Celigo integrator.io Security

Physical Servers

The Celigo integrator.io platform runs on AWS infrastructure. Please click here to learn more about AWS cloud security, or click here to view all AWS compliance certifications.


All Celigo employees are required to pass a background check. In addition to this, employees in engineering, services, support, and operations (basically anyone with access to anything deemed security sensitive) are required to use LastPass, with multifactor authentication enabled, to store and generate all credentials used to perform job functions. Engineering employees with access to production systems are also required to undergo varying levels of security training at least annually. All Celigo employees are always only granted access to the minimal number of applications or systems needed to perform their job function.


Celigo integrator.io is built using best of breed technology frameworks and secure software development practices. All bug fixes, enhancements, new features, etc. undergo a rigorous test and review process before any changes are pushed to the production environment. Production and testing environments are completely segregated from each other, and customer data is never used in QA or developer testing. Security related bugs are always assigned the highest priority, and a root cause analysis is performed for all major bugs that make it into production. Both vulnerability and penetration testing are performed at least annually. HackerOne is used to engage outside security researchers to expose vulnerabilities in the integrator.io platform (for bounty). Access to the integrator.io web app is protected by username/password (passwords are one-way hashed), and access to the API is protected by bearer tokens. Both web and API access require SSL.

Customer Data

All Celigo integrator.io core application data is stored in a high availability MongoDB cluster, and full backups of this data are generated daily. The sensitive credential data that you store in integrator.io (required to access the different applications and systems being integrated) is always encrypted via AES 256 before being persisted to the database, and is never viewable in plain text by anyone; and the encryption keys used to decrypt credential data are always kept physically separated from the encrypted data at rest (i.e. on different servers). For the external data that you are integrating (i.e. the data that belongs to the external applications and systems being integrated), a combination of the integrator.io primary application database and also Amazon S3 (which is both secure and redundant) may be used for temporary persistence. This external data will never be persisted for more than 30 days, and is only persisted for the purpose of safeguarding the data while it is in transit, and also to facilitate error recovery and retry capabilities (where applicable) later from an authenticated page within the integrator.io application. In addition to all of this, please see here for Celigo’s privacy policy regarding personal data.


Celigo takes compliance seriously, and as such, besides being CCPA and GDPR ready with a US Privacy Shield Certification, we have completed SOC 2 Type 2 audits in 2019, 2020, 2021,and 2022. We are also HIPAA Ready as a Business Associate for IO, and are able to sign a Business Associate Agreement (BAA).

As a customer or a prospect, you may request a copy of the SOC 2 report under Mutual NDA from [email protected].

Found a vulnerability?

If you find a security vulnerability please email [email protected], and we will address the issue ASAP.