Gain uses TLS (the successor to SSL) encryption on all services to protect sensitive information in transit.
User passwords in Gain are stored using PBKDF2 with HMAC-SHA256, an individual random salt per user, and tens of thousands of hashing iterations.
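The scheme described above, as an added example (not Gain's code): PBKDF2-HMAC-SHA256 with a per-user random salt, a self-describing storage record, constant-time verification, and a check that lets old records be upgraded on the next successful login. The iteration count, salt and key sizes and record format are assumptions for this example; the page says only "tens of thousands" of iterations, while OWASP's Password Storage Cheat Sheet currently recommends 600,000 for PBKDF2-HMAC-SHA256, so that is the default used here.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# Parameters are assumptions for this example, not Gain's actual values. The
# page states PBKDF2 with HMAC-SHA256, a per-user random salt and "tens of
# thousands" of iterations; OWASP's Password Storage Cheat Sheet currently
# recommends 600,000 iterations for PBKDF2-HMAC-SHA256.
SCHEME = "pbkdf2-sha256"
ITERATIONS = 600_000
SALT_BYTES = 16
KEY_BYTES = 32


def _b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode("ascii")


def hash_password(password: str, iterations: int = ITERATIONS,
                  salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: scheme$iterations$salt$derived_key.

    A fresh random salt per password means two users with the same password
    get different records, and a precomputed table is useless against the DB.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                              iterations, dklen=KEY_BYTES)
    return "$".join([SCHEME, str(iterations), _b64(salt), _b64(key)])


def verify_password(password: str, record: str) -> bool:
    """Recompute the key with the stored salt and iteration count, then
    compare in constant time so a wrong guess cannot be timed byte by byte."""
    try:
        scheme, iterations_str, salt_b64, key_b64 = record.split("$")
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(key_b64)
        iterations = int(iterations_str)
    except (ValueError, TypeError):
        return False          # malformed record: never accept
    if scheme != SCHEME or iterations < 1 or not expected:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                                    iterations, dklen=len(expected))
    return hmac.compare_digest(candidate, expected)


def needs_rehash(record: str, target_iterations: int = ITERATIONS) -> bool:
    """True if the record uses fewer iterations (or another scheme) than we
    want today. Call it right after a successful login, the only moment the
    plaintext password is available, and re-store the result of
    hash_password() to upgrade old records transparently."""
    try:
        scheme, iterations_str, _salt, _key = record.split("$")
        return scheme != SCHEME or int(iterations_str) < target_iterations
    except ValueError:
        return True
```

The record carries its own iteration count, so raising the default later does not invalidate existing logins: a record made with 20,000 iterations still verifies, and `needs_rehash` flags it for an upgrade at the next login.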
Gain provides a “magic login” for approvers: they log in with a special token sent to them by email, so they never need to enter a password. These tokens are short-lived and single-use to prevent account hijacking.
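A minimal token store with the two properties the paragraph names (short-lived, single-use), as an added example that is not Gain's code. The 15-minute lifetime, the class and method names, and the in-memory dictionary standing in for a database table are assumptions for this example; the page gives none of them.

```python
import hashlib
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional

# Lifetime is an assumption for this example; the page only says "short-lived".
TOKEN_TTL_SECONDS = 15 * 60


@dataclass
class PendingLogin:
    user_id: str
    expires_at: float


class MagicLoginStore:
    """Issues and redeems single-use, expiring login tokens.

    The raw token goes only into the e-mail link. The store keeps a SHA-256
    fingerprint of it, so someone who can read the table (a backup, a SQL
    injection, a leaked dump) still cannot forge a working link.
    """

    def __init__(self) -> None:
        self._pending: Dict[str, PendingLogin] = {}   # stands in for a DB table

    @staticmethod
    def _fingerprint(token: str) -> str:
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def issue(self, user_id: str, now: Optional[float] = None) -> str:
        """Create a token for user_id and return the raw value to e-mail."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)          # 256 bits from the OS CSPRNG
        self._pending[self._fingerprint(token)] = PendingLogin(
            user_id=user_id, expires_at=now + TOKEN_TTL_SECONDS)
        return token

    def redeem(self, token: str, now: Optional[float] = None) -> Optional[str]:
        """Return the user id for a valid token, or None.

        pop() removes the entry whether or not it is still valid: a token is
        consumed on first use, so a replay fails, and an expired one is purged
        rather than lingering in the table. The user id comes from the stored
        entry, never from the URL, so a token cannot be pointed at another
        account.
        """
        now = time.time() if now is None else now
        entry = self._pending.pop(self._fingerprint(token), None)
        if entry is None or now > entry.expires_at:
            return None
        return entry.user_id

    def pending_count(self) -> int:
        return len(self._pending)
```

Two things to carry over to a real deployment: the consume step must be atomic against the database (a single `DELETE ... RETURNING`, or a compare-and-set on a `used` flag) so two concurrent requests with the same token cannot both succeed; and because mail gateways and link scanners follow URLs in e-mail, a single-use token can be burned before the approver clicks it, so the link should land on a page whose button submits the token with a POST rather than redeeming on the GET itself.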
Access to Social Networks.
Connections to social networks (Facebook, Twitter, Instagram, and LinkedIn) are made using each network’s official authentication API and recommendations. These connections use OAuth 2.0 or a variant of it, which means Gain never sees a social account’s password. Instead, Gain receives a time-limited access token, which the end user can revoke at any time.
Other social media management tools advertise that they can post directly to Instagram. They do this by asking for and storing the Instagram account’s main password, then logging in as the user from a remote device. For security reasons, Gain will never do this. Read our rationale for this policy.
Gain normally archives an account’s data indefinitely for the user’s own future reference. However, on request we will fully remove all data for an account and its users, both existing data and anything that would be collected in the future.
Billing in Gain is handled by Stripe, a PCI-DSS compliant payment processor. Credit card numbers are sent directly to Stripe without passing through Gain’s servers: Gain never sees credit card information and never stores credit card numbers on its own infrastructure.
Gain follows web security best practices and is regularly tested against the vulnerability classes in the OWASP Top Ten and similar lists. All components of the application stack are kept up to date with the latest security updates.