How Secure is GoodAccess?

The security of our platform and its users is of paramount importance to us. Learn more about the security measures we use and standards we follow.

Table of Contents

Protection of GoodAccess Gateways

Encryption Protocols

Authentication Methods in GoodAccess

Penetration Testing

GoodAccess Bug Bounty Program

Ownership Transparency

GDPR Compliance

SOC2 Compliance

ISO 27001 Compliance

What Information Do We Store?

GoodAccess Partners' Security Standards

Protection of GoodAccess Gateways

From the point you connect to a gateway (a dedicated cloud VPN server) in your preferred location, all the data sent and received is hidden from discovery and encrypted inside a secure tunnel. We are aware that the gateways are one of the most important parts of GoodAccess, so we put a significant amount of effort into their protection. Access to the gateways is hardened against brute-force attacks, which protects them from dictionary attacks, credential stuffing and other malicious techniques that could lead to leakage of sensitive data or disruption of the server. In addition, only certificate-based access is allowed.

Encryption Protocols

GoodAccess gateways support the IKEv2/IPsec and OpenVPN protocols to establish a secure tunneled interconnection between a user's devices and the desired IT resources. Both are configured to use strong (unbroken) ciphers and algorithms, TLS authentication, MitM protection, Perfect Forward Secrecy, etc. A WireGuard implementation is on our roadmap for 2022.
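To show what the properties listed above look like in practice, here is an illustrative OpenVPN 2.5 configuration (an added example, not GoodAccess's own gateway configuration, which this page does not publish); the file names, curve and cipher choices are assumptions, and each directive is annotated with the property it provides.

```conf
## server.conf (illustrative fragment) ##
proto udp
dev tun

# Certificate-based access only: every client must present a certificate
# issued by our CA; no username/password, so there is nothing to brute-force.
ca   ca.crt
cert server.crt
key  server.key
verify-client-cert require

# Strong, unbroken AEAD ciphers for the data channel; no legacy fallback
# (e.g. no BF-CBC, which older defaults would negotiate).
data-ciphers          AES-256-GCM:CHACHA20-POLY1305
data-ciphers-fallback AES-256-GCM
auth SHA256

# TLS authentication and encryption of the control channel: packets without
# a valid HMAC under ta.key are dropped before the TLS stack processes them,
# which blunts unauthenticated scanning and handshake flooding.
tls-crypt ta.key

# Perfect Forward Secrecy: ephemeral ECDH per session instead of static
# DH parameters, with TLS 1.2+ and ECDHE-only suites.
dh none
ecdh-curve secp384r1
tls-version-min 1.2
tls-cipher TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384:TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384

## client.ovpn (illustrative fragment) ##
client
remote vpn.example.invalid 1194 udp   # placeholder hostname
ca   ca.crt
cert client.crt
key  client.key
tls-crypt ta.key
data-ciphers AES-256-GCM:CHACHA20-POLY1305

# MitM protection: only accept a peer whose certificate carries the
# TLS Web Server Authentication extended key usage, so a stolen client
# certificate cannot be used to impersonate the gateway.
remote-cert-tls server
```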

Authentication Methods in GoodAccess

When using GoodAccess, you are assigned either a Team Member or Admin role. Each role has a different choice of authentication methods to prevent unauthorized access and misuse of sensitive data.

Admin View (to access the Control Panel):

Team Member View (to log in to the GoodAccess client app):

Penetration Testing

We believe that if you're developing a service that thousands of users rely on in their daily operations, it is crucial to run regular checks by a second (and third) pair of eyes. Therefore, GoodAccess is subjected to continual penetration tests from two different cyber security companies, whose teams consist of security specialists and certified ethical hackers. We appreciate the long-term trusted partnership with both companies, which allows us to run so-called white-box and black-box pen tests. In the white-box tests, the tester, an ethical hacker, has full knowledge of and access to the majority of the software source code, which turns out to be a very effective testing method.

The tests cover the following product parts:

GoodAccess Bug Bounty Program

As yet another way to improve the security of our products, we are constantly looking for new ways to secure servers, apps, connections and GoodAccess users. This is why we also run a bug bounty program. We appreciate everyone who contributes and helps us keep our product secure. If you find any vulnerability or security bug, please let us know at security@goodaccess.com and we'll reward you with gift cards that we have prepared for this purpose.

Ownership Transparency

GoodAccess is a privately held, independent company based in the Czech Republic, Europe, that follows European law.

Legal Information:
GoodAccess s.r.o.
Spitalske namesti 3517/1b
400 01 Usti nad Labem
Czech Republic, Europe
VAT ID: CZ03513386

GDPR Compliance

GoodAccess is compliant with the GDPR. As we're located within the EU, we are legally obliged to be. Besides adhering to the GDPR, we also follow ISO 27001 and SOC2 best practices.

SOC2 Compliance

GoodAccess is SOC2-certified. We adhere to strict internal controls over our information systems and their users, and maintain high standards of security, availability, confidentiality, processing integrity, and privacy.

ISO 27001 Compliance

GoodAccess is certified to the ISO/IEC 27001 standard. We maintain a comprehensive matrix of security controls and other forms of risk management, and adhere to internal processes that keep information security at a high level on an ongoing basis.

What Information Do We Store?

We store some personal data of active customers, which is needed to operate our services and for compliance reasons. We also keep contact information so that we can alert customers when fraudulent activity is detected in their network and share important information about the product and subscription. All our data storage is fully compliant with the strictest GDPR rules.

We have no visibility into the customer's data and content of the communication. GoodAccess:

We keep the minimum number of necessary logs because GoodAccess is a business solution. Logs are stored as a service for customers (access logs for security and compliance reasons) and to identify a customer when we need to pursue our legal interests. These logs contain: timestamps of the beginning and the end of the connection, the volume of data transferred, the source IP and the gateway used by the customer. We keep the logs for 3 months at the most. Read the GoodAccess Privacy Policy to learn more.

How Do We Evaluate Our Partners' Security?

Careful selection of business partners is a cornerstone of delivering the best possible service. The service providers we partner with are ISO 27001 and SOC2 compliant and certified, and the data centers where we run our servers hold ISO 27001 and SOC2 certification at a minimum; most are also compliant with PCI DSS, SOC1 and NIST 800-53 PE.