The security of our platform and its users is of paramount importance to us. Learn more about the security measures we use and standards we follow.
From the moment you connect to a gateway (a dedicated cloud VPN server) in your preferred location, all data sent and received travels through an encrypted tunnel and cannot be read on the path. We are aware that gateways are one of the most important parts of GoodAccess, so we put significant effort into protecting them. Gateway access is protected against brute-force attacks, including dictionary attacks and credential stuffing, which could otherwise lead to leakage of sensitive data or a malfunction of the server. In addition, only certificate-based authentication is accepted.
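As an added illustration that is not GoodAccess's own code, here is one way such brute-force protection can be implemented at the log layer: a sliding-window count of failed authentications per source IP over a constructed gateway log (the log format, field names, thresholds and IP addresses are assumptions for the example). Reporting the number of distinct user names tried from one address also separates a dictionary attack against one account from a credential-stuffing run across many.

```python
"""Sliding-window brute-force detector over gateway authentication logs.

Added illustration, not GoodAccess code. The log format, field names,
thresholds and addresses below are assumptions chosen for the example.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed log line format:  <ISO timestamp> auth <ok|fail> src=<ip> user=<name>
LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth (?P<result>ok|fail) src=(?P<ip>\S+) user=(?P<user>\S+)$"
)

# Constructed sample: 203.0.113.7 sprays many user names (credential stuffing),
# 198.51.100.22 is a legitimate user who mistypes once and then succeeds.
SAMPLE_LOG = """\
2024-05-01T10:00:00 auth fail src=203.0.113.7 user=alice
2024-05-01T10:00:01 auth fail src=203.0.113.7 user=bob
2024-05-01T10:00:02 auth fail src=203.0.113.7 user=carol
2024-05-01T10:00:03 auth fail src=198.51.100.22 user=dave
2024-05-01T10:00:04 auth fail src=203.0.113.7 user=dave
2024-05-01T10:00:05 auth fail src=203.0.113.7 user=erin
2024-05-01T10:00:06 auth ok src=198.51.100.22 user=dave
2024-05-01T10:20:00 auth fail src=203.0.113.7 user=frank
"""


def parse_line(line):
    """Parse one log line; return (timestamp, result, ip, user) or None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return datetime.fromisoformat(m["ts"]), m["result"], m["ip"], m["user"]


def find_brute_forcers(log_text, max_failures=5, window=timedelta(minutes=10)):
    """Return {ip: {"flagged_at": iso_timestamp, "distinct_users": n}}.

    Failed authentications are counted per source IP inside a sliding window of
    length `window`; the first time an IP reaches `max_failures` failures inside
    the window it is flagged together with the number of distinct user names it
    tried in that window. Successful logins do not reset the count, so a
    stuffing run that eventually guesses right is still reported.
    """
    failures = defaultdict(deque)   # ip -> deque of (timestamp, user)
    flagged = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue                 # skip unparseable lines instead of crashing
        ts, result, ip, user = rec
        if result != "fail":
            continue
        q = failures[ip]
        q.append((ts, user))
        while q and ts - q[0][0] > window:   # drop failures older than the window
            q.popleft()
        if len(q) >= max_failures and ip not in flagged:
            flagged[ip] = {
                "flagged_at": ts.isoformat(),
                "distinct_users": len({u for _, u in q}),
            }
    return flagged


if __name__ == "__main__":
    for ip, info in find_brute_forcers(SAMPLE_LOG).items():
        print(f"block {ip}: {info['distinct_users']} user names tried, "
              f"flagged at {info['flagged_at']}")
```

The threshold and window are deliberately parameters: a gateway that only accepts certificate-based authentication will see far fewer legitimate failures than a password login, so the limit can be set much tighter. What happens to a flagged address (firewall drop, temporary lockout, alert) is a deployment decision the page does not describe, so the example stops at producing the list.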
GoodAccess gateways support the IKEv2/IPsec and OpenVPN protocols to establish an encrypted tunnel between a user's devices and the target IT resources. Both are configured to use strong (currently unbroken) ciphers and algorithms, TLS-based authentication, man-in-the-middle (MitM) protection and Perfect Forward Secrecy (PFS). WireGuard support is on our roadmap for 2022.
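What those properties look like in a concrete profile, as an added example that is not part of the original page or of GoodAccess's software: a small Python audit of two constructed OpenVPN client profiles (vpn.example.invalid is a placeholder host), which flags a legacy profile lacking control-channel authentication, server-role verification, a TLS floor and an AEAD cipher, and passes the hardened equivalent. The checks use OpenVPN's documented option names; the defaults assumed for absent options are noted in the comments.

```python
"""Audit an OpenVPN client profile for the hardening properties listed above.

Added illustration, not GoodAccess code. Both profiles are constructed for
this example (vpn.example.invalid is a placeholder); option names follow the
OpenVPN 2.4+ manual, defaults assumed for missing options are commented.
"""

STRONG_DATA_CIPHERS = {"AES-256-GCM", "AES-128-GCM", "CHACHA20-POLY1305"}
WEAK_HMACS = {"MD5", "SHA1", "NONE"}

# Constructed profile 1: a typical legacy export.
WEAK_PROFILE = """\
client
dev tun
proto udp
remote vpn.example.invalid 1194
cipher BF-CBC
auth MD5
<ca>
(placeholder certificate)
</ca>
"""

# Constructed profile 2: the same connection with the hardening applied.
HARDENED_PROFILE = """\
client
dev tun
proto udp
remote vpn.example.invalid 1194
remote-cert-tls server
verify-x509-name vpn.example.invalid name
tls-version-min 1.2
tls-cipher TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384:TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384
data-ciphers AES-256-GCM:CHACHA20-POLY1305
cipher AES-256-GCM
auth SHA256
<ca>
(placeholder certificate)
</ca>
<tls-crypt>
(placeholder key)
</tls-crypt>
"""


def parse_profile(text):
    """Return (options, inline_blocks).

    options maps each directive to a list of its argument lists (a directive
    may repeat); inline_blocks is the set of <tag> names found, whose bodies
    (certificates, keys) are skipped.
    """
    options, blocks, current = {}, set(), None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        if current:                          # inside an inline block
            if line == f"</{current}>":
                current = None
            continue
        if line.startswith("<") and line.endswith(">"):
            current = line[1:-1]
            blocks.add(current)
            continue
        parts = line.split()
        options.setdefault(parts[0], []).append(parts[1:])
    return options, blocks


def audit_profile(text):
    """Return a list of findings; an empty list means the profile passes."""
    opts, blocks = parse_profile(text)
    findings = []

    # 1. Control-channel authentication: tls-crypt (or tls-auth) lets the gateway
    #    drop unauthenticated packets before any TLS work is done.
    if not ({"tls-crypt", "tls-auth"} & (blocks | set(opts))):
        findings.append("no tls-crypt/tls-auth key: control channel is not authenticated")

    # 2. MitM protection: the gateway's certificate must carry the server role and
    #    its name must be pinned, otherwise any CA-issued client cert could pose
    #    as the gateway.
    if opts.get("remote-cert-tls", [[]])[0][:1] != ["server"]:
        findings.append("missing 'remote-cert-tls server': server role not enforced")
    if "verify-x509-name" not in opts:
        findings.append("missing verify-x509-name: gateway identity is not pinned")

    # 3. TLS floor (assumed default when absent: 1.0, as in OpenVPN 2.4/2.5).
    tlsmin = opts.get("tls-version-min", [["1.0"]])[0][0]
    if tuple(int(p) for p in tlsmin.split(".")) < (1, 2):
        findings.append(f"tls-version-min {tlsmin}: allows TLS below 1.2")

    # 4. PFS: OpenVPN negotiates ephemeral (EC)DH keys by default; a pinned
    #    tls-cipher list must not reintroduce static-RSA suites.
    for suite in opts.get("tls-cipher", [[""]])[0][0].split(":"):
        if suite and "DHE" not in suite:
            findings.append(f"tls-cipher {suite}: no ephemeral key exchange, no PFS")

    # 5. Data-channel cipher and HMAC. Releases before 2.4 fell back to BF-CBC when
    #    'cipher' was absent, and to SHA1 for 'auth'; treat absence as those defaults.
    if "data-ciphers" in opts:
        ciphers = opts["data-ciphers"][0][0].split(":")
    else:
        ciphers = [opts.get("cipher", [["BF-CBC"]])[0][0]]
    for c in ciphers:
        if c.upper() not in STRONG_DATA_CIPHERS:
            findings.append(f"cipher {c}: not an AEAD cipher on the allow-list")
    hmac = opts.get("auth", [["SHA1"]])[0][0]
    if hmac.upper() in WEAK_HMACS:
        findings.append(f"auth {hmac}: weak HMAC")
    return findings


if __name__ == "__main__":
    for name, profile in (("weak", WEAK_PROFILE), ("hardened", HARDENED_PROFILE)):
        print(name, audit_profile(profile) or "OK")
```

The audit deliberately treats a missing directive as its historical default rather than ignoring it: a profile that says nothing about the cipher or TLS floor is exactly the one that ends up on BF-CBC or TLS 1.0 when connecting to an old server. IKEv2/IPsec profiles would need an equivalent check on the IKE and ESP proposals, which this example does not cover.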
When using GoodAccess, you are assigned either the Team Member or the Admin role. Each role has its own set of authentication methods to prevent unauthorized access and misuse of sensitive data.
We believe that a service thousands of users rely on in their daily operations must be checked regularly by a second (and third) pair of eyes. GoodAccess is therefore subjected to regular penetration tests by two independent cyber security companies whose teams consist of security specialists and certified ethical hackers. Our long-term, trusted partnership with both companies allows us to run so-called white-box penetration tests, in which the tester (an ethical hacker) has full knowledge of, and access to, most of the source code; this has proven to be a very effective testing method.
The tests cover the following product parts:
As yet another way to improve the security of our products, we are constantly looking for new ways to secure servers, apps, connections and GoodAccess users. This is why we also run a bug bounty program. We appreciate everyone who contributes and helps us keep our product secure. If you find a vulnerability or security bug, please let us know at security@goodaccess.com and we will reward you with the gift cards we have prepared for this purpose.
GoodAccess is a privately held, independent company based in the Czech Republic, Europe, that follows European law.
Legal Information:
GoodAccess s.r.o.
Spitalske namesti 3517/1b
400 01 Usti nad Labem
Czech Republic, Europe
VAT ID: CZ03513386
GoodAccess is compliant with GDPR; as a company located within the EU, we are legally obliged to be. Beyond GDPR, we also follow ISO 27001 and SOC 2 best practices.
When you open an account we need to store some personal data: what is required to operate the service and meet compliance obligations, to contact you when fraudulent activity is detected in your network, and to send you important information about your product and subscription. This data is stored in full compliance with GDPR.
We have no visibility into customers' data or the content of their communication. GoodAccess:
Because GoodAccess is a business solution, we keep only the minimum necessary logs. They are stored as a service for customers (access logs for security and compliance purposes) and to identify a customer when we need to pursue our legitimate interests. The logs contain the timestamps of the beginning and end of each connection, the volume of data transferred, the source IP address and the gateway used by the customer. Logs are retained for at most 3 months. Read the GoodAccess Privacy Policy to learn more.
Careful selection of business partners is a cornerstone of delivering the best possible service. The service providers we partner with are ISO 27001 certified and hold SOC 2 reports; the data centers hosting our servers have ISO 27001 certification and SOC 2 reports at a minimum, and most are also compliant with PCI DSS, SOC 1 and the NIST SP 800-53 PE (physical and environmental protection) control family.