Feel Safe with Enterprise Grade Security

Learn how Wix.com Ltd protects your data in our security whitepaper.


Introduction - Taking Pride In Your Safety


Wix.com Ltd is a leading cloud-based web development platform with millions of users worldwide. We place security among our highest priorities and strive to implement the highest-level security processes and practices across all business units. To help us reach the goal of protecting our users' personal data, we have invested a great deal of effort in making sure our platform is safe and secure.

This document gives an overview of our information security policies for the secure and acceptable use of our network, infrastructure and operational services.

This whitepaper presents Wix.com Ltd's approach to security and compliance.

Our compliance certifications, attestations, and frameworks


Compliance and Certifications - Keeping Your Data Safe

Here are the certifications that protect your brand:

PCI Level 1 Merchant & Service Provider

The PCI DSS is the highest information security standard for organizations that accept credit card payments. It protects the privacy and confidentiality of the card data used to complete online transactions.

ISO 27001

Wix.com Ltd is audited annually and certified as ISO 27001 compliant. The ISO 27001 certification outlines industry best practices for managing security risks.

ISO 27018

Wix.com Ltd has been audited and certified as ISO 27018 compliant. The ISO 27018 certification outlines industry best practices for handling Personally Identifiable Information (PII) in a public cloud-computing environment.

GDPR

The GDPR is the European Union's framework for privacy laws, which came into force on May 25th, 2018. The GDPR protects individuals' rights when it comes to their personal data and what companies can do with it.

We are continuously working with a team of experts and have implemented the required adjustments to our products, services, and documentation, to ensure compliance with the GDPR. This empowers Wix customers to get more control over their personal data and gain the tools necessary to protect the information of visitors to Wix sites.

For more information about how Wix.com Ltd processes user data and how to exercise your rights in relation to personal information, please visit the Wix.com Ltd privacy policy.

CCPA

The California Consumer Privacy Act (CCPA) is a state-wide data privacy law that regulates how businesses all over the world may handle the personal information (PI) of California residents.

The statute is intended to enhance privacy rights and consumer protection by granting residents specific rights, which include (but are not limited to) the "right to access", the "right to deletion" and the "right to opt out of the sale of personal information".

Similar to GDPR, we have worked with a team of experts and have implemented the required adjustments to our products, services, and documentation, to ensure compliance with the CCPA.


Multi-Layered Security - Providing the Best For You

At Wix.com Ltd, we use multi-layered controls to help protect our infrastructure, constantly monitoring and improving our applications, systems and processes to meet the growing demands and challenges of security.

Application-Level Security

Threat Modeling

Every new feature released to the Wix.com Ltd web creation platform undergoes a rigorous security review, using STRIDE as our threat modeling method. As part of our software development methodology, we test each feature to make sure it upholds strict security standards and is not vulnerable to abuse.

Penetration Tests

We employ our own dedicated security research team to test the security posture of our platform on a regular basis. External penetration tests (PT), by external security experts, are conducted on a daily basis. All PT findings are reported to our R&D teams and mitigated promptly.

OWASP

Our development team follows OWASP secure coding practices.

Encryption

Wix.com Ltd uses well-proven encryption algorithms and protocols to secure data both in transit and at rest.

Bug Bounty Program - Try and Hack Us to Make Us Better

At Wix.com Ltd we invite freelance security experts to join our active HackerOne program and try to hack our system, so we can constantly improve and strengthen it. Our bounty program covers security vulnerabilities with a dynamic scope across various domains, such as:

  • XSS attack

  • CSRF attack

  • SQL injection vulnerability

  • DNS hijacking

  • Session vulnerability

  • Unsecured API

  • Authentication spoofing

You can visit our HackerOne account here.

High-End Physical Security

Our production environment complies with the highest industry standards for physical, environmental and hosting controls.

Wix is hosted by cloud-based data center providers: AWS and Google Cloud Platform. Equinix provides all physical colocation services. These infrastructure providers maintain industry-standard security certifications, including:

  • ISO 27001

  • ISO 27017

  • ISO 27018

  • SOC 1

  • SOC 2

  • SOC 3

  • PCI DSS Level 1

To learn more about our providers' security controls, you can visit their websites: AWS, GCP, Equinix.

Network Security - Extra Layers of Protection

  • TLS 1.2

All new sites created on Wix.com Ltd have HTTPS automatically enabled as part of the basic services Wix.com Ltd provides. All critical interfaces and functions, i.e., user authentication, payment transactions (PCI data) and PII-related processes, are only accessible using the latest version of TLS. Wix.com Ltd officially supports TLS 1.2 as the minimum version.
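The paragraph above states a minimum-version policy (TLS 1.2 or newer on every critical interface). The following added example, which is not Wix.com Ltd's code and assumes only Python's standard `ssl` module, shows the weak setting beside the hardened one and a small audit function that flags a server context which would still accept TLS 1.0/1.1, or which has disabled every policy-compliant version through its options. The policy constant, function names and finding strings are this example's own choices.

```python
"""Audit an ssl.SSLContext against a 'TLS 1.2 minimum' policy (added example)."""
import ssl

# Policy floor taken from the whitepaper text: TLS 1.2 is the minimum.
POLICY_MIN_VERSION = ssl.TLSVersion.TLSv1_2


def hardened_server_context() -> ssl.SSLContext:
    """Hardened setting: the context refuses SSLv3, TLS 1.0 and TLS 1.1."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def legacy_server_context() -> ssl.SSLContext:
    """Weak setting: the floor is left to whatever the linked OpenSSL allows."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED
    return ctx


def audit_tls_policy(ctx: ssl.SSLContext) -> list[str]:
    """Return a list of policy findings; an empty list means compliant."""
    findings: list[str] = []

    # 1. The floor must be an explicit version at or above the policy minimum.
    low = ctx.minimum_version
    if low == ssl.TLSVersion.MINIMUM_SUPPORTED or low < POLICY_MIN_VERSION:
        findings.append(
            f"minimum_version is {low.name}; policy requires "
            f"{POLICY_MIN_VERSION.name} or higher"
        )

    # 2. A ceiling set below the policy minimum leaves no usable version.
    high = ctx.maximum_version
    if high != ssl.TLSVersion.MAXIMUM_SUPPORTED and high < POLICY_MIN_VERSION:
        findings.append(
            f"maximum_version is {high.name}, below the policy minimum"
        )

    # 3. Legacy OP_NO_* flags can silently disable every compliant version
    #    even when minimum_version looks correct.
    no_12 = bool(ctx.options & ssl.OP_NO_TLSv1_2)
    no_13 = bool(ctx.options & ssl.OP_NO_TLSv1_3)
    if no_12 and no_13:
        findings.append("OP_NO_TLSv1_2 and OP_NO_TLSv1_3 are both set; "
                        "no policy-compliant version remains enabled")

    return findings


def is_policy_compliant(ctx: ssl.SSLContext) -> bool:
    return not audit_tls_policy(ctx)


def misconfigured_by_options_context() -> ssl.SSLContext:
    """Edge case: correct floor, but options disable TLS 1.2 and 1.3."""
    ctx = hardened_server_context()
    ctx.options |= ssl.OP_NO_TLSv1_2 | ssl.OP_NO_TLSv1_3
    return ctx


if __name__ == "__main__":
    for name, builder in (("hardened", hardened_server_context),
                          ("legacy", legacy_server_context),
                          ("options-misconfigured", misconfigured_by_options_context)):
        result = audit_tls_policy(builder())
        print(f"{name}: {'OK' if not result else result}")
```

The audit only inspects the context object, so it runs offline; in practice the same function would be applied to the context a service actually hands to its listener, which is where a floor silently reset by a library default or an inherited `OP_NO_*` flag would otherwise go unnoticed.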

  • Monitoring

Wix.com Ltd's SOC runs a 24/7/365 monitoring program focused on information gathered from internal network traffic, employee actions on systems and outside knowledge of vulnerabilities. Analysis is performed using a combination of open-source and commercial tools for traffic capture and parsing. Automated network analysis helps determine when an unknown threat may exist and escalates to Wix.com Ltd's security staff; network analysis is supplemented by automated analysis of system logs.

  • Vulnerability Scans

Due to the dynamic nature of Wix.com Ltd's external surface, all Wix.com Ltd cloud and public interfaces are automatically scanned twice a day for vulnerabilities and misconfigurations.

Third-Party Suppliers


Your security, privacy and confidentiality are our top priority. That's why Wix.com Ltd conducts a vetting process that includes an assessment of each third-party vendor's security practices, to validate that they meet our security standards. Once we've assessed the risks, the supplier is required to enter into appropriate security, confidentiality and privacy contract terms. When the vendor is approved, our security team will conduct an annual review if needed, to ensure its continued compliance with our standards.

Fraud Risk Management


Fraud risk management is one of the company's core activities and receives dedicated professional attention as part of our business model.

Activity at both the merchant level and the transaction level is exposed to fraudulent activity of various types, such as online payment fraud and the creation of fake accounts. A transaction that is not authorized by the customer is referred to as fraudulent. A fraudulent transaction can result in a chargeback, which can cause merchants to lose money.

Wix.com Ltd's fraud risk management process spans from the early prevention phase to the operational cost reduction phase, at both the merchant level and the transaction level.

Wix.com Ltd's Security and Privacy Culture - Privacy by Design

Employee Awareness and Training

All Wix.com Ltd employees undergo security training as part of the orientation process. During orientation, new employees agree to our Code of Conduct, which highlights our commitment to keeping customer information safe and secure. Depending on their job role, additional training on specific aspects of security may be required. For instance, the information security team instructs new engineers on topics such as secure coding practices, product design and automated vulnerability testing tools, among others.

The security team communicates with all employees on a regular basis, covering topics such as emerging threats, phishing awareness campaigns, and other industry-related security topics.

Our dedicated security team

Wix.com Ltd employs security and privacy professionals who are experts in information, application and network security. The team is tasked with maintaining the company's defense systems, developing security review processes, building security infrastructure, and implementing the company's security policies.

Our dedicated security team actively scans for security threats, performs penetration tests, conducts quality assurance (QA) measures and software security reviews.

Within Wix.com Ltd, members of the information security team review security plans for networks, systems and services. They provide project-specific consulting services to Wix.com Ltd's product and engineering teams. They monitor for suspicious activity on Wix.com Ltd's networks, address information security threats, perform routine security evaluations and audits, and engage outside experts to conduct security assessments.

If you have any additional questions regarding security at Wix.com Ltd,
please contact us at: security-report@Wix.com

If you’re interested in a custom solution for your brand,
learn more about Wix for Enterprise here.

Wix.com Ltd powers over 200 million users and companies, with our highest priority being your security, privacy and confidentiality.