Physical Servers

The platform runs on AWS infrastructure. Please click here to learn more about AWS cloud security, or click here to view all AWS compliance certifications.


All Celigo employees are required to pass a background check. In addition, employees in engineering, services, support, and operations (basically anyone with access to anything deemed security sensitive) are required to use LastPass, with multifactor authentication enabled, to store and generate all credentials used to perform job functions. Engineering employees with access to production systems are also required to undergo varying levels of security training at least annually. Celigo employees are only ever granted access to the minimal number of applications or systems needed to perform their job function.

The application is built using best-of-breed technology frameworks and secure software development practices. All bug fixes, enhancements, new features, etc. undergo a rigorous test and review process before any changes are pushed to the production environment. Production and testing environments are completely segregated from each other, and customer data is never used in QA or developer testing. Security-related bugs are always assigned the highest priority, and a root cause analysis is performed for all major bugs that make it into production. Both vulnerability and penetration testing are performed at least annually. HackerOne is used to engage outside security researchers to expose vulnerabilities in the platform (for bounty). Access to the web app is protected by username/password (passwords are one-way hashed), and access to the API is protected by bearer tokens. Both web and API access require SSL.

Customer Data

All core application data is stored in a high-availability MongoDB cluster, and full backups of this data are generated daily. The sensitive credential data that you store in (required to access the different applications and systems being integrated) is always encrypted via AES-256 before being persisted to the database, and is never viewable in plain text by anyone. The encryption keys used to decrypt credential data are always kept physically separated from the encrypted data at rest (i.e. on different servers). For the external data that you are integrating (i.e. the data that belongs to the external applications and systems being integrated), a combination of the primary application database and Amazon S3 (which is both secure and redundant) may be used for temporary persistence. This external data will never be persisted for more than 30 days, and is only persisted to safeguard the data while it is in transit and to facilitate error recovery and retry capabilities (where applicable) later from an authenticated page within the application. In addition to all of this, please see here for Celigo’s privacy policy regarding personal data.


SOC 2 Type 1

Found a vulnerability?

If you find a security vulnerability please email, and we will address the issue ASAP.