At Insider, protecting your data is our top priority, especially during integration. Whether you're syncing users via API, embedding Insider’s SDKs, or setting up real-time triggers through webhooks, Insider ensures your data is handled securely, privately, and in full compliance with global data protection regulations. From the first API call to full platform activation, our process is designed to safeguard your systems, customers, and business.
Authentication and Access Control
Every Insider integration begins with authentication best practices in place. API access is secured using unique API keys, which are stored securely and never exposed in the frontend code. All requests are encrypted via HTTPS, and Insider infrastructure validates each request's origin and integrity.
For SDK integrations (web and mobile), Insider ensures secure session initialization through token-based mechanisms and strict domain validation. Only trusted environments can initiate and maintain sessions.
Refer to API Authentication Tokens to learn more about API token generation, usage, and security considerations.
Controlled Access and Session Security
All access to Insider’s panel and developer tools is governed by strict role-based permissions. You can limit which team members can view, edit, or publish specific integrations. Session timeouts and access logging provide additional safeguards.
Refer to Update Identifiers to learn how to update identifiers via the API and manage user identities securely.
Panel IP restriction
IP Restriction enables you to restrict the IP addresses that can access Insider’s InOne panel. You can configure IP addresses to prevent or limit access to specific users or agents. IP restriction is available only for Enterprise Support accounts. Contact the Insider One team to enable this feature for your account.
Refer to Product Security to learn more.
IP Restrictions control which IP addresses can access APIs, providing flexibility and protection.
If you navigate to InOne Settings > Security tab on InOne, you will see the InOne Panel IP Allowlist. This setting only applies to panel access.
If you navigate to InOne Settings > Integration Settings > API Keys table, an API Key–specific IP Allowlist is available. Each API key-specific restriction applies to all Insider APIs, including:
For existing API Keys, IP restriction is not applied by default. A (*) symbol might indicate that all IPs have access. You can enable the restriction manually if you want to. If no restriction is set, all IP addresses remain authorized.
For new API Keys, IP restriction is applied by default. APIs do not accept requests until at least one IP address is added. When creating a new API Key, you must set an IP restriction. If no IP is provided, API requests return a warning indicating that an IP restriction is missing. You must enter at least one IP address, but you can also choose to remove the restriction completely and allow access from all IP addresses.
Subresource Integrity (SRI)
SRI enables you to add an integrity attribute to your Insider tag, a unique script generated for your account. This attribute contains inline metadata that a user agent can use to verify that a fetched resource has been delivered without any unexpected manipulation. The attribute is optional and provides extra security for your account.
Once enabled and integrated, you must create a new version of your Insider tag each time you create a new campaign, make any changes on your panel, or generate your account. This new version must also be updated on your website.
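The following Node.js sketch is an added example, not Insider's code. It shows how an integrity value is computed and why a tag that changes without the attribute being updated on your website fails the browser's check. The tag bodies are constructed stand-ins and the function names are hypothetical.

```javascript
// Added example (not Insider's code): check a deployed integrity attribute in Node.js.
const nodeCrypto = require('node:crypto');

const ALGOS = ['sha256', 'sha384', 'sha512']; // SRI hash functions, weakest first

// Constructed stand-ins for two versions of an account tag script.
const TAG_V1 = 'window.exampleTag = { version: 1 };';
const TAG_V2 = 'window.exampleTag = { version: 2 };';

// Build an integrity value of the form "<algo>-<base64 digest>".
function sriFor(body, algo = 'sha384') {
  return `${algo}-${nodeCrypto.createHash(algo).update(body).digest('base64')}`;
}

// Parse whitespace-separated "<algo>-<digest>[?options]" tokens.
function parseIntegrity(attr) {
  return attr.trim().split(/\s+/).map((token) => {
    const expr = token.split('?')[0];
    const dash = expr.indexOf('-');
    if (dash < 0) return { algo: '', digest: '' };
    return { algo: expr.slice(0, dash).toLowerCase(), digest: expr.slice(dash + 1) };
  }).filter((h) => ALGOS.includes(h.algo)); // unsupported algorithms are ignored
}

// Mirror the user agent's decision: only the strongest listed algorithm counts,
// and the script passes if any digest for that algorithm matches its bytes.
function integrityMatches(body, attr) {
  const hashes = parseIntegrity(attr);
  if (hashes.length === 0) return true; // no usable metadata, nothing is enforced
  const rank = Math.max(...hashes.map((h) => ALGOS.indexOf(h.algo)));
  const strongest = ALGOS[rank];
  const actual = sriFor(body, strongest);
  return hashes.some((h) => h.algo === strongest && `${h.algo}-${h.digest}` === actual);
}

// The attribute on the website was generated for version 1 of the tag.
const deployed = sriFor(TAG_V1);
console.log('v1 served:', integrityMatches(TAG_V1, deployed));
console.log('v2 served, attribute not updated:', integrityMatches(TAG_V2, deployed));
```

Running a check like this before publishing catches a stale attribute, which would otherwise cause the browser to refuse to run the tag.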
Secure Webhook Delivery
When sending data from Insider to your systems via webhooks, payloads are secured through multiple mechanisms:
- Signed payloads for verification
- HTTPS enforcement
- IP whitelisting
These protections help ensure only trusted systems can receive and process Insider webhook data.
Refer to Webhooks to learn more about setting up Insider webhooks.
Data Encryption
Insider encrypts all data in transit using TLS and applies AES-256 encryption at rest for sensitive data. This applies across API interactions, SDK communication, webhook transmissions, and data platform pipelines. Our encryption practices follow current industry standards and are regularly reviewed and updated.
Refer to Ingest Product Information to learn how to send product data to Insider using the Catalog API securely.
DDoS mitigation
Insider uses Cloudflare and trusted DDoS mitigation providers to protect against Distributed Denial of Service (DDoS) attacks. Regular simulations are conducted in collaboration with third-party security experts to ensure that systems remain resilient under high-traffic attack scenarios.
Access Logs
Insider has implemented a comprehensive activity monitoring system for the InOne panel, which maintains logs at all account levels for user account sign-in/sign-out, user creation, user permission settings, password changes, and the creation, deletion, updating, starting, and/or pausing of personalization campaigns.
Contact the Insider One team to request access to your detailed Insider log history, including all content changes related to your personalization campaigns.
Infrastructure-level Protection
Insider follows a defense-in-depth approach to secure its infrastructure at every layer. Our systems are protected by layered firewall rules, intrusion detection and prevention mechanisms, and regular vulnerability scanning. We perform continuous infrastructure monitoring and anomaly detection to identify and proactively mitigate potential threats.
All Insider services and customer data are hosted on Amazon Web Services (AWS), a leading cloud infrastructure provider trusted by the world’s most security-conscious organizations. AWS delivers robust physical security, network segmentation, and compliance with international standards, including ISO 27001, SOC 2, and GDPR.
Our engineering and security teams regularly audit system configurations and apply updates to maintain a strong security posture. Infrastructure changes are managed through Infrastructure as Code (IaC), enabling consistent deployment, versioning, and automated security validation across environments.
This layered, automated, and audited infrastructure ensures that Insider’s platform remains resilient, secure, and scalable in line with customer needs.
Data Segregation
Insider provides each customer with a unique code snippet (JavaScript client), which separates the customer’s data from that of other customers. On the database layer, Insider uses segregated databases for each customer and applies industry-standard security controls to safeguard stored information.
Each customer is provided with a unique JavaScript code snippet (client-side), ensuring that data collected on their properties remains distinct and separate from that of other customers.
Customer data is only used to deliver services to that specific customer and may only be accessed for support purposes. Insider does not share or sell customer data to third parties. Data handling practices are governed by the Service Agreement and Data Protection Agreement (DPA).
Disaster Recovery and Failover
Insider is designed with robust disaster recovery (DR) measures to ensure service continuity. We rely on Amazon Web Services (AWS), a leading cloud service provider, to support a resilient infrastructure. All critical systems and data are distributed across three AWS availability zones to maintain high availability and minimize the risk of service interruption.
To further enhance resilience, Insider has implemented an active-passive disaster recovery solution based on AWS infrastructure. In the event of a significant outage, our systems can be quickly redeployed in a different AWS region using Infrastructure as Code (IaC), simplifying the recovery process and leveraging AWS’s global reach and reliability.
We replicate sensitive data across multiple data centers and maintain strict backup routines daily, weekly, and monthly for general data, and hourly for highly sensitive data.
With headquarters in Singapore and multiple regional offices, Insider ensures localized support and business continuity for all customers in the event of a disaster.