
Security & Compliance

Security

Security Assessments and Compliance

At Authgear, we take data security extremely seriously, being both ISO 27001 and SOC 2 Type II compliant. This affirms our commitment to implementing and maintaining the highest standards of information security and operational integrity.

  • ISO 27001: Ensures Authgear's Information Security Management System (ISMS) meets international best practices for managing sensitive company and customer information.
  • SOC 2 Type II: Validates Authgear's ability to securely manage customer data, ensuring trust and privacy across critical service criteria.

Feel free to reach us via our contact form for more details on our security certifications.

Data Centers

Authgear's physical infrastructure is hosted and managed within Google's secure data centers around the globe and utilizes the Google Cloud Platform (GCP) technology. Independent and thorough assessments on security, privacy and compliance controls are regularly conducted by Google to ensure they are up to industry standards. In fact, Google's data center operations have been accredited under:

  • ISO 27001
  • ISO/IEC 27017
  • ISO/IEC 27018
  • SOC 1/2/3
  • PCI DSS
  • CSA STAR

On the other hand, Stripe, a PCI DSS Level 1 compliant payment gateway, is our choice for securing and processing card payments.

Payment Card Industry Data Security Standard (PCI DSS) Compliance

PCI DSS is a set of industry-mandated requirements that applies to any business that handles, processes, or stores credit cards, regardless of its size or location.

Authgear does not fall into that category, as we do NOT store any financial data nor process payments.

Security Measures from Data Centers

Google-managed data centers are certified with ISO 27001. Google has many years of experience in securing data and handling emergencies at large-scale data centers all over the world, and they have applied this experience to GCP and its infrastructure.

These facilities are among the safest places for your data, with a world-wide, industry-leading security team working 24/7 to monitor and constantly improve the security measures. Data is distributed across multiple machines in different locations with various backups replicated to avoid a single point of failure. Backup data is chunked for random distribution to add an extra layer of security, making it not human-readable.

Physically, secure perimeter defense systems, comprehensive camera coverage and 24/7 guard teams are deployed to prevent any unauthorized access. In addition, data center staff are trained to be security minded, and their access to the facilities is immediately revoked once they no longer need these privileges.

Hard drives at these facilities are also regularly tracked and monitored, and when one has reached the end of its life, it is destroyed through a thorough, multi-step process.

Environmental Safeguards

Fire Detection and Suppression

Robust disaster recovery measures are in place. In the event of a fire or other physical disruption, data is shifted automatically to other data centers, allowing users to work uninterrupted.

Power

Power failure is also accounted for, with backup generators installed.

Climate and Temperature Control

Climate control is required to maintain a constant operating temperature for servers and other hardware, which prevents overheating and reduces the possibility of service outages. Data centers are designed to maintain atmospheric conditions at optimal levels. Monitoring systems and data center personnel ensure temperature and humidity are at the appropriate levels.

Network Security

Firewalls

Firewalls are utilized to restrict access to systems from external networks and between systems internally. By default, all access is denied and only explicitly allowed ports and protocols are allowed based on business need. Each system is assigned to a firewall security group based on the system's function. Security groups restrict access to only the ports and protocols required for a system's specific function to mitigate risk.

Spoofing and Sniffing Protections

Managed firewalls prevent IP, MAC, and ARP spoofing on the network and between virtual hosts. Packet sniffing is prevented by the infrastructure, including the hypervisor, which will not deliver traffic to an interface to which it is not addressed. Authgear utilizes application isolation, operating system restrictions, and encrypted connections to further ensure risk is mitigated at all levels.

Port Scanning

Port scanning is prohibited and every reported instance is investigated by our infrastructure provider. When port scans are detected, they are stopped and access is blocked.

System Security

System Configuration

System configuration and consistency are maintained through standard up-to-date images, configuration management software, and by replacing systems with updated deployments. Systems are deployed using verified and safe images that are updated with configuration changes and security updates before deployment. Once deployed, existing systems are decommissioned and replaced.

System Authentication

Operating system access is limited to Authgear staff only and requires username, key and multi-step authentication. Operating systems do not allow password authentication, which prevents password brute-force attacks, theft, and sharing.

Disaster Recovery

Authgear is designed for stability and scaling, and inherently mitigates common issues that lead to outages while maintaining recovery capabilities. Our platform maintains redundancy to prevent single points of failure, and is able to replace failed components.

Access to Customer Data

Authgear staff do not access or interact with customer data or applications as part of normal operations. There may be cases where Authgear interacts with customer data or applications at the request of the customer for support purposes or where required by law. Authgear may also inspect customer data to debug and troubleshoot platform issues.

Authgear is provided by SkyMakers Digital Group
© 2026 Authgear. All rights reserved.