Skip to main content

Manage Personally Identifiable Information

Nevis manages fields marked as Personally Identifiable Information (PII) as though they contain personal information or personal data. That is, Nevis implements technical and organizational security controls appropriate to the risk associated with that data.

Data is not visible to Nevis employees unless they are acting as a surrogate for you, that is, debugging on your behalf, or have other legitimate business needs to access it.

Also, values are anonymized or removed when we need to hold on to information for statistical analysis, reporting, and capacity planning - none of which require the PII itself.

Hash PII

For increased user privacy needs, you can hash PII before sending it to Authentication Cloud, except for the following cases:

  • PII data within approvals cannot be hashed and has to be plain text. PII data within approvals is stored only for the duration of the approval, including the content of the message.
  • The name of the authenticator sent directly from the phone can contain PII data, such as the first name of a user.

For hashing PII, we recommend using the following scheme (pseudo code):

Prefix    = "u_"               // static prefix to make sure the Result starts with A-Z / a-z
Secret = "my-secret" // static secret that never changes
Data = "[email protected]" // username with PII to hash

Result = Prefix + BASE64( HMAC( "SHA-256", Secret, Data ), urlsafe: True, noPadding: True )

The resulting hashed PII looks something like this:

"u_zz6raA4lSDrnOyWZdf_t1FueEcHpLACLGHsg7oCmFqo"