DocumentationAPI Reference
DocumentationAPI Reference

Security is at the core of our culture and we have operated from a security-first mentality from day one.

Persona's security philosophy follows three principles:

  • Building defense-in-depth against external threats
  • Protecting against human error
  • Guarding against misuse of insider access

For more information about our security measures, see our Security Statement or contact us.

Domains and IP Addresses

API access IP restrictions

If you are calling our external API with static IP addresses and want an additional layer of security beyond API key based authorization, you can restrict the IPs that Persona accepts requests from. To add IP addresses to the allowlist, visit the API Configuration Section within the Persona dashboard.

Webhook notifications

The full list of IP addresses that webhook notifications may come from is:

Embedded iframe

The Embedded Flow boots an iframe that loads Persona. If you'd like to restrict the allowed domains that are allowed to boot the Embedded Flow, you can configure allowed domains in the Integration Section page within the Persona dashboard.

Resuming pending inquiries

As inquiries contain PII, we restrict when inquiries can be resumed. While newly created inquiries can be accessed by anyone with a link to the inquiry, pending inquiries require a session token to be accessed by the end user. Session tokens can be passed via query string parameters for hosted flows and webviews, and via the client SDKs for embedded, inline, and native flows. Learn more about creating session tokens.

Additionally, pending inquiries are expired after a set time period (24 hours by default), after which the inquiry cannot be accessed or continued at all. Expired inquiries can be resumed via API. Learn more about resuming expired inquiries.

Note that if a user closes a pending inquiry and reopens it in a separate browser window, they will be unable to continue the inquiry without a new session token.