We ensure that the machines within the Geckoboard infrastructure are protected from the ground up. We use Amazon Web Services (AWS) for our hosting. AWS is an industry leader and provides a highly scalable cloud computing platform with end-to-end security and privacy features built in.
Access to these data centers is strictly controlled and monitored using a variety of physical controls, intrusion detection systems, environmental security measures, 24 x 7 on-site security staff, biometric scanning, multi-factor authentication, video surveillance and other electronic means. All physical and electronic access to data centers by Amazon employees is authorized strictly on a least-privilege basis and is logged and audited routinely.
AWS maintains an extensive list of reports, certifications and independent assessments, including ISO 9001, PCI DSS Level 1, SOC 1, SOC 2 and SOC 3, and attestations covering the EU Data Protection Directive (Directive 95/46/EC), that demonstrate the ongoing security of its data centers. They've devoted an entire portion of their site to explaining their security measures and compliance certifications.
Geckoboard employees do not have physical access to our servers in AWS. Electronic access to AWS servers and services is restricted to a core set of approved Geckoboard staff only.
Password and credential storage
All passwords for Geckoboard accounts are filtered from our logs and are stored in the database only as one-way bcrypt hashes; bcrypt generates a random salt for each password, so two identical passwords produce different hashes and the original password cannot be recovered from the stored value. Login information is always sent over HTTPS (see “Communication Security”).
Nobody on the Geckoboard team can view your account password. If you lose your password, you will need to go through our password reset procedure, which will email you a link to choose a new password.
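The two controls described above, salted one-way password hashing and filtering credentials out of logs, as an added example (this is illustrative code, not Geckoboard's own). It uses PBKDF2-HMAC-SHA256 from the Python standard library as a stand-in for bcrypt so that it runs without a third-party package; the shape (fresh random salt per password, slow one-way hash, constant-time comparison on verification) is the same as bcrypt's gensalt/hashpw/checkpw. The iteration count, the storage format and the list of sensitive parameter names are assumptions made for the example.

```python
import hashlib
import hmac
import os
import re

# Assumed work factor for the example; tune it to the hardware like a bcrypt cost.
ITERATIONS = 200_000


def hash_password(password, salt=None):
    """Return 'pbkdf2$<iterations>$<salt-hex>$<hash-hex>'.

    A fresh 16-byte salt is drawn for every call, so hashing the same
    password twice yields two different stored values.
    """
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"pbkdf2${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password, stored):
    """Recompute the hash with the stored salt and compare in constant time.

    Nothing here ever decrypts anything: the only way to check a password is
    to hash the candidate and compare the results.
    """
    try:
        scheme, iterations, salt_hex, hash_hex = stored.split("$")
    except ValueError:
        return False
    if scheme != "pbkdf2":
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest.hex(), hash_hex)


# Log filtering: request parameters whose names look like credentials are
# replaced before the line is written to the log. Constructed key list.
SENSITIVE_KEYS = ("password", "password_confirmation", "token", "secret")
_PARAM_RE = re.compile(r"(?P<key>[A-Za-z_]+)=(?P<value>[^&\s]*)")


def redact_params(line):
    """Replace the value of every sensitive key=value pair in a log line."""
    def _sub(match):
        if match.group("key").lower() in SENSITIVE_KEYS:
            return f"{match.group('key')}=[FILTERED]"
        return match.group(0)
    return _PARAM_RE.sub(_sub, line)


if __name__ == "__main__":
    stored = hash_password("correct horse battery staple")
    print(stored)
    print(verify_password("correct horse battery staple", stored))  # True
    print(verify_password("wrong guess", stored))                   # False
    # Constructed request line, as it would appear before log filtering.
    print(redact_params("POST /login email=a@example.com&password=hunter2"))
```

The stored string carries its own salt and work factor, so the cost can be raised later and old hashes re-verified and upgraded on the next successful login; `hmac.compare_digest` keeps the comparison from leaking how many leading bytes matched.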
Credit Card Security
Geckoboard is PCI DSS compliant. For additional security, when you purchase a paid Geckoboard subscription, your credit card data is neither transmitted through nor stored on our systems. All of Geckoboard’s credit card processing is handled by Recurly, a payment-processing company dedicated to this task.
Recurly is certified to PCI Service Provider Level 1 – the most stringent level of certification available. You can read more about their privacy and security policies here: https://recurly.com/legal/privacy and here: https://recurly.com/security/.
Communication Security
All communication between your computer and Geckoboard is encrypted using HTTPS (TLS with 128-bit or stronger cipher keys). This is the same level of encryption used by banks and financial institutions, and it is designed to prevent third parties from reading or tampering with the information you send to and receive from Geckoboard.
We also use HTTPS when fetching your data from third party services.
There are three exceptions where we cannot use HTTPS. In each of them the affected hop travels over plain HTTP, so anyone on the network path can read or alter that traffic:
When you specify a URL that does not use HTTPS for a polling widget
When you use an integration with an API that does not support HTTPS
When you use a custom domain to access your Geckoboard account
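An added example (illustrative code, not Geckoboard's) of the two checks behind these exceptions. The first is a fetch policy for polling-widget and integration URLs: HTTPS is the default and a plain-HTTP URL is only fetched when the user has explicitly accepted the downgrade for it. The second shows the usual reason a custom domain cannot be served over HTTPS: the browser checks the hostname it typed against the names in the server's certificate, and a certificate issued for the service's own domain does not cover a customer's domain, so the check below fails for it. The helper names, the `allow_plain_http` flag and the certificate name list are assumptions made for the example; the name list is constructed and is not taken from any real certificate.

```python
from urllib.parse import urlsplit


class InsecureTransport(Exception):
    """Raised when a fetch would have to fall back to plain HTTP."""


def check_fetch_url(url, allow_plain_http=False):
    """Return the scheme a fetch will use, or raise unless plain HTTP was opted into.

    Hypothetical policy helper: only HTTPS is fetched by default; an http://
    URL is accepted solely when the user explicitly allowed the downgrade for
    that URL (the polling-widget and HTTP-only API cases above).
    """
    parts = urlsplit(url)
    if parts.scheme == "https":
        return "https"
    if parts.scheme == "http" and allow_plain_http:
        return "http"
    raise InsecureTransport(f"refusing to fetch {url!r} without HTTPS")


def hostname_matches(cert_names, hostname):
    """RFC 6125-style hostname check as a browser performs it.

    A name matches if it is identical to a certificate name, or if the
    certificate name is a wildcard whose '*' stands for exactly one leftmost
    label (so '*.example.com' covers 'app.example.com' but not
    'a.b.example.com' and not 'example.com').
    """
    host_labels = hostname.lower().rstrip(".").split(".")
    for name in cert_names:
        labels = name.lower().rstrip(".").split(".")
        if labels == host_labels:
            return True
        if (
            labels[0] == "*"
            and len(labels) >= 3
            and len(labels) == len(host_labels)
            and labels[1:] == host_labels[1:]
        ):
            return True
    return False


# Constructed subject-alternative-name list standing in for the service's
# certificate; it is not copied from any real certificate.
SERVICE_CERT_NAMES = ["geckoboard.com", "*.geckoboard.com"]


if __name__ == "__main__":
    print(check_fetch_url("https://api.example.com/stats.json"))           # https
    print(check_fetch_url("http://legacy.example.com/stats.json", True))   # http
    try:
        check_fetch_url("http://legacy.example.com/stats.json")
    except InsecureTransport as exc:
        print(exc)
    # Service-owned hostname: covered by the certificate.
    print(hostname_matches(SERVICE_CERT_NAMES, "app.geckoboard.com"))      # True
    # Customer's custom domain pointed at the service: not covered, so the
    # browser would reject the certificate and the page falls back to HTTP.
    print(hostname_matches(SERVICE_CERT_NAMES, "dashboard.example.com"))   # False
```

The custom-domain failure is a certificate coverage problem rather than a transport one: it goes away only when a certificate that names the customer's domain is provisioned and served for it.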