Storing identifiers

It’s critical to properly handle the identifiers returned by Bridge (the client-side component that your users interact with to link their payroll accounts to Citadel and allow you to access those accounts via the Citadel API) and by direct API endpoints.

Citadel's identifiers let you associate API and Provider events with your requests, and will help our support team resolve your support issues faster.

❗️

Make sure an access_token (a private token unique to a single Link, used to access that Link's data and initiate any actions on it) is never exposed on the client side. Store these tokens securely on your backend and associate them with the users of your application; the client should only ever see an opaque reference to the Link, never the token itself.

🚧

A user can have multiple access_tokens (one per Link) if they have accounts with multiple payroll providers, so your backend storage must allow several tokens per user rather than a single token column.
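The two callouts above describe a storage pattern: tokens live only on the backend, are keyed by your own user, one user may own several of them, and the client receives Link metadata but never a token. The following is an added illustrative example of that pattern and is not Citadel's own code. It assumes an in-memory SQLite table standing in for your real database, hypothetical `link_id`/`provider` values, and constructed token strings; encryption at rest and your application's session handling are out of scope here.

```python
"""Backend-only storage of Citadel access_tokens, keyed by application user.

Added example, not Citadel's code. link_id, provider and token values below
are constructed placeholders; SQLite in memory stands in for a real database.
"""
import json
import sqlite3
from dataclasses import asdict, dataclass
from typing import List, Optional


class LinkNotFound(LookupError):
    """Raised when a Link does not exist or is not owned by the requesting user."""


@dataclass(frozen=True)
class PayrollLink:
    """The only view of a Link that is allowed to reach the client."""
    link_id: str
    provider: str


class TokenVault:
    """Holds access_tokens on the server; only Link metadata ever leaves it."""

    def __init__(self, conn: Optional[sqlite3.Connection] = None) -> None:
        self.conn = conn or sqlite3.connect(":memory:")
        # (user_id, link_id) is the key: one row per Link, so a user with
        # several payroll providers simply has several rows and several tokens.
        self.conn.execute(
            "CREATE TABLE IF NOT EXISTS payroll_links ("
            " user_id TEXT NOT NULL,"
            " link_id TEXT NOT NULL,"
            " provider TEXT NOT NULL,"
            " access_token TEXT NOT NULL,"
            " PRIMARY KEY (user_id, link_id))"
        )

    def save_link(self, user_id: str, link_id: str, provider: str, access_token: str) -> None:
        """Persist a freshly issued access_token for the user who completed Bridge."""
        self.conn.execute(
            "INSERT OR REPLACE INTO payroll_links VALUES (?, ?, ?, ?)",
            (user_id, link_id, provider, access_token),
        )
        self.conn.commit()

    def links_for_client(self, user_id: str) -> List[PayrollLink]:
        """Metadata the browser or mobile app may see: link ids and providers, no tokens."""
        rows = self.conn.execute(
            "SELECT link_id, provider FROM payroll_links WHERE user_id = ? ORDER BY link_id",
            (user_id,),
        ).fetchall()
        return [PayrollLink(link_id=r[0], provider=r[1]) for r in rows]

    def access_token_for(self, user_id: str, link_id: str) -> str:
        """Backend-only lookup used right before calling the Citadel API.

        user_id in the WHERE clause is the ownership check: a caller acting
        for user A cannot obtain the token behind user B's link_id.
        """
        row = self.conn.execute(
            "SELECT access_token FROM payroll_links WHERE user_id = ? AND link_id = ?",
            (user_id, link_id),
        ).fetchone()
        if row is None:
            raise LinkNotFound(f"no link {link_id!r} for user {user_id!r}")
        return row[0]

    def leaks_token(self, payload: str) -> bool:
        """Test guard: True if any stored access_token appears verbatim in an outbound payload."""
        tokens = [r[0] for r in self.conn.execute("SELECT access_token FROM payroll_links")]
        return any(t in payload for t in tokens)


def client_response(vault: TokenVault, user_id: str) -> str:
    """JSON body sent to the client; it carries Link metadata only."""
    return json.dumps([asdict(link) for link in vault.links_for_client(user_id)])


def demo() -> TokenVault:
    """Constructed sample data: user-42 is linked to two providers, user-77 to one."""
    vault = TokenVault()
    vault.save_link("user-42", "link-a", "provider-a", "tok_a_constructed")
    vault.save_link("user-42", "link-b", "provider-b", "tok_b_constructed")
    vault.save_link("user-77", "link-c", "provider-a", "tok_c_constructed")
    return vault


if __name__ == "__main__":
    v = demo()
    body = client_response(v, "user-42")
    print(body)                      # two links, no token strings
    print(v.leaks_token(body))       # False
    print(v.access_token_for("user-42", "link-b"))  # server-side use only
```

The `leaks_token` guard is worth wiring into your test suite for every serializer and log formatter that touches Link data: it turns "never exposed on the client side" from a policy statement into a failing test.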

Security overview

Citadel’s SOC 2 Type II audit was performed by Dansa D’Arata Soucia LLP, facilitated by Vanta, and our compliance period began May 1st, 2021. A copy of Citadel ID’s SOC 2 Type II report can be requested under NDA.

On top of the standard practices, we use an additional layer of encryption in all of our systems for sensitive data and only allow access on a need-to-know basis.

We have strict procedures in place for who can request or be approved for access, and we log every step along the way: who has access to what data and when, who approved the request, and what the outcome was. No one can access data except in exceptional cases where access is truly required; such access is granted for 24 hours at a time and is revoked automatically.

Routine testing

  • Citadel is SOC 2 Type II compliant and we use Vanta, a leading SOC 2 continuous monitoring and compliance software, to keep an eye on and track all of our controls
  • Citadel regularly undergoes both internal and external network penetration tests as well as third-party code reviews

Access controls

  • Role-based access controls are enforced at each layer of infrastructure
  • Multi-factor authentication is required for access to Citadel infrastructure
  • All application and user access logs are stored centrally and monitored
