Liminal Network Security Policy
Security is a basic requirement at Liminal Network. Our architecture and products are
designed from the ground up to ensure your data is protected.
- Multi-factor authentication is required for all users. Whether you're a customer,
a partner, or an employee, you must use MFA to access your account. This is done
after you've verified your email address.
- Your partner credentials are encrypted. Your company's credentials (and only
your company's credentials) are individually unlocked when you log in, and are
automatically locked when your session times out, or you log out. We can't use
your partner or company's credentials on your behalf if you have not logged into
our website, or provided our API with a proper key.
- We do this by generating a "public" and "private" keypair for you on account creation.
The "public" key is stored and used any time Liminal Network needs to send you a
private message. Your private key is encrypted and stored with an expanded version
of the password you use to login.
- Any credential you choose to store at Liminal Network for use, are individually
encrypted with their own separate "session" keys. The session keys are encryped by
your "public" key, only unlockable by your "private" key, which is only unlockable
by you logging in.
- Similarly, API keys also have unique public and private keys, with stored public
and encrypted private key. Your API key decrypts the API's private key, which
allows the API to decrypt partner credentials on your behalf.
- This is the exact same design, and uses almost all of the same code as the secure connection
method that underlies SSL and the modern methods used in TLS. TLS is used to secure "https"
connections we use on the internet, including how you are able to read this if you are
visiting https://www.liminalnetwork.com/security (this page).
- All keys, key storage, data, and data storage, are explicitly overwritten with random data
upon deletion. This may be slower, but helps ensure the security of our platform.
- When requested, we decrypt your "private" key attached to your session, and use that private
key to decrypt your requested messages, or any needed "session" keys for carrier credentials
if you are checking status with our Account dashboard.
- When we prepare an API key at your request, we are encrypting all needed credentials for that
key with individual "sub-session" keys, all of which are stored under a source "session" key.
The source "session" is encrypted using an "expanded" version of the API key, as well as
your "public" key. This allows you to add or remove credentials available to that API key
later in the dashboard, and allows the API to access all needed credentials for any requests
you make. Because each credential has its own "sub-session" key, we should never be in a
situation where more than one credential is decrypted at any one time.
- If you ever "forget" your password, you also lost the method to unlock your
private key. Without your private key, you cannot unlock API keys, or your own messages
we send you. You cannot see what API keys have access to what credentials. In effect, you are
locked out of your own credentials and account. While having an API key may provide you
temporary access to your stored credentials via the API, you will need to explicitly
"migrate" any stored API keys, by providing them back to our Account dashboard after
logging in with your new password.
- We don't store your data. We understand that APIs we access may contain information
that is critical to your business. Whether we are helping to send or receive a
tracking number, document, or other sensitive information, any temporary version
we may have transmitted to you is deleted and overwritten with random data as soon as our
system confirms you have received it.
- Like every tech company, we have metrics. We track what calls are made, where they
initiate and terminate, how long they take, and diagnostics such as failed transactions,
failed logins, and others. We do not track or store the contents of API calls.
You can learn more at https://www.liminalnetwork.com/metrics.
Schedule Demo