Security policy

At Gateway APIs, security is foundational to everything we build. Our infrastructure, processes, and partnerships are designed to protect your data and maintain the reliability of our platform at every level.

Platform security

API key management

API keys are securely generated and managed through our platform. We enforce scoped access, rate limiting, and rotation features to reduce exposure and enable fine-grained control.

Password security

Passwords are hashed using bcrypt and never stored in plain text. We enforce strong password creation standards and offer login alerts and audit logs for additional account protection.

Access control

Role-based permissions allow account owners to control access to usage logs, keys, webhooks, and organisational settings. This ensures sensitive API configurations remain protected.

Two-factor authentication (2FA)

We support 2FA via authenticator apps, providing an extra layer of protection against credential theft and unauthorised account access.

Infrastructure security

Hosting and data storage

All services are hosted on AWS, with environments segmented for production, staging, and development. Access to production systems is strictly limited and monitored.

Data encryption

All data is encrypted in transit using TLS 1.2+ and at rest using AES-256 encryption standards.

Backups and resilience

Regular automated backups are maintained across multiple availability zones. We test disaster recovery procedures periodically to ensure service continuity.

Monitoring and alerting

Real-time monitoring and alerting are in place to detect anomalies, API abuse, and unauthorised access. We log and analyse all access patterns across our services.

Security policies and audits

Security testing and audits

We conduct regular internal security reviews, dependency audits, and external penetration testing to identify and address vulnerabilities proactively.

Cybersecurity partnership

Gateway APIs works with DarkShield to perform routine security assessments and penetration testing of our infrastructure and platform endpoints.

Employee security training

All team members receive annual security awareness training and operate under signed confidentiality agreements. Access to production systems is limited to trained personnel.

Incident response

We have a defined incident response protocol that includes:

  • Immediate investigation and containment
  • Notification of affected users within required timeframes
  • Documentation, resolution, and future mitigation planning

If you suspect a security incident or vulnerability, please contact our security team immediately at [email protected].

Physical security

All data is stored in AWS data centres with industry-grade physical security including:

  • 24/7 surveillance and biometric access controls
  • Redundant power and cooling systems
  • Environmental controls and access monitoring

Subprocessor security

We only use subprocessors that meet our strict security standards. Each subprocessor undergoes due diligence and signs data processing agreements that comply with applicable privacy laws.

Our current subprocessors include:

  • AWS – Secure cloud hosting and data storage (ISO 27001, SOC 2)
  • Sentry – Error and performance monitoring
  • Mailgun – Secure transactional email delivery

Recommended user practices

  • Use strong, unique passwords for each user account
  • Enable two-factor authentication (2FA) where available
  • Rotate API keys regularly and remove unused keys
  • Delete users and webhooks no longer in use
  • Monitor your API usage for unexpected activity

Reporting vulnerabilities

We welcome responsible disclosure of security issues. If you discover a vulnerability or suspect a security issue, please email [email protected] with detailed information. We aim to respond to all reports within 48 hours.