Geckoboard security

Details of how we work to ensure that all transactions, connections, and access are kept secure at all times.


We know your metrics are extremely important to you and your business. Our team works continuously to ensure that all transactions, connections, and access are kept secure at all times.

Data security

Physical security

Geckoboard uses Amazon Web Services (AWS) for our hosting. AWS is an industry leader and provides a highly scalable cloud computing platform with end-to-end security and privacy features built in.

Access to these data centers is strictly controlled and monitored using a variety of physical controls, intrusion detection systems, environmental security measures, 24x7 on-site security staff, biometric scanning, multi-factor authentication, video surveillance and other electronic means. All physical and electronic access to data centers by Amazon employees is authorized strictly on a least-privilege basis and is logged and audited routinely.

AWS maintains an impressive list of reports, certifications and independent assessments — including ISO 9001, PCI DSS Level 1, SOC1, SOC2, SOC3, the EU Data Protection Directive (Directive 95/46/EC) among others — to ensure complete and ongoing state-of-the-art data center security.

Geckoboard employees do not have physical access to our servers in AWS. Electronic access to AWS servers and services is restricted to a core set of approved Geckoboard staff only.

Password and credential storage

All passwords for Geckoboard accounts are filtered from our logs and are stored in the database only as salted, one-way bcrypt hashes, so the plaintext password is never kept. Login information is always sent over HTTPS (see “Communications security”).

Nobody on the Geckoboard team can view your account password. If you lose your password, you must go through our password reset procedure, which will email you a link to choose a new password.

Credit card security

Geckoboard is PCI DSS compliant. When you purchase a paid Geckoboard subscription, your credit card data is not transmitted through or stored on our systems. All of Geckoboard’s credit card processing is handled securely by Recurly, a company dedicated to this task.

Recurly is certified to PCI Service Provider Level 1 – the most stringent level of certification available. You can read more about their privacy and security policies here and here.

Communications security

All communication between your computer and Geckoboard is encrypted using HTTPS (128-bit TLS). This is the same level of encryption used by banks and financial institutions and is designed to prevent third parties from seeing sensitive information you send to or receive from Geckoboard.

We also use HTTPS to fetch your data from third-party services.

There are three exceptions where we cannot use HTTPS:

  • When you specify a URL that does not use HTTPS for a polling widget

  • When you use an integration with an API that does not support HTTPS

  • When you use a custom domain to access your Geckoboard account

Product security

Permissions and authentication for third-party services

When you connect Geckoboard to a third-party service, we store credentials that allow us to fetch data from that service. We use these credentials to continuously update your dashboards with the latest information available. If the third-party service allows us to choose how much of your data we can access, we will always request the minimum amount of data necessary to configure widgets and update your dashboards.

We encrypt credentials for these services with the AES-GCM cipher before storing them in our database, and we use a different 256-bit encryption key for each service.

Usage of these encryption keys is controlled by a tool called Vault (developed by HashiCorp) that we run within our infrastructure. Vault acts as a gatekeeper, ensuring that only specific applications within our system can access your data. Vault has been audited several times by independent security experts, and we closely monitor announcements from HashiCorp to ensure we’re always running the most secure version of Vault. See “Application, Systems and Software Security” for more details.
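As an added illustration of the per-service AES-GCM scheme described above (example code, not Geckoboard's own implementation): each integration gets its own 256-bit key, held here in a hypothetical in-memory map that stands in for Vault, and the service name is bound into the ciphertext as additional authenticated data. The names gcmFor, sealCredential and openCredential are assumptions for this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// perServiceKeys stands in for what Vault would hold: one 256-bit key per
// integration (hypothetical in-memory map; keys are generated for this demo).
var perServiceKeys = map[string][]byte{}

// gcmFor returns AES-256-GCM keyed for one service, generating the key on first use.
func gcmFor(service string) cipher.AEAD {
	key, ok := perServiceKeys[service]
	if !ok {
		key = make([]byte, 32) // 32 bytes = AES-256
		rand.Read(key)         // never returns an error as of Go 1.24
		perServiceKeys[service] = key
	}
	block, _ := aes.NewCipher(key) // a 32-byte key is always accepted
	gcm, _ := cipher.NewGCM(block) // AES block size is always valid for GCM
	return gcm
}

// sealCredential encrypts a credential under its service's key. The service name
// is bound in as additional authenticated data, so a blob copied into another
// service's record fails authentication instead of decrypting for the wrong owner.
func sealCredential(service string, cred []byte) []byte {
	gcm := gcmFor(service)
	nonce := make([]byte, gcm.NonceSize()) // fresh random nonce per record
	rand.Read(nonce)
	return gcm.Seal(nonce, nonce, cred, []byte(service)) // nonce || ciphertext+tag
}

// openCredential reverses sealCredential; a wrong key or tampering is an error.
func openCredential(service string, blob []byte) ([]byte, error) {
	gcm := gcmFor(service)
	if len(blob) < gcm.NonceSize() {
		return nil, fmt.Errorf("stored blob is too short")
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, []byte(service))
}

func main() {
	blob := sealCredential("github", []byte("constructed-sample-token"))
	_, err := openCredential("zendesk", blob) // other service's key: rejected
	fmt.Println("cross-service decrypt rejected:", err != nil)
}
```

A compromise of one service's key therefore exposes only that service's credentials, which is the isolation property the per-service keys buy.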

Role-based access controls

We provide a role-based administration system for user accounts. There are four roles: owners, admins, organization view-only users and dashboard view-only users, each with different permissions.

Dashboard URL security

Dashboard URLs contain an unguessable hash, so a publicly shared dashboard is virtually impossible to reach without explicit knowledge of the dashboard link.

Private dashboards

Dashboards can be kept private and shared with only a specific set of people using the Share feature.

IP restrictions

Access to dashboards can be restricted to specific networks and devices using the Allowed device IP addresses feature.

Using Geckoboard from behind firewalls

Geckoboard is a cloud-based SaaS service designed to work out of the box from behind firewalls and proxies. So, your existing security is left entirely intact.

If you're using integrations or polling widgets that require access to protected resources within your network, you can add Geckoboard's outbound IP addresses to your firewall's allow list.

Maintaining security

Employee access and security

Geckoboard employees do not have physical access to our AWS servers. Geckoboard employees are only granted access to systems and data based on their role in the company or on an as-needed basis.

No customer data is stored on employee laptops, and we enforce full-disk encryption and automatic log-out after a fixed period of inactivity.

Our QA approach

We adhere to industry best practices when developing applications for Geckoboard. All changes made to our applications and infrastructure are peer-reviewed by a separate staff member, and the changes are recorded in an audit log.

We have a designated team that keeps our software and its dependencies up to date, closing known security vulnerabilities as fixes are released. We employ a wide range of monitoring solutions to detect and stop attacks on the site.

Report a security vulnerability

We welcome reports from security researchers and experts about possible security vulnerabilities with our service.

When a potential security vulnerability is reported, it is handled with the highest priority until adequately addressed. You can find our responsible disclosure policy and submit a vulnerability report here.

Third-party pen tests

In addition to our internal testing and Bug Bounty Program, Geckoboard employs third-party security experts to perform detailed penetration tests on the Geckoboard application each year.

Business continuity

Business continuity program

Geckoboard's Business Continuity Program ensures resiliency, recoverability, and contingency from significant business disruption, such as local or regional events like natural disasters, fires, power outages, acts of malice, and technical or infrastructure disruption. Business Continuity focuses on ensuring that Geckoboard's critical business functions and technologies either continue to operate despite a significant disruption that might otherwise have caused an interruption, or are recovered to an operational state within a reasonably short period.

Environmental disruptions

AWS's business continuity management plan ensures resiliency, recoverability, and contingency from significant business disruption, such as local or regional events like natural disasters, fires, power outages, acts of malice, and technical or infrastructure disruption.

Data redundancy and backups

We ensure that all customer account and dashboard data is regularly backed up. Access to these backups is tightly controlled and audited.

Your Privacy

Privacy policy

Your privacy is of paramount importance to us. Our Privacy Policy outlines specific details about how we safeguard information.

Personal data and information

Your personal data and information are entirely private and secure on Geckoboard.

We have tight security policies and controls regarding customer data access. In addition, everyone in the company is aware of their responsibilities regarding personal data in the context of GDPR.

Geckoboard and GDPR

At Geckoboard, we fulfil our obligations and maintain transparency in customer messaging and data usage.
