Geckoboard Security

We know your metrics are extremely important to you and your business. Our team works continuously to protect the privacy, security and integrity of your account and data. The security of your information is required for our success as a business and we take steps every day to provide a secure Geckoboard experience for you.

Physical Security

We ensure that the machines within the Geckoboard infrastructure are protected from the ground up. We use Amazon Web Services (AWS) for our hosting. AWS is an industry leader and provides a highly scalable cloud computing platform with end-to-end security and privacy features built in.

Access to these data centers is strictly controlled and monitored using a variety of physical controls, intrusion detection systems, environmental security measures, 24 x 7 on-site security staff, biometric scanning, multi-factor authentications, video surveillance and other electronic means. All physical and electronic access to data centers by Amazon employees is authorized strictly on a least privileged basis and is logged and audited routinely.

AWS maintains an extensive list of reports, certifications and independent assessments — including ISO 9001, PCI DSS Level 1, SOC 1, SOC 2, SOC 3 and the EU Data Protection Directive (Directive 95/46/EC), among others — covering ongoing data center security. They've devoted an entire portion of their site to explaining their security measures and compliance certifications, which you can find here: https://aws.amazon.com/security/ and here: https://aws.amazon.com/compliance/

Geckoboard employees do not have physical access to our servers in AWS. Electronic access to AWS servers and services is restricted to a core set of approved Geckoboard staff only.

Data Security

Passwords

All passwords for Geckoboard accounts are filtered from our logs and are stored in the database only as one-way, salted bcrypt hashes. Login information is always sent over HTTPS (see “Communications Security”).

Nobody on the Geckoboard team can view your account password. If you lose your password, you will need to go through our password reset procedure, which will email you a link to choose a new password.

Credentials for Third-Party Services

When you connect Geckoboard to a third party service we store credentials that allow us to fetch data from that service. We use these credentials to continuously update your dashboards with the latest information available. If the third party service allows us to choose how much of your data we can access, we will always request the minimum amount of data necessary to configure widgets and update your dashboards.

We encrypt credentials for these services with the AES-GCM cipher before storing them in our database, and we use a different 256-bit encryption key for each service.

Usage of these encryption keys is controlled by a tool called Vault (developed by HashiCorp) that we run within our infrastructure. Vault acts as a gatekeeper, ensuring that only specific applications within our system are allowed to access your data. Vault has been audited several times by independent security experts, and we closely monitor announcements from HashiCorp to ensure we’re always running the most secure version of Vault. See “Application, Systems and Software Security” for more details.
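The following is an added example, not Geckoboard's or HashiCorp's code, showing the storage pattern described above: each third-party service gets its own 256-bit key, and credentials are sealed with AES-GCM so that any tampering with the stored blob, or an attempt to decrypt it under another service's key, is detected. The `KeyProvider` interface and its in-memory implementation are hypothetical stand-ins for a secrets manager such as Vault; binding the service name as additional authenticated data is an added design choice, not something the page describes.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// KeyProvider is a hypothetical stand-in for a secrets manager such as
// Vault: it returns a distinct 256-bit key for each third-party service.
type KeyProvider interface {
	Key(service string) ([]byte, error)
}

// memKeyProvider is a constructed in-memory provider for the example only.
type memKeyProvider struct{ keys map[string][]byte }

// newMemKeyProvider generates a fresh random AES-256 key per service name.
func newMemKeyProvider(services ...string) (*memKeyProvider, error) {
	p := &memKeyProvider{keys: make(map[string][]byte)}
	for _, s := range services {
		k := make([]byte, 32) // 32 bytes = 256-bit AES key
		if _, err := io.ReadFull(rand.Reader, k); err != nil {
			return nil, err
		}
		p.keys[s] = k
	}
	return p, nil
}

func (p *memKeyProvider) Key(service string) ([]byte, error) {
	k, ok := p.keys[service]
	if !ok {
		return nil, fmt.Errorf("no key provisioned for service %q", service)
	}
	return k, nil
}

// gcmFor builds an AES-GCM AEAD from the service's key.
func gcmFor(kp KeyProvider, service string) (cipher.AEAD, error) {
	key, err := kp.Key(service)
	if err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SealCredential encrypts a credential with AES-256-GCM under the key for
// service. The service name is bound as additional authenticated data (an
// added design choice), so a blob stored under one service's record cannot
// be opened as another's. Returned layout: nonce || ciphertext || tag.
func SealCredential(kp KeyProvider, service string, credential []byte) ([]byte, error) {
	gcm, err := gcmFor(kp, service)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize()) // fresh random nonce per encryption
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	// Seal appends ciphertext+tag after the nonce, giving nonce || ct || tag.
	return gcm.Seal(nonce, nonce, credential, []byte(service)), nil
}

// OpenCredential reverses SealCredential. Any change to the blob, or a
// mismatch in key or service name, makes the GCM tag check fail.
func OpenCredential(kp KeyProvider, service string, sealed []byte) ([]byte, error) {
	gcm, err := gcmFor(kp, service)
	if err != nil {
		return nil, err
	}
	ns := gcm.NonceSize()
	if len(sealed) < ns+gcm.Overhead() {
		return nil, errors.New("sealed credential blob is too short")
	}
	pt, err := gcm.Open(nil, sealed[:ns], sealed[ns:], []byte(service))
	if err != nil {
		return nil, fmt.Errorf("open %s credential: %w", service, err)
	}
	return pt, nil
}

func main() {
	kp, err := newMemKeyProvider("analytics-api", "crm-api")
	if err != nil {
		panic(err)
	}
	// Constructed sample credential; a real one would be an API token.
	sealed, _ := SealCredential(kp, "analytics-api", []byte("sample-api-token"))
	fmt.Printf("stored blob is %d bytes and contains no plaintext\n", len(sealed))
	if pt, err := OpenCredential(kp, "analytics-api", sealed); err == nil {
		fmt.Printf("decrypted with the right service key: %s\n", pt)
	}
	if _, err := OpenCredential(kp, "crm-api", sealed); err != nil {
		fmt.Println("other service's key rejected:", err)
	}
	sealed[len(sealed)-1] ^= 0x01 // flip one bit of the authentication tag
	if _, err := OpenCredential(kp, "analytics-api", sealed); err != nil {
		fmt.Println("tampered blob rejected:", err)
	}
}
```

Because each service has its own key, compromise or rotation of one key affects only that service's stored credentials, and the GCM tag means the database cannot silently hand back a modified credential.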

Data Redundancy and Backups

We ensure that all customer account and dashboard data is regularly backed up. Access to these backups is tightly controlled and audited.

Network Security

All servers and databases are firewalled to permit the minimum traffic necessary to run the service. Access to administration tooling used by Geckoboard staff requires authentication, and is only accessible from a restricted set of IP addresses.

Application, Systems and Software Security

We adhere to industry best practices when developing applications for Geckoboard. All changes made to our applications and infrastructure are peer reviewed by a separate member of staff, and the changes are recorded in an audit log.

We have a designated team that keeps our software and its dependencies up to date to eliminate potential security vulnerabilities. We employ a wide range of monitoring solutions for preventing and stopping attacks on the site.

Communications Security

All communication between your computer and Geckoboard is encrypted using HTTPS (256-bit TLS). This is the same level of encryption used by banks and financial institutions, and is designed to prevent third parties from seeing sensitive information you are sending to or receiving from Geckoboard.

We also use HTTPS when fetching your data from third party services.

There are three exceptions where we cannot use HTTPS:

* You specify a URL that does not use HTTPS for a polling widget
* You use an integration with an API that does not support HTTPS
* You use a custom domain to access your Geckoboard account
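As an added example (not Geckoboard's code), the fetcher below shows how a service that pulls data from third parties can enforce the policy above: TLS 1.2 or later for every HTTPS connection, and plain http:// refused unless the caller explicitly opts in, which models the polling-widget exception where the user supplied a non-HTTPS URL. The `Demo` function and its two in-process servers are constructed so the behaviour can be observed offline; the function and type names are the example's own.

```go
package main

import (
	"crypto/tls"
	"errors"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"net/url"
	"time"
)

// ErrPlaintextURL is returned when a fetch would have to leave HTTPS.
var ErrPlaintextURL = errors.New("plaintext http:// URL refused; HTTPS required")

// NewFetcher wraps an HTTP transport so TLS connections never negotiate
// below TLS 1.2. Passing nil uses a fresh default transport; the demo passes
// one that trusts an in-process test certificate.
func NewFetcher(tr *http.Transport) *http.Client {
	if tr == nil {
		tr = &http.Transport{}
	}
	if tr.TLSClientConfig == nil {
		tr.TLSClientConfig = &tls.Config{}
	}
	tr.TLSClientConfig.MinVersion = tls.VersionTLS12
	return &http.Client{Transport: tr, Timeout: 10 * time.Second}
}

// Fetch retrieves rawURL. An http:// URL is refused unless allowPlaintext is
// set, so an unencrypted hop is an explicit, recorded decision rather than a
// silent downgrade.
func Fetch(client *http.Client, rawURL string, allowPlaintext bool) ([]byte, error) {
	u, err := url.Parse(rawURL)
	if err != nil {
		return nil, err
	}
	switch u.Scheme {
	case "https":
	case "http":
		if !allowPlaintext {
			return nil, ErrPlaintextURL
		}
	default:
		return nil, fmt.Errorf("unsupported URL scheme %q", u.Scheme)
	}
	resp, err := client.Get(u.String())
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return nil, fmt.Errorf("unexpected status %s", resp.Status)
	}
	// Cap the body so a misbehaving endpoint cannot exhaust memory.
	return io.ReadAll(io.LimitReader(resp.Body, 1<<20))
}

// DemoResult records what Demo observed.
type DemoResult struct {
	HTTPSBody       string // body fetched over TLS
	PlaintextDenied bool   // http:// refused without opt-in
	OptInBody       string // body fetched over http:// after explicit opt-in
}

// Demo runs Fetch against an HTTPS and a plaintext server, both started
// in-process (constructed for the example) so nothing leaves the machine.
func Demo() (DemoResult, error) {
	var res DemoResult
	handler := http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
		fmt.Fprint(w, `{"value":42}`)
	})
	tlsSrv := httptest.NewTLSServer(handler)
	defer tlsSrv.Close()
	plainSrv := httptest.NewServer(handler)
	defer plainSrv.Close()

	// The test server's transport already trusts its self-signed certificate.
	client := NewFetcher(tlsSrv.Client().Transport.(*http.Transport))

	body, err := Fetch(client, tlsSrv.URL, false)
	if err != nil {
		return res, err
	}
	res.HTTPSBody = string(body)

	_, err = Fetch(client, plainSrv.URL, false)
	res.PlaintextDenied = errors.Is(err, ErrPlaintextURL)

	body, err = Fetch(client, plainSrv.URL, true)
	if err != nil {
		return res, err
	}
	res.OptInBody = string(body)
	return res, nil
}

func main() {
	res, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", res)
}
```

Keeping the opt-in as a per-widget flag, rather than a global setting, keeps the exception scoped to the one URL the user chose and makes it easy to report which dashboards are fed over an unencrypted connection.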

Security and Privacy Features Available in Geckoboard

The highest security risk to any system is usually the behavior of its users. We provide you with the tools you need to protect your own data. These Geckoboard features have been designed keeping in mind stringent, enterprise-level security requirements.

User and Admin Account Security

We provide a role-based administration system for user accounts. There are two roles, read-only user and admin, each with different permissions. More details on read-only user and admin accounts.

Dashboard URL Security

Dashboard URLs are generated from a cryptographic hash and are not practically guessable. Thus, access to even publicly shared dashboards is virtually impossible without explicit access to the sharing URL.

Private Dashboards

Dashboards can be kept private and shared with only a specific set of people using the read-only user and admin accounts feature.

Restrict Dashboard access by IP

Access to dashboards can be restricted to specific networks and devices. Details on using this feature can be found here.

Using Geckoboard from behind firewalls

Geckoboard is a cloud-based SaaS service designed to work out of the box from behind firewalls and proxies, so your existing network security controls remain in place.

If you are using integrations, or polling widgets that require access to protected resources within your network, please whitelist Geckoboard's outbound IP addresses.

Employee Access and Security

We regard your business metrics as private and confidential to your team.

Our production environment is completely separate from the other environments — including development and QA. AWS provides sophisticated Identity and Access Management (IAM) to control access to its resources. We disable root logins on all our servers, and require all staff managing servers to use SSH keys.

Geckoboard employees are granted access to systems and data based on their role in the company or on an as-needed basis.

Access to customer data by Geckoboard employees is only used to assist with support and to resolve customer issues. For such cases, we will get your explicit consent each time. Violation of this policy is a serious matter requiring investigation and appropriate disciplinary action up to and including termination, as well as legal action.

When working on a support issue we do our best to respect your privacy as much as possible and only access the minimum data needed to resolve your issue.

Maintaining Security

Geckoboard adheres to industry best practices for design and development. We always thoroughly test new features in order to rule out potential attacks such as CSRF, XSS and SQL injection, among others.

We constantly improve our security policies as the threat landscape changes. We subscribe to all relevant security bulletins so that we can promptly address any security issues in the software we use.

Credit Card Security

When you purchase a paid Geckoboard subscription, your credit card data is not transmitted through nor stored on our systems. All of Geckoboard’s credit card processing is handled securely by Recurly — a company dedicated to this task.

Recurly is certified to PCI Service Provider Level 1 — the most stringent level of certification available. You can read more about their privacy and security policies here: https://recurly.com/legal/privacy and here: https://recurly.com/security/

Privacy Policy

Your privacy is of paramount importance to us. Our Privacy Policy outlines specific details about how we safeguard information.

Need to report a security vulnerability?

When a potential security vulnerability is reported, it is handled with the highest priority until properly addressed. You can find our responsible disclosure policy and submit a vulnerability report here.
