DATA PRIVACY AND SECURITY
Serious about your security? We are too
- Our responsibility to protect the data of our customers is a heavy one, and we take it seriously. When you entrust your spend data to Ignite, you can be assured of our commitment to safeguarding your information and meeting the highest levels of security.
Ignite complies with GDPR standards and regulations that help to protect data and give customers peace of mind.
Data security is our top priority. We take every step to ensure that information security is maintained not just by safeguarding infrastructure and product, but also by performing threat-mitigation activities and penetration tests. By protecting your data, we're safeguarding our business, so you can trust us to protect your interests.
Our server and data permissions are managed through IAM solutions to ensure only authorized users can access the different data objects throughout the spend management software.
Hosting and server information
With Ignite, your data is always safe and processed by cloud providers that are secure and dependable.
Data storage at rest encryption (AES-256), data transit via TLS
- Our data in databases is encrypted using the 256-bit Advanced Encryption Standard (AES-256). These data keys are themselves encrypted using a key stored in a secure keystore, and changed regularly.
- All communication should be encrypted, not only for server-to-client communication but also from server-to server inside a data center. Therefore, for all relevant services, TLS connections are enforced with certificates generated from “Let’s Encrypt”.
Threat detection and protection
Threat Detection: both host and network based Intrusion Detection System (IDS) that scans for viruses, malware, vulnerabilities etc on all our static assets (generated and uploaded) on several levels and provides threat detection for intrusions, malware, spyware, and command-and-control attacks on our network. Our IDS works by creating a peered network . Traffic in the peered network is mirrored, and then inspected by threat protection technologies to provide advanced threat detection.
In addition, Ignite secures and ensures the reliability of our external-facing resources including websites, APIs, and applications. Our CDN service provides DDoS protection, rate limiting, API protection and Web Application Firewall (WAF) to protect and secure Internet properties against denial-of service attacks, customer data breaches, and abusive bots.
Key and secret management
Platform secrets such as API Access Keys and encryption secrets are stored in two different places. API access keys are stored as environment variables on the server where the access is strictly controlled by IAM and in encrypted files in a private repository using Blackbox. In addition, the application secrets are managed by Secret Manager which provides a central place and single source of truth to manage, access, and audit secrets.
The platform uses a password stretching mechanism recommended by NIST to hash passwords before they are stored in the database. This means that the real passwords are never stored on the platform and is only validated against the hash every time a user signs into the platform.
JSON web tokens and invalidation procedures
In order to access the platform through a web browser, the user needs a valid JSON Web Token. JSON Web Token (JWT) is an open standard (RFC 7519) that defines a compact and self-contained way for securely transmitting information between parties as a JSON object. This information can be verified and trusted because it is digitally signed by a secret key stored.
The tokens have a short expiry so that if a user does not interact with the platform within a certain amount of time, they will have to sign in again.
Ignite ́s Single Sign-On (SSO) implementation prioritizes security. We aggressively monitor linked accounts and disable them with any reasonable sign that the account’s access has been revoked. SSO also improves user experience by streamlining login and improving access from trusted domains. Ignite currently offers SSO via Azure AD.
You can feel confident that your data with us is secure and confidential. Our SOC 2 compliance certification guarantees this, and we go the extra mile to show that you can trust us.