Security

Just how secure is Parsec?

At Parsec, high security is as important as near-zero latency. We want you to experience a seamless connection and feel safe while you do so. To show that we are committed to this promise, we are proud to announce that we are SOC2 Type 1 certified!

We also value transparency, and know that information security thrives this way. Here we dive into some of the steps we take to ensure that your experience and data are safe and secure.

How does Parsec keep my data secure?

Your peer-to-peer stream never passes through the Parsec infrastructure. After our backend authenticates and authorizes a connection between your peers, your data flows directly between those peers. We cannot access it, and the data is encrypted.

And now for some tech speak: the data shared between your peers is encrypted using industry-standard raw AES-GCM. AES (128-bit keys) encrypts the data, and GCM is used for integrity checks.

What kind of data encryption does Parsec use?

Our system uses IP addresses, usernames, and email addresses to broker authentication and authorization. (This data is also included in your team’s security audit logs, which are accessible via the Parsec for Teams admin panel and API). Data is encrypted at rest using industry-standard AES-256 encryption and encrypted in transit using a minimum of TLSv1.2 with carefully audited cipher suites.

What are Parsec’s security certifications?

As of February 15 2023, we are happy to announce that we have achieved SOC 2 Type 1 certification! A copy of our report is available after signing an MNDA with Unity. Our infrastructure also complies with AWS Foundational Security Best Practices and CIS AWS Foundations Benchmark.

What additional product security measures does Parsec take?

External security testing

We nurture a healthy security bug bounty program, encouraging the best security researcher talent on the internet to continuously test our products and identify problem areas. To level up our testing, we hire an accredited pentesting company to penetration test our product at least once a year.

In addition to these external tests, we make it easy for our user base to report any security issues by providing an easy contact form for our security team on our site as well as an active social media presence.

Infrastructure security

The smaller the attack surface on our infrastructure, the easier it is to guard. We back that up with systems for security defense, detection, and visibility.

Secure software development lifecycle

We embed security into each step of our development lifecycle. At the design step, we use Security Reviews, Rapid Risk Assessments, Threat Models, and Abuser Stories (user stories to prevent hacking). These all help secure our designs from the beginning.

During the implementation phases, we use industry leading systems to scan code for security vulnerabilities. On top of that, we use security platforms to detect and protect our software from possible supply-chain attacks or third-party vulnerabilities in any dependencies.

After a feature is complete, our security team performs yet another security test and review. After this, we introduce the new feature to our pentesting program to get additional security test coverage.