available for display in the Dashboard unless your company is PCI-certified. If your organization directly handles credit card data, it is highly probable that you will need to follow the PCI-DSS standard, which requires an annual validation process.
There are four different levels of compliance that depend on the volume of transactions processed annually. Only companies that process over 6 million transactions annually are required to comply with Level 1, which requires an onsite assessment conducted by a QSA.
For Levels 2-4, there are a few types of Self Assessment Questionnaires (SAQ) depending on several factors. For more information on the requirements, please visit the PCI website. If you need further guidance, feel free to contact us and we will do our best to walk you through the requirements.
Audit Logs & Monitoring
Unit collects audit trails for write operations to ensure high-level transparency and security standards. Our detailed audit logs help identify abnormalities, intrusions, or suspicious activity by providing oversight teams with a clear and comprehensive record of all activities.
The designated audit log offers a searchable database of actions, each containing structured fields such as the time of action, performing user, associated bank or organization, action type, and changes made. While the audit log is still being expanded to include all actions, our operational database stores a history of updates, allowing data analysts to generate comprehensive reports for external audits.
This ensures that we can provide the required data either through self-service solutions or ad-hoc requests.
Availability
Redundancy
Unit runs in an active-active configuration with a second availability zone, improving recovery times and keeping the platform reachable if one zone is unavailable.
Backups
We back up all production data, and all backups are geo-replicated within the same jurisdictional data boundary.
Monitoring
We continuously monitor the platform and post real-time updates to our public status page.
Business Continuity
We have documented and implemented a business continuity plan that we activate and follow in the event of disruptions. We test our business continuity plan at least once a year, using different real-world scenarios.
Reporting a security bug
Unit encourages everyone to follow responsible disclosure procedures when reporting security issues affecting our products, services, websites, or infrastructure. We’re committed to engaging with anyone reporting security vulnerabilities in a positive, professional, mutually beneficial manner that protects our customers. To report a security bug, please contact us at security@unit.co