Security Overview

Introduction

At Boingo, we believe that security is critical to our business success. Boingo is a PCI-DSS compliant organization and utilizes the NIST 800-53 framework to pursue security excellence. In addition, Boingo follows GDPR and CCPA guidelines and enables users to control the data stored on Boingo networks. Boingo develops and maintains a robust set of tools hosted in SOC 2 and ISO 27001 compliant data centers.

Attestations & Certifications

Boingo meets rigorous international standards for security in terms of confidentiality, integrity, and availability. The following attestations are available under NDA and upon request:

• PCI-DSS Level 2 Merchant Certification

Physical Security

Boingo production data is processed and stored in Amazon Web Services Cloud, Microsoft Azure Cloud, and physical Equinix data centers, which use state-of-the-art multilayer access, alerting, and auditing measures, including:

Physical

  • Continuous external and internal security camera surveillance
  • 24×7 trained security guards
  • Mantrap access to data centers
  • Palm readers with keycode access to dedicated cages

Cloud

  • Multi-factor authentication
  • Segmented and private resource allocation
  • AES-256 data encryption at rest

System Security

Servers and Networking

Servers that run Boingo software in production are recent, continuously patched Linux systems. Exposed server endpoints are continuously tested for vulnerabilities using a variety of scanning systems as well as manual testing. Our web servers use the strongest grade of HTTPS security (TLS 1.2) so that requests are protected from eavesdroppers and man-in-the-middle attacks. Our SSL certificates are 2048-bit RSA, signed with SHA256.

Storage

All persistent data is encrypted at rest using the AES-256 standard or similarly high standards.

Operational Security

Employee Equipment

Employee computers have strong passwords, encrypted disks, antivirus protection, and, where applicable, inbound and outbound network traffic monitoring and alerting. Workstations are patched on a monthly basis and critical vulnerabilities are evaluated on a continuous basis.

Employee Access

We follow the principle of least privilege both in how we write software and in the level of access employees are instructed to utilize when diagnosing and resolving problems in our software and responding to customer support requests.

Access to administrative interfaces requires multi-factor authentication, and all administrative access is logged and auditable.

Service Levels, Backups, and Recovery

Boingo infrastructure utilizes multiple and layered techniques for increasingly reliable uptime, including the use of autoscaling, load balancing, task queues and rolling deployments. Boingo maintains daily backups of critical systems and differential backups for other systems, with bi-annual recovery testing as part of our Disaster Recovery and Business Continuity Plan.

Incident Reporting

If you have a security concern or are aware of an incident, please send an email to security@boingo.com.