Serious about your security? We are too

General information

Data security is our top priority. We take every step to ensure that information security is maintained not just by safeguarding infrastructure and product, but also by performing threat-mitigation activities and penetration tests. By protecting your data, we're safeguarding our business, so you can trust us to protect your interests.

User permissions

Our server and data permissions are managed through IAM solutions to ensure only authorized users can access the different data objects throughout the spend management software.

Hosting and server information

With Ignite, your data is always safe and processed by cloud providers that are secure and dependable.

Data storage at rest encryption (AES-256), data transit via TLS

• Our data in databases is encrypted using the 256-bit Advanced Encryption Standard (AES-256). These data keys are themselves encrypted using a key stored in a secure keystore, and changed regularly.
• All communication should be encrypted, not only for server-to-client communication but also from server-to server inside a data center. Therefore, for all relevant services, TLS connections are enforced with certificates generated from “Let’s Encrypt”.

Threat detection and protection

Threat Detection: both host and network based Intrusion Detection System (IDS) that scans for viruses, malware, vulnerabilities etc on all our static assets (generated and uploaded) on several levels and provides threat detection for intrusions, malware, spyware, and command-and-control attacks on our network. Our IDS works by creating a peered network . Traffic in the peered network is mirrored, and then inspected by threat protection technologies to provide advanced threat detection.

In addition, Ignite secures and ensures the reliability of our external-facing resources including websites, APIs, and applications. Our CDN service provides DDoS protection, rate limiting, API protection and Web Application Firewall (WAF) to protect and secure Internet properties against denial-of service attacks, customer data breaches, and abusive bots.

Key and secret management

Platform secrets such as API Access Keys and encryption secrets are stored in two different places. API access keys are stored as environment variables on the server where the access is strictly controlled by IAM and in encrypted files in a private repository using Blackbox. In addition, the application secrets are managed by Secret Manager which provides a central place and single source of truth to manage, access, and audit secrets.

The platform uses a password stretching mechanism recommended by NIST to hash passwords before they are stored in the database. This means that the real passwords are never stored on the platform and is only validated against the hash every time a user signs into the platform.

JSON web tokens and invalidation procedures

In order to access the platform through a web browser, the user needs a valid JSON Web Token. JSON Web Token (JWT) is an open standard (RFC 7519) that defines a compact and self-contained way for securely transmitting information between parties as a JSON object. This information can be verified and trusted because it is digitally signed by a secret key stored.

The tokens have a short expiry so that if a user does not interact with the platform within a certain amount of time, they will have to sign in again.

Single sign-on

Ignite ́s Single Sign-On (SSO) implementation prioritizes security. We aggressively monitor linked accounts and disable them with any reasonable sign that the account’s access has been revoked. SSO also improves user experience by streamlining login and improving access from trusted domains. Ignite currently offers SSO via Azure AD.