
Your information is safe with Gpass

Gpass is from SplashData, a company that has a well-established track record of delivering password management and security solutions to millions of individual and business customers since 2000.

Read the Gpass security whitepaper

Gpass Statement on Security

Our infrastructure and security team includes people who’ve played lead roles in designing, building, and operating highly secure Internet-facing systems.

We work closely with the best partners we can find — like Amazon for hosting and Stripe for payments — that focus exclusively on maintaining leadership in their particular areas of security expertise.

Most importantly, we respect your privacy and the security of your records. Everything we do at Gpass is built around that respect and designed to maintain your privacy and security. We would never do anything with your data that we wouldn’t be proud to tell the world about.

As you continue to learn more about Gpass, we recommend you also review our Terms of Use and Privacy Policy.

Infrastructure
• With Gpass, you choose how your data is hosted. You can host Gpass yourself on premises, or you can use our hosted services, which run on cloud servers managed by Rackspace, whom we believe to be the best in the business at managing secure cloud services. Gpass does not run its own routers, load balancers, DNS servers, or physical servers.
• All our hosted services and data are managed in Rackspace facilities in the USA. Our hosted services have been built with disaster recovery in mind.
• All Gpass hosted servers are within a virtual private cloud (VPC) with network access control lists (ACLs), firewalls, and an Intrusion Detection System (IDS) that together help prevent any unauthorized requests.

Service Levels
For our Gpass hosted services, we have uptime of 99.9% or higher. You can check our past statistics at: http://status.gpass.io

Data Security
• All customer data is stored in the USA.
• Customer data is stored in multi-tenant datastores; we do not have individual datastores for each customer. All data is stored using 256-bit AES encryption with multiple keys. We maintain strict privacy controls in our application code to ensure data privacy. We have regular unit and integration tests to ensure these privacy controls work as expected.

Data Transfer
• Our API and application endpoints are TLS/SSL only and score an “A” rating on SSL Labs’ tests. This means we only use strong cipher suites and have features such as HSTS and Perfect Forward Secrecy fully enabled.

Authentication
• Gpass is served 100% over HTTPS and authenticated using your Google account.
• Being on the Gpass network grants no access to corporate resources and no additional privileges.
• We maintain and enforce strong password policies.

Application Monitoring
• On an application level, we produce audit logs for all activity.
• All access to Gpass applications is logged and audited.
• All actions taken on production consoles or in the Gpass application are logged.

Build Process Automation
• We have automation in place so that we can safely and reliably roll out changes to both our application and operating platform within minutes.
• We typically deploy code to the production environment multiple times a week.

Security Audits
• We engage with well-regarded “white hats” and independent services to audit our code base and work with us to resolve potential issues.
• Our ongoing auditing process allows us to do ad-hoc security analysis, track changes made to our setup and audit access to every layer of our stack.

Compliance
• Gpass complies with the U.S.-E.U. Safe Harbor Framework and the U.S.-Swiss Safe Harbor Framework as set forth by the U.S. Department of Commerce regarding the collection, use and retention of personal data from European Union member countries and Switzerland.
• Gpass has certified that it adheres to the Safe Harbor Privacy Principles of notice, choice, onward transfer, security, data integrity, access, and enforcement.

PCI Obligations
Gpass is not subject to PCI, as all payment instrument processing is performed by Stripe, a trusted partner that focuses exclusively on secure payment processing.