At Gateway APIs, security is foundational to everything we build. Our infrastructure, processes, and partnerships are designed to protect your data and maintain the reliability of our platform at every level.
API keys are securely generated and managed through our platform. We enforce scoped access, rate limiting, and rotation features to reduce exposure and enable fine-grained control.
Passwords are hashed using bcrypt and never stored in plain text. We enforce strong password creation standards and offer login alerts and audit logs for additional account protection.
Role-based permissions allow account owners to control access to usage logs, keys, webhooks, and organisational settings. This ensures sensitive API configurations remain protected.
We support 2FA via authenticator apps, providing an extra layer of protection against credential theft and unauthorised account access.
All services are hosted on AWS, with environments segmented for production, staging, and development. Access to production systems is strictly limited and monitored.
All data is encrypted in transit using TLS 1.2 or later and at rest using AES-256.
Regular automated backups are maintained across multiple availability zones. We test disaster recovery procedures periodically to ensure service continuity.
Real-time monitoring and alerting are in place to detect anomalies, API abuse, and unauthorised access. We log and analyse all access patterns across our services.
We conduct regular internal security reviews, dependency audits, and external penetration testing to identify and address vulnerabilities proactively.
Gateway APIs works with DarkShield to perform routine security assessments and penetration testing of our infrastructure and platform endpoints.
All team members receive annual security awareness training and operate under signed confidentiality agreements. Access to production systems is limited to trained personnel.
We have a defined incident response protocol that includes:
If you suspect a security incident or vulnerability, please contact our security team immediately at [email protected].
All data is stored in AWS data centres with industry-grade physical security including:
We only use subprocessors that meet our strict security standards. Each subprocessor undergoes due diligence and signs data processing agreements that comply with applicable privacy laws.
Our current subprocessors include:
We welcome responsible disclosure of security issues. If you discover a vulnerability or suspect a security issue, please email [email protected] with detailed information. We aim to respond to all reports within 48 hours.