Feel Safe with Enterprise Grade Security
Learn how Wix.com Ltd protects your data in our security whitepaper.
Introduction - Taking Pride In Your Safety
Wix.com Ltd is a leading cloud-based web development platform with millions of users worldwide. Security is one of our highest priorities, and we strive to implement the highest-level security processes and practices across all business units. To help ensure we attain this goal of protecting our users’ personal data, we have invested a great deal of effort in making sure our platform is safe and secure.
This document gives an overview of our information security policies for the secure and acceptable use of our network, infrastructure and operational services.
This whitepaper presents Wix.com Ltd's approach to security and compliance.
Compliance and Certifications - Your Data is Safe With Us
PCI Level 1 Merchant & Service Provider
The PCI DSS is the highest information security standard for organizations that accept credit card payments. This standard provides protection of the privacy and confidentiality of the card's data used to complete the online transaction.
ISO 27001
Wix.com Ltd is audited annually and certified as ISO 27001 compliant. The ISO 27001 certification outlines industry best practices for managing security risks.
ISO 27018
Wix.com Ltd has been audited and certified as ISO 27018 compliant. The ISO 27018 certification outlines industry best practices for handling Personally Identifiable Information (PII) in a public cloud-computing environment.
GDPR
The GDPR is the European Union's framework for privacy laws, which came into force on May 25th, 2018. The GDPR protects individuals' rights when it comes to their personal data and what companies can do with it.
We are continuously working with a team of experts and have implemented the required adjustments to our products, services, and documentation, to ensure compliance with the GDPR. This empowers Wix customers to get more control over their personal data and gain the tools necessary to protect the information of visitors to Wix sites.
For more information about how Wix.com Ltd processes user data and how to exercise rights in relation to personal information, please visit Wix.com Ltd privacy policy.
CCPA
The California Consumer Privacy Act (CCPA) is a state-wide data privacy law that regulates how businesses all over the world are allowed to handle the personal information (PI) of California residents.
The state statute is intended to enhance privacy rights and consumer protection by providing consumers with special rights, which include (but are not limited to) the "right to access", the "right to deletion" and the "right to opt-out from a sale of personal information".
Similar to GDPR, we have worked with a team of experts and have implemented the required adjustments to our products, services, and documentation, to ensure compliance with the CCPA.
Multi-Layered Security - Providing the Best For You
At Wix.com Ltd, we use multi-layered controls to help protect our infrastructure, constantly monitoring and improving our applications, systems, and processes to meet the growing demands and challenges of security.
Application Level Security
Threat Modeling
Every new feature released to the Wix.com Ltd web creation platform undergoes a rigorous security review, using STRIDE as our threat modeling method. As part of our software development methodology, we test each feature to make sure it upholds strict security standards and is not vulnerable to abuse.
Penetration Tests
We employ our own dedicated security research team to test the security posture of our platform on a regular basis. External penetration testing (PT), by external security experts, is conducted on a daily basis. All PT findings are reported to our R&D teams and are mitigated promptly.
OWASP
Our development team follows OWASP secure coding practices.
Encryption
Wix.com Ltd uses well-proven encryption algorithms and protocols to secure data in transit or data at rest.
Bug Bounty Program - Try and Hack Us to Make Us Better
At Wix.com Ltd we invite freelance security experts to join our active HackerOne account to try to hack our system so we can constantly improve and strengthen it. Our bounty program covers security vulnerabilities with a dynamic scope over various domains such as:
- XSS attack
- CSRF attack
- SQL injection vulnerability
- DNS hijacking
- Session vulnerability
- Unsecured API
- Authentication spoofing
You can visit our HackerOne account here.
High-End Physical Security
Our production environment complies with the highest industry standards for physical, environmental and hosting controls.
Wix is hosted by cloud-based DC providers: AWS and Google Cloud Platform. Equinix provides all physical colocation services. These infrastructure providers maintain industry-standard security certifications, including:
- ISO 27001
- ISO 27017
- ISO 27018
- SOC 1
- SOC 2
- SOC 3
- PCI DSS Level 1
To learn more about our providers' security controls, you can visit their websites: AWS, GCP, Equinix.
Network Security - Extra Layers of Protection
- TLS 1.2
All new sites created on Wix.com Ltd have HTTPS automatically enabled as part of the basic services Wix.com Ltd provides. All critical interfaces and functions, i.e. user authentication, payment transactions (PCI data) and PII-related processes, are only accessible using the latest version of TLS. Wix.com Ltd officially supports TLS with 1.2 as a minimum version.
- Monitoring
Wix.com Ltd's SOC 24/7/365 monitoring program is focused on information gathered from internal network traffic, employee actions on systems and outside knowledge of vulnerabilities. Analysis is performed using a combination of open-source and commercial tools for traffic capture and parsing. Automated network analysis helps determine when an unknown threat may exist and escalates to Wix.com Ltd security staff, and network analysis is supplemented by automated analysis of system logs.
- Vulnerability Scans
Due to the dynamic nature of Wix.com Ltd's external surface, all of Wix.com Ltd's cloud and public interfaces are automatically scanned twice a day for vulnerabilities and misconfigurations.
Third-Party Suppliers
Your security, privacy and confidentiality are our top priority. That’s why Wix.com Ltd conducts a vetting process that includes an assessment of the security practices of third-party vendors to validate that they meet our security standards. Once we’ve assessed the risks, the supplier is required to enter into appropriate security, confidentiality, and privacy contract terms. When the vendor is approved, our security team will conduct an annual review if needed, to ensure its compliance with our standards.
Fraud Risk Management
Fraud risk management is part of the company's core activities and receives dedicated professional attention as part of our business model.
Activity at both the merchant level and the transaction level is exposed to fraud of various types, such as online payment fraud and the creation of fake accounts.
A transaction that is not authorized by a customer is referred to as fraudulent. A fraudulent transaction can result in a chargeback, which can cause merchants to lose money.
Wix.com Ltd's fraud risk management process runs from the early prevention phase to the operational cost reduction phase, on both the merchant level and the transaction level.
Wix.com Ltd’s Security and Privacy Culture - Privacy by Design
Employee Awareness and Training
All Wix.com Ltd employees undergo security training as part of the orientation process. During orientation, new employees agree to our Code of Conduct, which highlights our commitment to keep customer information safe and secure. Depending on their job role, additional training on specific aspects of security may be required. For instance, the information security team instructs new engineers on topics like secure coding practices, product design, automated vulnerability testing tools and more.
The security team communicates with all employees on a regular basis, covering topics such as emerging threats, phishing awareness campaigns, and other industry-related security topics.
Our dedicated security team
Wix.com Ltd employs security and privacy professionals who are experts in information, application and network security. The team is tasked with maintaining the company’s defense systems, developing security review processes, building security infrastructure, and implementing the company security policies.
Our dedicated security team actively scans for security threats, performs penetration tests, and conducts quality assurance (QA) measures and software security reviews.
Within Wix.com Ltd, members of the information security team review security plans for networks, systems and services. They provide project-specific consulting services to Wix.com Ltd's product and engineering teams. They monitor for suspicious activity on Wix.com Ltd's networks, address information security threats, and perform routine security evaluations and audits, while engaging outside experts to conduct security assessments.
If you have any additional questions regarding security at Wix.com Ltd, please contact us at: security-report@Wix.com
If you’re interested in a custom solution for your brand, learn more about Wix for Enterprise here.
Wix.com Ltd powers 200+ million users and companies with our highest priority being your security, privacy and confidentiality.