With Layer, all communication to and from our servers is encrypted using Transport Layer Security (TLS) with both server- and client-side authentication for devices. We authenticate client devices by pinning PKCS #12 certificates to them and by accepting connections only from devices that present a valid certificate as part of the TLS handshake.
Once a device connects, we verify that the user of the device has been authenticated by you. We do this by requiring the client to respond to a challenge from our servers with a user token that is signed by your application backend. We do not accept requests from users who have not been authenticated.
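The challenge-response step described above, sketched as an added example that is not Layer's code. The token layout, the HMAC-SHA256 tag standing in for the backend's signature scheme (which the page does not specify), the 60-second lifetime, and all function names are assumptions.

```python
import base64, hashlib, hmac, json, secrets, time

BACKEND_KEY = secrets.token_bytes(32)  # assumption: key known to backend and verifier
NONCE_TTL = 60                         # assumption: seconds a challenge stays valid
_pending = {}                          # server side: nonce -> time it was issued

def issue_challenge(now=None):
    """Server: give the connected device a fresh, single-use nonce."""
    nonce = secrets.token_urlsafe(16)
    _pending[nonce] = time.time() if now is None else now
    return nonce

def sign_user_token(user_id, nonce, key=BACKEND_KEY):
    """Application backend: after authenticating the user, bind the id to the nonce."""
    claims = json.dumps({"uid": user_id, "nonce": nonce}, sort_keys=True)
    body = base64.urlsafe_b64encode(claims.encode()).decode()
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return body + "." + tag

def verify_user_token(token, now=None, key=BACKEND_KEY):
    """Server: return the user id for a valid response, otherwise None."""
    now = time.time() if now is None else now
    body, sep, tag = token.partition(".")
    expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    # Constant-time comparison; a failure here means the backend did not sign it.
    if not sep or not hmac.compare_digest(tag.encode(), expected.encode()):
        return None
    claims = json.loads(base64.urlsafe_b64decode(body))
    # pop() makes the nonce single use: a replayed token finds nothing.
    issued = _pending.pop(claims.get("nonce"), None)
    if issued is None or now - issued > NONCE_TTL:
        return None                    # never issued, already used, or expired
    return claims.get("uid")

if __name__ == "__main__":
    nonce = issue_challenge()                    # server -> device
    token = sign_user_token("user-123", nonce)   # device -> backend -> device
    print("first use:", verify_user_token(token))
    print("replay:   ", verify_user_token(token))
```

Binding the token to a server-issued nonce is what stops a captured token from being reused on a later connection.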
Our servers reside in data centers that have completed ISO 27001, SSAE-16, SOC 1, SOC 2, and SOC 3 certifications. All data written to disk are encrypted on the fly and then transmitted and stored in encrypted form. And since Layer messages can carry any kind of data, you are always free to additionally encrypt messages end-to-end before sending them.
Only a few key employees have access to our production servers. We have strict privacy, security, and operations policies that apply to all our employees, and comply with the U.S.-EU Safe Harbor Framework.