Skip to main content
MYID Self Verify
Platform Manage Protect Autopilot Analytics Case Studies Compliance Support
Support Book a Demo
Security

Security Disclosure

Current product controls, evidence boundaries, deployment responsibilities, and the way to report a concern.

security@ext.myidselfverify.com

Last reviewed
July 18, 2026
Product operator
Software Productivity Strategists, Inc.
Security reports
security@ext.myidselfverify.com
Scope matters. This public marketing website is hosted separately from the MYID application platform. Product deployment controls, providers, regions, retention, and assurance evidence vary by customer. Infrastructure provider certifications do not automatically certify MYID or SPS.

Contents

  1. Architecture
  2. Tenant controls
  3. Identity and session security
  4. Mobile security
  5. Data and secrets
  6. Audit evidence
  7. Performance telemetry
  8. Connected providers
  9. Development and release
  10. Operations and resilience
  11. Customer responsibilities
  12. Security incidents
  13. Compliance and assurance
  14. Responsible disclosure

1. Architecture

MYID includes a Flutter mobile application, a Java service and API layer, a protected administration console, a PostgreSQL data layer for configured production use, and adapters for identity, directory, security, training, messaging, and mobile notification providers.

The mobile client is not intended to contain provider client secrets, service account keys, directory bind credentials, QRadar tokens, messaging secrets, or cloud administration credentials. Provider calls that require such secrets are performed by the server or approved infrastructure.

2. Tenant controls

Company configuration identifies the tenant, enabled modules, active provider, branding, support route, and integration settings. The mobile app should show only functions the company enables and the server can support.

Tenant scoped audit and performance contracts derive the company from a signed token rather than accepting a caller selected company value. Direct customer credential issuance, expiration, and revocation must be operationally provisioned before a customer receives direct API access. Until then, approved tenant exports are provided through the platform team.

3. Identity and session security

Server authentication and authorization use signed session or access tokens, tenant context, role or scope checks, and route protection. Refresh credentials and access credentials have different purposes and should not be accepted interchangeably. Revoked sessions should be rejected by protected APIs.

Administrator access is designed for enterprise identity protection and role control. A platform administrator account must not be supplied to a customer merely to provide tenant data.

4. Mobile security

Protected local storage is used for eligible company and session state. Biometric return uses the operating system authentication service and does not send a face or fingerprint template to MYID. Sensitive actions can require a new biometric or OTP step.

The app validates company bootstrap data, protects signed in routes, scopes caches by company and user, and can route notifications to protected screens after authentication. Profile images can use a local cache and a separate background refresh path.

5. Data and secrets

Production deployments should use encrypted network transport, protected secret references, least privilege provider identities, restricted database roles, encrypted backups, and separated environments. The exact implementation must be verified for each customer environment.

Passwords, proposed passwords, OTP values, recovery codes, authorization values, tokens, cookies, API keys, client secrets, private keys, push tokens, and similar authentication material must not be stored in ordinary logs or public support messages.

6. W7 audit evidence

MYID structures API and business audit evidence around Who, What, When, Where, Why, How, and Outcome. Records can include tenant, actor, method, route, status, duration, correlation, capture mode, safely captured values, length, and integrity data.

A record must say whether a request or response body was complete, partial, summarized, or unavailable. Exact length and integrity data are recorded only when all bytes were observed. Binary, large, unknown length, or connector specific payloads can have limited capture.

Shared web client integrations can capture outbound response evidence. A generic client filter cannot always read the final serialized outbound request body without changing the request. Non web client integrations such as LDAP, SMTP, Firebase, and process based adapters require dedicated feature evidence. The platform must not claim universal exact wire capture until each adapter provides it.

Audit events are stored in the configured platform data layer. Immutable storage, cryptographic record chaining, customer credential lifecycle, scheduled archival, and automated deletion are deployment controls that must be separately provisioned where required.

7. Performance telemetry

Mobile telemetry can collect bounded samples for API duration, status, normalized operation, frame build time, frame raster time, and jank. It is designed to exclude credentials, request bodies, device identifiers, and user entered values.

Protected administration endpoints can provide current run tenant summaries with counts, failure rate, average, percentiles, maximum, frame timing, and normalized operation breakdowns. Durable history across server restarts requires an authenticated Prometheus collection identity and a configured monitoring store.

Collection limits, normalized tags, bounded tenant buffers, and a kill switch reduce the risk that telemetry affects the user operation it measures.

8. Connected providers

Every provider has its own permissions, availability, security, data, timeout, and consistency behavior. MYID capability flags do not replace a live readiness test. A provider authorization failure must be attributed to that provider and must not be presented as failure of an unrelated identity action.

MYID should not expose company wide security incidents to an individual when ownership cannot be established. A pending or missing provider result must not be converted into a final healthy result.

9. Development and release

The release process can include source review, unit and integration tests, static analysis, platform builds, dependency review, secret scanning, representative smoke tests, performance tests, backup, rollback material, and documented production gates.

A passing build does not prove production readiness. Provider permissions, real device behavior, notification delivery, customer data mapping, observability, legal approval, and rollback must also be validated. Unresolved findings should keep a release out of customer production.

10. Operations and resilience

Recovery time, recovery point, availability, support time, monitoring coverage, retention, and notification commitments apply only when documented for the specific deployment or signed agreement. This public page does not promise a universal uptime or recovery objective.

Customers should maintain an independent helpdesk and identity recovery path. A mobile self service product must not become the only way to recover from the failure of that same product or a connected provider.

11. Customer responsibilities

Customers must test every enabled action in a representative environment, provide lawful instructions and notices, control administrator and provider permissions, maintain secret and network security, verify audit and retention needs, monitor results, train support teams, preserve a rollback path, and obtain their own legal and compliance approval.

Customers must disable an action that is not fully configured or behaves unexpectedly. Security and identity actions should be verified against the authoritative provider when a result is delayed or uncertain.

12. Security incidents

SPS investigates reported security concerns, takes proportionate containment and remediation action, preserves relevant evidence, and communicates with affected customers as required by the signed agreement and applicable law. A public page does not replace a customer incident response plan.

Report a suspected MYID vulnerability or unauthorized access to security@ext.myidselfverify.com. Do not include credentials or access data you do not own.

13. Compliance and assurance

MYID supports security programs informed by NIST SP 800 53 and Virginia SEC530, with identity, authentication, audit, privacy, and response capabilities that help customers address applicable requirements under HIPAA, PCI DSS, GLBA, FERPA, CJIS, and privacy laws.

Review the Compliance page for framework coverage, control evidence, and official sources.

14. Responsible disclosure

Act in good faith, respect privacy, avoid disruption, use only accounts and data you are authorized to use, and do not publicly disclose a suspected issue before SPS has a reasonable opportunity to investigate. Written authorization is required before testing production security.

Send the affected service, safe reproduction steps, observed result, potential impact, and contact information to security@ext.myidselfverify.com. SPS does not promise a reward or safe harbor beyond what is stated in a separate written authorization.

Compliance Status Privacy Policy Support Center
MYID Self Verify

Mobile identity operations, user guided security response, tenant controls, truthful synchronization, and measurable performance around the systems your organization already owns.

mail public

Product

  • Platform
  • Manage
  • Protect
  • Autopilot
  • Analytics
  • Mobile App
  • Enterprise MFA
  • IBM Verify
  • Pricing

Trust

  • Security
  • Compliance
  • Data Processing
  • Subprocessors
  • Accessibility
  • Legal Center

Support

  • Support Center
  • Employee Guide
  • Administrator Guide
  • How Data Is Used
  • Privacy Request
  • Account Deletion
  • Contact Us

Company

  • Case Studies
  • SPS, Inc.
  • General Contact
  • Security Contact
  • Privacy Contact
© 2026 Software Productivity Strategists, Inc. MYID Self Verify is an SPS product.
Privacy Terms Cookies Cookie choices
Your analytics choice

We use optional first party analytics to understand when people visit, where they came from, which pages they use, and the general device category. We do not use advertising trackers or sell this information. Read our Cookie Notice.