Security

At Liminal We Believe that Your Data is Your Data

Security is a basic requirement at Liminal Network. Our architecture and products are designed from the ground up to ensure your data is protected.

Multi-factor authentication is required for all users. Whether you’re a customer, a partner, or an employee, you must use MFA to access your account. This is done after you’ve verified your email address.

Your partner credentials are encrypted. Your company’s credentials (and only your company’s credentials) are individually unlocked when you log in, and are automatically locked when your session times out, or you log out. We can’t use your partner or company’s credentials on your behalf if you have not logged into our website, or provided our API with a proper key.

We do this by generating a “public” and “private” keypair for you on account creation. The “public” key is stored and used any time Liminal Network needs to send you a private message. Your private key is encrypted and stored with an expanded version of the password you use to login.

Any credential you choose to store at Liminal Network for use, are individually encrypted with their own separate “session” keys. The session keys are encryped by your “public” key, only unlockable by your “private” key, which is only unlockable by you logging in.

Similarly, API keys also have unique public and private keys, with stored public and encrypted private key. Your API key decrypts the API’s private key, which allows the API to decrypt partner credentials on your behalf.

This is the exact same design, and uses almost all of the same code as the secure connection method that underlies SSL and the modern methods used in TLS. TLS is used to secure “https” connections we use on the internet, including how you are able to read this if you are visiting https://www.liminalnetwork.com/security (this page).

All keys, key storage, data, and data storage, are explicitly overwritten with random data upon deletion. This may be slower, but helps ensure the security of our platform.

When requested, we decrypt your “private” key attached to your session, and use that private key to decrypt your requested messages, or any needed “session” keys for carrier credentials if you are checking status with our Account dashboard.

When we prepare an API key at your request, we are encrypting all needed credentials for that key with individual “sub-session” keys, all of which are stored under a source “session” key. The source “session” is encrypted using an “expanded” version of the API key, as well as your “public” key. This allows you to add or remove credentials available to that API key later in the dashboard, and allows the API to access all needed credentials for any requests you make. Because each credential has its own “sub-session” key, we should never be in a situation where more than one credential is decrypted at any one time.

If you ever “forget” your password, you also lost the method to unlock your private key. Without your private key, you cannot unlock API keys, or your own messages we send you. You cannot see what API keys have access to what credentials. In effect, you are locked out of your own credentials and account. While having an API key may provide you temporary access to your stored credentials via the API, you will need to explicitly “migrate” any stored API keys, by providing them back to our Account dashboard after logging in with your new password.

We don’t store your data. We understand that APIs we access may contain information that is critical to your business. Whether we are helping to send or receive a tracking number, document, or other sensitive information, any temporary version we may have transmitted to you is deleted and overwritten with random data as soon as our system confirms you have received it.

Like every tech company, we have metrics. We track what calls are made, where they initiate and terminate, how long they take, and diagnostics such as failed transactions, failed logins, and others. We do not track or store the contents of API calls. You can learn more at https://www.liminalnetwork.com/metrics.