Introduction - Taking Pride In Your Safety
Wix.com Ltd is a leading cloud-based web development platform with millions of users worldwide. We place security as one of our highest priorities & we strive to implement the highest level security processes and practices across all business units. To help ensure we attain this goal of protecting our users’ personal data, we have invested a great deal of effort in making sure our platform is safe and secure.
This document details an overview of our information security policies for the secure and acceptable use of our network, infrastructure and operational services.
This whitepaper presents Wix.com Ltd's approach to security and compliance.
Our compliance certifications, attestations, and frameworks
Compliance and Certifications - Keeping Your Data Safe
Here are our certifications for your brand protection:
The PCI DSS is the highest information security standard for organizations that accept credit card payments. It protects the privacy and confidentiality of the cardholder data used to complete online transactions.
Wix.com Ltd is audited annually and certified as ISO 27001 compliant. The ISO 27001 certification outlines industry best practices for managing security risks.
Wix.com Ltd has been audited and certified as ISO 27018 compliant. The ISO 27018 certification outlines industry best practices for handling Personally Identifiable Information (PII) in a public cloud-computing environment.
The GDPR is the European Union's framework for privacy laws, which came into force on May 25th, 2018. The GDPR protects individuals' rights when it comes to their personal data and what companies can do with it.
We are continuously working with a team of experts and have implemented the required adjustments to our products, services, and documentation, to ensure compliance with the GDPR. This empowers Wix customers to get more control over their personal data and gain the tools necessary to protect the information of visitors to Wix sites.
The California Consumer Privacy Act (CCPA) is a state-wide data privacy law that regulates how businesses all over the world are allowed to handle the personal information (PI) of California residents.
The statute is intended to enhance privacy rights and consumer protection by granting California residents specific rights, which include (but are not limited to) the "right to access", the "right to deletion" and the "right to opt-out from a sale of personal information".
Similar to GDPR, we have worked with a team of experts and have implemented the required adjustments to our products, services, and documentation, to ensure compliance with the CCPA.
Multi-Layered Security - Providing the Best For You
At Wix.com Ltd, we use multi-layered controls to help protect our infrastructure, constantly monitoring and improving our applications, systems, and processes to meet the growing demands and challenges of security.
Application Level Security
Every new feature released to the Wix.com Ltd web creation platform undergoes a rigorous security review, using STRIDE as our threat modeling method. As part of our software development methodology, we test each feature to make sure it upholds strict security standards and is not vulnerable to abuse.
We employ our own dedicated security research team to test the security posture of our platform on a regular basis. External penetration testing (PT), performed by external security experts, is conducted on a daily basis. All PT findings are reported to our R&D teams and are mitigated promptly.
Our development team follows OWASP secure coding practices.
Wix.com Ltd uses well-proven encryption algorithms and protocols to secure data in transit and data at rest.
Bug Bounty Program - Try and Hack Us to Make Us Better
At Wix.com Ltd we invite freelance security experts to join our active HackerOne program and try to hack our system, so that we can constantly improve and strengthen it. Our bounty program covers security vulnerabilities with a dynamic scope across various domains, such as:
SQL injection vulnerability
You can visit our HackerOne account here.
High-End Physical Security
Our production environment complies with the highest industry standards for physical, environmental and hosting controls.
Wix is hosted by cloud-based data center (DC) providers: AWS and Google Cloud Platform. Equinix provides all physical colocation services. These infrastructure providers maintain industry-standard security certifications, including:
PCI DSS Level 1
Network Security - Extra Layers of Protection
All new sites created on Wix.com Ltd have HTTPS automatically enabled as part of the basic services Wix.com Ltd provides. All critical interfaces and functions, such as user authentication, payment transactions (PCI data) and PII-related processes, are only accessible using the latest version of TLS. Wix.com Ltd officially supports TLS 1.2 as the minimum version.
Wix.com Ltd's SOC monitoring program (24/7/365) is focused on information gathered from internal network traffic, employee actions on systems and outside knowledge of vulnerabilities. Analysis is performed using a combination of open-source and commercial tools for traffic capture and parsing. Automated network analysis helps determine when an unknown threat may exist and escalates to Wix.com Ltd security staff; network analysis is supplemented by automated analysis of system logs.
Due to the dynamic nature of Wix.com Ltd's external attack surface, all of Wix.com Ltd's cloud and public interfaces are automatically scanned twice a day for vulnerabilities and misconfigurations.
Your security, privacy and confidentiality are our top priority. That's why Wix.com Ltd conducts a vetting process that includes an assessment of each third-party vendor's security practices to validate that they meet our security standards. Once we've assessed the risks, the supplier is required to enter into appropriate security, confidentiality, and privacy contract terms. When the vendor is approved, our security team will conduct an annual review if needed, to ensure its continued compliance with our standards.
Fraud Risk Management
Fraud risk management is part of the company's core activities and receives dedicated professional attention as part of our business model.
Activity at both the merchant level and the transaction level is exposed to fraudulent activity of various types, such as online payment fraud and the creation of fake accounts.
A transaction that is not authorized by a customer is referred to as fraudulent. A fraudulent transaction can result in a chargeback, which can cause merchants to lose money.
Wix.com Ltd's fraud risk management process spans from the early prevention phase through the operational cost reduction phase, at both the merchant level and the transaction level.
Wix.com Ltd’s Security and Privacy Culture - Privacy by Design
Employee Awareness and Training
All Wix.com Ltd employees undergo security training as part of the orientation process. During orientation, new employees agree to our Code of Conduct, which highlights our commitment to keeping customer information safe and secure. Depending on their job role, additional training on specific aspects of security may be required. For instance, the information security team instructs new engineers on topics such as secure coding practices, product design and automated vulnerability testing tools.
The security team communicates with all employees on a regular basis, covering topics such as emerging threats, phishing awareness campaigns, and other industry-related security topics.
Our dedicated security team
Wix.com Ltd employs security and privacy professionals who are experts in information, application and network security. The team is tasked with maintaining the company’s defense systems, developing security review processes, building security infrastructure, and implementing the company security policies.
Our dedicated security team actively scans for security threats, performs penetration tests, conducts quality assurance (QA) measures and software security reviews.
Within Wix.com Ltd, members of the information security team review security plans for networks, systems and services. They provide project-specific consulting services to Wix.com Ltd's product and engineering teams. They monitor for suspicious activity on Wix.com Ltd's networks, address information security threats, and perform routine security evaluations and audits, while engaging outside experts to conduct security assessments.
If you have any additional questions regarding security at Wix.com Ltd, please contact us at:
If you're interested in a custom solution for your brand, learn more about Wix for Enterprise here.
Wix.com Ltd powers over 200 million users and companies, with our highest priority being your security, privacy and confidentiality.