Gigya is certified to ISO 27001 and ISO 27018, holds a SOC 2 attestation and is registered with IQNet. Gigya invests considerable resources in safeguarding the assets our customers entrust to us, applying industry best practices and keeping our identity-management information security management system and security practices aligned with the latest and most stringent policies and regulations.
Gigya has published a very detailed Self-Assessment Report to the Cloud Security Alliance STAR program in order to allow our customers to review our compliance with current security and privacy best practices.
Physical security of our US data center is provided by an Equinix IBX facility covered by an SSAE 16 audit, and equivalent controls are stringently enforced in our Australian and European data centers. All data centers provide multiple physical security layers, including armed guards, advanced intrusion detection technology and strict access-permission procedures.
App Development Security
Security considerations play an integral role in every step of the product development process. During product specification, technical design, development and testing, security controls are specified, implemented, tested and refined. Gigya uses the OWASP Top 10 list as a high-level security guideline during development.
OWASP guidelines can be found here: https://www.owasp.org/index.php/Main_Page
Security At Rest
Gigya implements measures certified against ISO 27018:2014 to protect Personally Identifiable Information (PII): all PII and other sensitive data is transparently encrypted at rest by default using AES-256. Passwords are never stored in the clear; they are hashed with PBKDF2, the password-based key derivation function recommended by NIST (SP 800-132). To further protect access to the data, Gigya authenticates its requests with an HMAC-SHA1 message authentication code and requires customers calling the APIs to sign their requests to Gigya servers with the same algorithm. Because HMAC uses a shared symmetric secret, the signing key must stay on the customer's servers and never be embedded in browser or mobile code. Alternatively, Gigya offers API access that is fully OAuth 2.0-compliant.
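To illustrate the password-storage property described above (a salted, iterated PBKDF2 hash with constant-time verification and a migration path when the work factor is raised), here is an added example. It is not Gigya's code and does not reflect Gigya's internal parameters; the iteration count, salt length and the `pbkdf2_sha256$iterations$salt$hash` storage format are assumptions chosen for the example.

```python
import base64
import binascii
import hashlib
import hmac
import os
from typing import Optional

# Assumed work factor for the example; PBKDF2-HMAC-SHA256 with this many
# iterations is in line with current OWASP guidance. Not Gigya's setting.
ITERATIONS = 600_000
SALT_BYTES = 16
DERIVED_KEY_BYTES = 32
SCHEME = "pbkdf2_sha256"


def hash_password(password: str, iterations: int = ITERATIONS,
                  salt: Optional[bytes] = None) -> str:
    """Return a self-describing hash string: scheme$iterations$salt$key.

    A fresh random salt per password ensures two users with the same
    password get different hashes and defeats precomputed tables.
    """
    salt = os.urandom(SALT_BYTES) if salt is None else salt
    derived = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                  salt, iterations, dklen=DERIVED_KEY_BYTES)
    return "$".join([
        SCHEME,
        str(iterations),
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(derived).decode("ascii"),
    ])


def verify_password(password: str, stored: str) -> bool:
    """Recompute PBKDF2 with the stored salt/iterations and compare in
    constant time. Malformed records are rejected rather than raising."""
    try:
        scheme, iters, salt_b64, key_b64 = stored.split("$")
        if scheme != SCHEME:
            return False
        iterations = int(iters)
        salt = base64.b64decode(salt_b64, validate=True)
        expected = base64.b64decode(key_b64, validate=True)
    except (ValueError, binascii.Error):
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    salt, iterations, dklen=len(expected))
    # compare_digest avoids leaking the position of the first mismatch.
    return hmac.compare_digest(candidate, expected)


def needs_rehash(stored: str, iterations: int = ITERATIONS) -> bool:
    """True when a stored hash uses a weaker work factor than the current
    policy, so it can be upgraded transparently at the next successful login."""
    try:
        scheme, iters, _salt, _key = stored.split("$")
        return scheme != SCHEME or int(iters) < iterations
    except ValueError:
        return True


if __name__ == "__main__":
    # Constructed sample password for the demo; not real credentials.
    record = hash_password("correct horse battery staple")
    print(record)
    print("verify ok:", verify_password("correct horse battery staple", record))
    print("wrong pw :", verify_password("Tr0ub4dor&3", record))
```

On successful login, a caller checks `needs_rehash` and, if true, re-stores `hash_password(password)` so the user base migrates to the stronger parameters without a forced reset.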
Access to information via Gigya's Administration Console is further protected by two-factor authentication and a role-based permissions model, giving site administrators granular control over what individual system users can see and do.
Security In Motion
Gigya uses TLS for all transfers of sensitive data to and from its servers. In addition, REST API calls that perform critical operations, such as deleting users, are only accepted as signed server-to-server requests, so the signing secret is never exposed to end-user devices.
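The signed-request mechanism referred to in both "Security At Rest" and "Security In Motion" can be illustrated with an added example, written for this page and not taken from Gigya's SDKs. It shows the two halves a practitioner needs: the client computes an HMAC-SHA1 over a canonical form of the request, and the server recomputes it in constant time and also rejects requests whose timestamp is outside a replay window. The canonical base string (method, URL and sorted parameters, each percent-encoded) and the `timestamp` parameter name are assumptions for this example, not Gigya's documented format; the shared secret is a constructed placeholder.

```python
import base64
import hashlib
import hmac
import time
from urllib.parse import quote

# Constructed placeholder secret for the example only. In a real deployment
# this lives in the customer's backend configuration and never in a client.
SECRET_KEY = b"example-shared-secret-not-for-production"

# Assumed replay window: requests whose timestamp is further than this from
# the server clock are refused even if the MAC is valid.
MAX_CLOCK_SKEW_SECONDS = 180


def _canonical_base_string(method: str, url: str, params: dict) -> str:
    """Serialize the request so client and server hash identical bytes.

    Parameters are sorted by name and percent-encoded; the whole encoded
    query is then encoded once more when joined with method and URL, which
    keeps '&' and '=' inside values from being confused with separators.
    """
    encoded_params = "&".join(
        f"{quote(str(k), safe='')}={quote(str(v), safe='')}"
        for k, v in sorted(params.items())
    )
    return "&".join([method.upper(), quote(url, safe=""),
                     quote(encoded_params, safe="")])


def sign_request(method: str, url: str, params: dict,
                 secret: bytes = SECRET_KEY) -> str:
    """Client side: return the base64 HMAC-SHA1 over the canonical request."""
    base = _canonical_base_string(method, url, params)
    mac = hmac.new(secret, base.encode("utf-8"), hashlib.sha1).digest()
    return base64.b64encode(mac).decode("ascii")


def verify_request(method: str, url: str, params: dict, signature: str,
                   secret: bytes = SECRET_KEY, now: float = None) -> bool:
    """Server side: check freshness first, then the MAC in constant time.

    Any tampering with method, URL or a parameter changes the base string
    and therefore the expected MAC; an old capture fails the skew check.
    """
    now = time.time() if now is None else now
    try:
        timestamp = int(params["timestamp"])
    except (KeyError, TypeError, ValueError):
        return False
    if abs(now - timestamp) > MAX_CLOCK_SKEW_SECONDS:
        return False
    expected = sign_request(method, url, params, secret)
    return hmac.compare_digest(expected, signature)


if __name__ == "__main__":
    # Constructed sample call: a critical operation sent server-to-server.
    url = "https://api.example.invalid/accounts.deleteAccount"
    params = {"apiKey": "demo-api-key", "UID": "user-0001",
              "timestamp": str(int(time.time())), "nonce": "c0ffee"}
    sig = sign_request("POST", url, params)
    print("signature:", sig)
    print("valid     :", verify_request("POST", url, params, sig))
    forged = dict(params, UID="user-0002")
    print("tampered  :", verify_request("POST", url, forged, sig))
```

Two points the example makes that the prose does not: the MAC only binds what is in the canonical string, so anything the server relies on (method, path, every parameter) must be included in it, and freshness has to be enforced separately because an HMAC on its own says nothing about when a request was first sent. HMAC-SHA1 remains sound as a MAC despite SHA-1 collision attacks, but new designs should use HMAC-SHA256, which is a one-token change in `sign_request`.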