Learn more about Authgear

Security

We employ security controls to physical to application levels to ensure our customers can focus on their apps, while the authentication parts and infrastructure behind are taken care by us.

Security Assessments and Compliance

Data Centers
Authgear’s physical infrastructure is hosted and managed within Google’s secure data centers around the globe and utilizes the Google Cloud Platform (GCP) technology. Independent and thorough assessments on security, privacy and compliance controls are regularly conducted by Google to ensure they are up to industry standards. In fact, Google's data center operations have been accredited under:

  • ISO 27001
  • ISO/IEC 27017
  • ISO/IEC 27018
  • SOC 1/2/3
  • PCI DSS
  • CSA STAR

On the other hand, Stripe, a PCI DSS Level 1 compliant payment gateway, is our choice for securing and processing card payments.

Payment Card Industry Data Security Standard (PCI DSS) Compliance

PCI DSS is a set of industry-mandated requirements that applies to any business that handles, processes, or stores credit cards regardless of the its size or location.

Authgear does not fall into that category, as we do NOT store any financial data nor process payments.

Security Measures from Data Centers

Google-managed data centers are certified with ISO 27001. Google has many years of experience in securing data and handling emergencies at large-scale data centers all over the world, and they have applied this experience to GCP and its infrastructure.

These facilities are one of the safest residence for your data, with a world-wide industry-leading security team works 24/7 monitoring and constantly improving the security measures. Data is distributed across multiple machines in different locations with various backups replicated to avoid a single point of failure. Backup data is chunked for random distribution to add an extra layer of security, making it not human-readable.

Physically, secure perimeter defense systems, comprehensive camera coverage and 24/7 guard teams are deployed to prevent any unauthorized access. Plus, data center staffs are trained to be security minded, and their access to the facilities is immediately revoked once they do not have a need for these privileges.

Regular tracking and monitoring are applied to hard drives at these facilities as well, and when one has reached the end of it life, it will be destroyed through a thorough, multi-step process.

Environmental Safeguards

Fire Detection and Suppression
Robust disaster recovery measures are applied in place. In the event of a fire or other physical disruption, data is shifted automically to other data centers, allowing the users to work uninterrupted.

Power
Power failure is also considered, with backup generators installed in response to that.

Climate and Temperature Control
Climate control is required to maintain a constant operating temperature for servers and other hardware, which prevents overheating and reduces the possibility of service outages. Data centers are designed to maintain atmospheric conditions at optimal levels. Monitoring systems and data center personnel ensure temperature and humidity are at the appropriate levels.

Network Security

Firewalls
Firewalls are utilized to restrict access to systems from external networks and between systems internally. By default, all access is denied and only explicitly allowed ports and protocols are allowed based on business need. Each system is assigned to a firewall security group based on the system’s function. Security groups restrict access to only the ports and protocols required for a system’s specific function to mitigate risk.

Spoofing and Sniffing Protections
Managed firewalls prevent IP, MAC, and ARP spoofing on the network and between virtual hosts to ensure spoofing is not possible. Packet sniffing is prevented by infrastructure including the hypervisor which will not deliver traffic to an interface which it is not addressed to. Authgear utilizes application isolation, operating system restrictions, and encrypted connections to further ensure risk is mitigated at all levels.

Port Scanning
Port scanning is prohibited and every reported instance is investigated by our infrastructure provider. When port scans are detected, they are stopped and access is blocked.

Data Security

Customer data is stored in separate access-controlled databases per application. Customers with multiple applications are assigned separate databases per application to mitigate the risk of unauthorized access between applications.

System Security

System Configuration
System configuration and consistency are maintained through standard up-to-date images, configuration management software, and by replacing systems with updated deployments. Systems are deployed using verified and safe images that are updated with configuration changes and security updates before deployment. Once deployed, existing systems are decommissioned and replaced.

System Authentication
Operating system access is limited to Authgear staffs only and requires username, key and multi-step authentication. Operating systems do not allow password authentication to prevent password brute-force attacks, theft, and sharing.

Disaster Recovery

Authgear is designed for stability and scaling, and inherently mitigates common issues that lead to outages while maintaining recovery capabilities. Our platform maintains redundancy to prevent single points of failure, and is able to replace failed components.

Access to Customer Data

Authgear staff does not access or interact with customer data or applications as part of normal operations. There may be cases where Authgear is requested to interact with customer data or applications at the request of the customer for support purposes or where required by law. Authgear may also inspect customer data to debug and troubleshoot platform issues.
Try Authgear - it's awesome!
Talk to us
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.
Looking for resources?