Security Overview
Introduction
At Boingo we believe that security is critical to our business success. Boingo is a PCI-DSS compliant organization and utilizes the NIST 800-53 framework to pursue security excellence. In addition, Boingo follows GDPR and CCPA guidelines and enables users to control the data stored on Boingo networks. Boingo develops and maintains a robust set of tools hosted in SOC 2 and ISO 27001 compliant data centers.
Contents
Physical Security
System Security
Application Security
Incident Reporting and Ongoing Improvements
Attestations & Certifications
Boingo meets rigorous international standards for security in terms of confidentiality, integrity, and availability. The following attestations are available under NDA and upon request:
• PCI-DSS Level 2 Merchant Certification
Physical Security
Boingo production data is processed and stored in Amazon Web Services Cloud, Microsoft Azure Cloud, and physical Equinix data centers, which use state-of-the-art multilayer access, alerting, and auditing measures, including:
Physical
- Continuous external and internal security camera surveillance
- 24×7 trained security guards
- Mantrap access to data centers
- Palm readers with keycode access to dedicated cages
Cloud
- Multi-factor authentication
- Segmented and private resource allocation
- AES-256 data encryption at rest
System Security
Servers and Networking
Servers that run Boingo software in production are recent, continuously patched Linux systems. Exposed server endpoints are continuously tested for vulnerabilities using a variety of scanning systems as well as manual testing. Our web servers use the strongest grade of HTTPS security (TLS 1.2) so that requests are protected from eavesdroppers and man-in-the-middle attacks. Our SSL certificates are 2048-bit RSA, signed with SHA256.
Storage
All persistent data is encrypted at rest using the AES-256 standard or similarly high standards.
Operational Security
Employee Equipment
Employee computers have strong passwords, encrypted disks, antivirus protection, and, where applicable, inbound and outbound network traffic monitoring and alerting. Workstations are patched on a monthly basis and critical vulnerabilities are evaluated on a continuous basis.
Employee Access
We follow the principle of least privilege both in how we write software and in the level of access employees are instructed to use when diagnosing and resolving problems in our software and responding to customer support requests.
Access to administrative interfaces requires multi-factor authentication, and all administrative access is logged and auditable.
Service Levels, Backups, and Recovery
Boingo infrastructure utilizes multiple and layered techniques for increasingly reliable uptime, including the use of autoscaling, load balancing, task queues and rolling deployments. Boingo maintains daily backups of critical systems and differential backups for other systems, with bi-annual recovery testing as part of our Disaster Recovery and Business Continuity Plan.
Incident Reporting
If you have a security concern or are aware of an incident, please send an email to security@boingo.com.