ContentsWhere is my data stored?What infrastructure do you run on?Can Gather employees access my data?How are passwords stored?Is data encrypted in transit between networks?How is security thought about at Gather?Do you provide 2-factor authentication?PCI DSSDo you have a contact for security?
Noticed an error?Let us know
2 min read
We understand that by using Gather, you're trusting us with your most important asset: your customer data. The safety and security of that data is our highest priority as a company. Enforcing strict security is a multi-layered problem and we make the utmost effort to ensure best practices at every level.
Your customer data stored in Gather can come from two places: your internal systems via your use of our API or from integrations. We store this data in the same database to provide filterable, sortable, and searchable views that aggregate data from multiple sources. Data for customers on our standard tier is stored in a multi-tenant database. For our enterprise customers, data can can be stored in a managed database, isolated from other customers. On-prem deployments can also be supported.
We store credentials for the integrations you enable, but these are encrypted at-rest using regularly rotated keys stored in Google KMS. We also store metadata for any actions run within Gather, but here we only store the ID of the entity that the action was run for (for example, a customer ID).
Data is further encrypted at disc-level by Google Cloud Platform.
We run entirely on Google Cloud Platform. Our servers are run within a secure VPC with only the necessary hosts/ports exposed to the internet.
No. Only members of your team are able to access your customer data. Our employees are not given
shell access to any of our servers and all data access requires access to your encrypted database credentials. Our IAM permissions are such that it's not possible for Gather employees to access or decrypt these credentials.
Our user authentication system uses BCrypt to hash and salt user passwords. We enforce strong password policies for all users in the product. This helps ensure safety for all our users who would otherwise put themselves at unnecessary risk.
Yes. All traffic from your browser, to our servers, and to our database are all encrypted using 256-bit AES Transport Level Security (TLS). Non-encrypted access to our API or database is not allowed. SSL certificates are issued and managed with Lets Encrypt.
Security is built into our day-to-day development practices. We maintain high awareness of potential security issues through rigorous code review, automated and manual testing, and scheduled penetration testing.
We are building this now and will be releasing this feature soon.
Our payments provider Stripe has been audited by an independent PCI Qualified Security Assessor and is certified as a PCI Level 1 Service Provider.
Yes, please email firstname.lastname@example.org with any concerns, questions, or reports related to security.