Security

Notify.gov is built for the needs of government agencies, with fundamental system security processes in place to:

  • protect user data
  • keep systems secure
  • manage risks around information

Notify.gov operates under a full three-year Authority-to-Operate (ATO). This federal security authorization process leverages security controls provided by the National Institute of Standards and Technology (NIST).

Our infrastructure runs on cloud.gov and utilizes several services through Amazon Web Services (AWS), including AWS SNS for sending SMS messages.

For more information about the Notify.gov infrastructure, contact us at notify-support@gsa.gov.

Data

On Notify.gov, data is encrypted both in transit and at rest. To send a message, agencies upload a spreadsheet of phone numbers and other necessary data from their existing data management system.

Notify.gov is not a system of record, so it does not have a System of Records Notice (SORN). Agencies are responsible for managing their data outside of Notify.gov.

Data retention

Any data uploads that have recipient data are held for seven calendar days; personally identifiable information (PII) is never stored in Notify’s database.

Multi-Factor Authentication

Notify.gov uses Login.gov for enhanced security. Login.gov is an extra layer of security created by the government that uses multi-factor authentication and stronger passwords to protect your account.

To access Notify.gov, users sign in with a Login.gov account associated with their agency (.gov) email address, using one of the multi-factor authentication methods offered through Login.gov.