Entry's mission is to facilitate the shift from a service provider owning user identities, sensitive PII, and credentials to a user-owned digital identity, PII, and credentials. It was designed to put a user in control of their digital identity, to provide transparency and control over how and where their data is used, with an ability to govern access to it.
We follow industry best practices to develop and delivery our product securely.Learn more
We adhere to the highest industry standards for data security using MFA and encryption.Learn more
We challenge our assumptions through third-party collaborations and frameworks.Learn more
Privacy and Data Sharing
Do you store my biometric data, photos, or videos of my face?
No, Entry does not store videos or images from your registration or login session. During the registration, Entry extracts embeddings — anonymized tensor representations of your face. It's non-transferable, and could not be used outside of Entry — and we can use it only to recognize you when you log in.
During the login sessions, Entry extracts embeddings and matches against the original embeddings being used during the registration. Raw images or videos are being immediately deleted once embeddings are being extracted. There is no need to keep and store them.
Who has access to my data?
You are in control of how your data is shared:
- When you update your personal profile, no one has access to the newly added data. Admins of the third-party apps- websites, workspaces, apps- where you are a member of can only see your name, the email they used to invite you, and the general status of your profile ("active", "protected with biometrics", "confirmed vaccination status").
- When someone, such as your employer, needs, for example, get proof of vaccination, they send you a request for it — Entry won't share anything until you accept it even if you are already a member of the workspace. In this example, the only verification status of vaccination information will be shared with an admin, but not the underlying records.
Does Entry share my biometric data with my employer?
Biometric data is never shared with anyone. Learn more about the product architecture here.
Where is my data stored?
All data is stored in encrypted-at-rest databases that are located in our internal network, which protects them from being stolen and decrypted. To further improve our security approach, we don't store sensitive data related to you in one place, so it wouldn't be possible to reconstruct the full picture even in the extremely unlikely event of data leakage.
How do you keep my data safe?
Security is at the core of what we do. To keep your data safe, we do the following:
We follow industry best practices, so security is baked right into our product and regular development processes – including security design reviews, code reviews, unit & integration tests. All engineers are required to know OWASP vulnerabilities and use libraries, frameworks, and mitigations vetted and recommended by the security community.
Data in transit runs entirely over TLS. Data at rest is encrypted with AES 256.
Secrets are stored securely and never in source code. Access to our infrastructure and related services requires SSH and step-up with Entry where and when possible.
Our infrastructure runs on fault-tolerant systems and backups are made daily. We leverage redundant third-party providers to provide 24/7 monitoring and alerting of any downtime.
We conduct bi-annual penetration tests on our application and infrastructure. These audits are conducted by respected independent security firms. Any issues that surfaced are tracked and prioritized to their resolution.
Entry is hosted on AWS, a leading cloud provider that holds rigorous industry security certifications, such as SOC 2 and ISO 27001.
Entry itself is certified under SOC 2 Type 2, HIPAA, as well as being fully compliant with the EU General Data Protection Regulation (GDPR) and California Consumer Protection Act (CCPA).
How Long Do We Retain Your Personal Data?
We retain Personal Data about you for as long as you have an open account with us, 90 days after your last interaction with Entry or as otherwise necessary to provide you Services or as long as you have an open account with us.
In some cases, we retain Personal Data for longer, if doing so is necessary to comply with our legal obligations, resolve disputes or collect fees owed, or is otherwise permitted or required by applicable law, rule, or regulation. Afterward, we retain some information in a depersonalized or aggregated form but not in a way that would identify you personally.
How does Entry prevents spoofing attacks such as deep fakes, replaying video from a smartphone, using masks or images, or virtual web cameras?
Entry is the result of more than two years of deep R&D and research around face recognition, antispoofing for face recognition, and cyber security. The result is a cutting-edge anti-spoofing system that not only reaches the same level of security assurance as hardware sensors but gets better every time you use it. Entry successfully detects and prevents deep fake attacks, replay attacks, virtual web camera attacks, still images, masks and more.
The performance of proprietary security algorithms is continuously being benchmarked against the state-of-the-art industry-standard benchmarks as well as independently verified by the computer vision and the cybersecurity community. Learn more about the technology behind Entry here.
What happens when an employee leaves the company?
When an employee leaves a company, their user account gets de-provision and an employer loses access to their account. The core user account and user data remain under the control of a user.
HIPAA compliance and proof of vaccination
The vaccination records are verified and stored by XIX.ai, Inc. (d.b.a. Entry) on encrypted AWS instances. The verification status of a user is displayed to a Customer via the admin dashboard without the need to be stored by a customer. By doing so, the customer avoids HIPAA compliance issues.
What happens with the facial recognition data? Does it stay on the device or does it get transferred or stored on the service?
The video streams from registration/logins are not stored on the device and are not retained in the cloud. Entry handles only the derivative data (embeddings) that is compatible only with Entry systems.