Security

Security From the Hardware On Up

We take security and privacy seriously

Verified software chain

Sandboxed networks

SSL everywhere

At-rest data encryption

Illustration of a diagonally cut in half matrix of dots with varied shades of light green color

Warrant Cananies

Removal of a canary implies that Seam has received one or more legal procedure preventing it from making such statement. Learn more about Warrant Canary (EFF).

FISA

Seam has never received a secret government request to hand over user information.

Wire Tapping

Seam has never installed law enforcement software or equipment in our stack or network.

SSL Keys

Seam has never turned over our SSL keys or our customers' SSL keys to anyone.

Data Handover

Seam has never provided any law enforcement organization a feed of our customers' data.

Account termination

Seam has never terminated a customer because of political pressure.

Encryption modification

Seam has never weakened, compromised, or subverted any encryption at the request of law enforcement or a third party.

Data modification

Seam has never modified customer data at the request of law enforcement or a third party.

Hardware

Image Flashing

All Seam hubs are flashed with our own machines. We do not provide the image directly to a third-party.

Secure Boot

Our operating system verifies itself at boot time to ensure that it has not be tampered with.

Secure Enclave

We store hub credentials in the device’s secure enclave to prevent introspection.

Private/Public Key

The hub generates its own key pair. The private key never leaves the device. The public key is provided to our servers for verifying signatures.

Signed & Verified Updates

All over-the-air updates are signed. The signature is checked when it is received by the device. We use The Update Framework to provide additional guarantees, such as preventing update replay attacks.

Filesystem Signing

(coming soon) -- We sign the hub filesystem to prevent offline tampering of software while your hub is off.

Networking

NAT Traversal

We do not require opening new ports or allowing traffic over non-standard TCP/IP ports.

Network Sandboxing

The Seam Hub comes equipped with its own WiFi and mesh network radios. All devices are sandboxes from your local area network.

Secure Communications

All communications between the Seam Infrastructure and Seam Hubs are encrypted.

Unique Auth Token

Each device receives a unique token for communicating with our cloud API.

API & Services

HTTPS Everywhere

We forces HTTPS for all services using TLS (SSL), including our public website, dashboard, and gateway clients.

Secure Headers

We use HSTS to ensure browsers interact with Seam only over HTTPS and we are working on adding Seam on the HSTS preloaded lists for major browsers.

Webhook Signatures

We sign all webhook request to your servers so that you can verify their authenticity.

API Key Storage

We do not store your Seam API key in clear and have no ability to decrypt it.

Credential Scanning

Seam API credentials are branded and submitted to major credential scanning programs to help prevent leaks from accidental version-control commits.

Infrastructure Isolation*

We can run your Seam Infrastructure separately from other Seam customers. We are also exploring letting you run Seam on your own servers for additional control and isolation. *(upon request)

Vulnerability Scanning

We scan our own software stack for vulnerabilities and perform updates when detected.

SSO & Soles

(coming soon) -- We support Single-Sign-On to give you greater control over who has access to your Seam apps, as well as permissions for finer granularity of resource access.