Glofox Security: Fitness Management Software You Can Trust
The security of your data is critically important to us, which is why we are constantly reviewing and improving our processes to ensure your data remains safe.
Here, you will learn about the technologies and processes that we use to secure your data and answers some of your frequently asked questions.
Data security is a top priority for us here at Glofox. We have significantly invested in our security infrastructure to date and we will continue to invest in our infrastructure to ensure your data remains safe.
Glofox’s Information Security Management System (ISMS) has also been certified to the Global ISO 27001:2013 standard.
The Glofox platform is hosted in European AWS data centers: ISO 27001, PCI DSS Service Provider Level 1, and SOC 2 compliant. AWS data centers are secured physically at the perimeter layer, including several security features depending on the location. These features include security guards, fencing, security feeds, intrusion detection technology, and other security measures.
Security and incident response team
The Glofox SRE Team is able to respond to outages and security incidents around the clock, through a 24/7 on-call rotation.
Architecture and Network security
The Glofox architecture makes use of AWS private networks and services to protect private and sensitive data. Access to these networks and services is restricted to specific users and applications, on a least-privilege principle basis. All users require Multi-Factor Authentication to gain access to private resources. Additionally, any datastore categorised as holding PII is configured with additional monitoring and auditing capabilities.
Third-party security testing
The Glofox platform is assessed by a third-party security team for security vulnerabilities on a monthly basis. Additionally, this team also performs deep-dive Penetration Testing against the Glofox platform twice a year.
Suspicious activity monitoring
The Glofox infrastructure is configured to monitor suspicious activity and anomalous behaviour. These events are escalated for immediate action to the on-call incident response team.
Glofox relies on several layers of DDoS protection to prevent malicious actors from compromising service availability. This includes the use of Cloudflare, AWS CloudFront, AWS WAF v2, as well as automated scaling of the Glofox backend services to handle increases in load.
Communication with Glofox systems is encrypted via HTTP/TLS to secure traffic in transit. All data is also encrypted at rest in AWS.
Status and uptime
The Glofox status page is available to track the platform status and other maintenance and security related information.
The Glofox infrastructure is spanning across multiple AWS availability zones to ensure application redundancy and database replication without a single point of failure. The Glofox platform is consistently available with a higher than 99.9% uptime.
The Glofox platform is constantly monitored for uptime, errors and performance. Relevant thresholds are in place to alert the on-call teams to respond to possible outage or incidents.
Glofox databases are backed up on a daily, weekly and monthly basis, with a 6-months retention policy. These backups offer point-in-time recovery which can be used in Disaster Recovery situations.
Glofox has developed a comprehensive set of security policies that have been shared with and made available to all employees and contractors with access to Glofox.
Security Awareness Test
All Glofox employees complete a Security Awareness Test to ensure their security knowledge is up to scratch and that they are aware of security best practices.
All new hires are required to sign confidentiality agreements.
FREQUENTLY ASKED QUESTIONS
Is my client’s payment information stored on your system?
No. Our Partner Stripe and GoCardless store payment information and they both are certified to the highest industry standards and have obtained regulatory licenses around the world.
By what measures does your organisation monitor the effectiveness of, and level of compliance with its information security policies?
All employees undergo IT security training. Each employee will be required to take the training and pass an awareness test. This will be maintained on an annual basis.
Can you provide SOC or other 3rd party audit reports?
We can provide 3rd party assessments and pen tests on our infrastructure.
Who will have access to our data?
Restricted Glofox employees, with different access control policies based on the employee role for support purposes.
What provider do you use for your servers?
Amazon Web Services.