General security policies
SSL Everywhere
Gain uses TLS (still commonly referred to as SSL) to encrypt traffic for all of its services, protecting sensitive information in transit.
Password Security
User passwords in Gain are never stored in plain text. They are stored as PBKDF2 hashes using HMAC-SHA256, with an individual random salt for each password and tens of thousands of hashing iterations.
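The following is an added example of the scheme described above, written for this page; it is not Gain's own code. It derives a key with PBKDF2-HMAC-SHA256, draws a fresh random salt per password, stores the salt and iteration count alongside the key so the record is self-describing, verifies with a constant-time comparison, and flags records made with an iteration count below the current policy. The specific iteration count, salt size and record format are assumptions for illustration, not Gain's actual values.

```python
import base64
import hashlib
import hmac
import os

# Illustrative parameters, not Gain's actual configuration: the page only
# says "tens of thousands" of iterations with an individual random salt.
ITERATIONS = 60_000
SALT_BYTES = 16
KEY_BYTES = 32
SCHEME = "pbkdf2_sha256"


def _b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode("ascii")


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: scheme$iterations$salt$key.

    A fresh random salt is drawn on every call, so two users with the same
    password get unrelated records and precomputed tables are useless.
    """
    salt = os.urandom(SALT_BYTES)
    key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                              iterations, dklen=KEY_BYTES)
    return "$".join([SCHEME, str(iterations), _b64(salt), _b64(key)])


def verify_password(password: str, record: str) -> bool:
    """Recompute the key from the stored salt and compare in constant time."""
    try:
        scheme, iterations, salt_b64, key_b64 = record.split("$")
        if scheme != SCHEME:
            return False
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(key_b64)
        iterations = int(iterations)
    except ValueError:  # malformed record (binascii.Error is a ValueError)
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                                    iterations, dklen=len(expected))
    # compare_digest does not leak how many leading bytes matched.
    return hmac.compare_digest(candidate, expected)


def needs_rehash(record: str, iterations: int = ITERATIONS) -> bool:
    """True when a record was made with fewer iterations than current policy.

    Call this after a successful login so old records are upgraded
    transparently the next time the user authenticates.
    """
    parts = record.split("$")
    return len(parts) != 4 or parts[0] != SCHEME or int(parts[1]) < iterations
```

Storing the iteration count in the record is what lets the count be raised over time without invalidating existing logins: verification uses the stored count, and `needs_rehash` tells the login handler when to re-derive with the new one.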
Magic Login
Gain provides a “magic login” feature for approvers: instead of entering a password, an approver logs in by following a link that contains a unique token sent by email. These tokens are short-lived and valid for a single use, which reduces the risk of account hijacking if a message is forwarded or intercepted.
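An added example of how a short-lived, one-time login token can be issued and redeemed; this is illustrative code written for this page, not Gain's implementation. The token is generated from the OS CSPRNG, only its SHA-256 digest is kept server-side (so a leaked table does not yield usable links), and redemption removes the record whether it succeeds or has expired, so a token cannot be replayed. The 15-minute lifetime, the in-memory store and the injectable clock are assumptions for illustration.

```python
import hashlib
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional

# Assumed lifetime; the page only says tokens are "short-lived".
TOKEN_TTL_SECONDS = 15 * 60


@dataclass
class PendingLogin:
    user_id: str
    expires_at: float


class MagicLoginStore:
    """In-memory stand-in for the table a real service would keep.

    Only a SHA-256 digest of each token is stored, so a copy of the store
    (backup, log line, database dump) does not hand out working login links.
    """

    def __init__(self, clock: Callable[[], float] = time.time,
                 ttl: float = TOKEN_TTL_SECONDS) -> None:
        self._pending: Dict[bytes, PendingLogin] = {}
        self._clock = clock  # injectable so expiry can be tested offline
        self._ttl = ttl

    @staticmethod
    def _digest(token: str) -> bytes:
        return hashlib.sha256(token.encode("utf-8")).digest()

    def issue(self, user_id: str) -> str:
        """Create the token that goes into the email link.

        The plaintext token is returned to the mailer and never persisted.
        """
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._pending[self._digest(token)] = PendingLogin(
            user_id, self._clock() + self._ttl)
        return token

    def redeem(self, token: str) -> Optional[str]:
        """Return the user id if the token is valid, consuming it; else None.

        pop() removes the record on every outcome except 'unknown token', so
        a token works once and an expired token cannot be replayed later.
        """
        record = self._pending.pop(self._digest(token), None)
        if record is None:
            return None
        if self._clock() > record.expires_at:
            return None
        return record.user_id
```

Looking the token up by digest rather than by the raw value means the comparison that happens inside the dictionary never touches the secret itself, and an attacker who can read the store still has to invert SHA-256 to produce a link that redeems.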
Access to Social Networks
Gain connects to social networks (Facebook, Twitter, Instagram and LinkedIn) through each network’s official authentication API, following that network’s recommendations. Connections use OAuth 2.0 or a network-specific variant of it, so Gain never sees a social account’s password. Instead, Gain receives a time-limited access token, which end users can revoke at any time.
Instagram Publishing
Some other social media management tools advertise that they can post directly to Instagram. They do this by asking for, and storing, the Instagram account’s password and then logging in as the user from a remote system. For security reasons, Gain will never do this. Read our rationale for this policy.
User/Account Data
Gain keeps an account’s data indefinitely so that users can refer back to it. On request, however, we will permanently delete all data for an account and its users, with no further retention.
Billing
Gain uses Stripe for billing, which provides PCI DSS compliant payment handling. Credit card details are sent directly to Stripe; Gain never sees credit card information and never stores card numbers on its servers.
Application Vulnerabilities
Gain follows web security best practices and continually tests against the vulnerability classes and attacks described in the OWASP Top Ten and elsewhere. All components of the application stack are kept current with the latest security updates.