Information Security

Last Update: December 13th, 2022

Data Security

Front End

  1. Passwords must be 8+ characters long, alphanumeric with multiple cases and a symbol; these are encrypted in the database; staff and tools cannot decrypt them
  2. Page data in transit is encrypted using SSL certificates (SHA-256 with RSA encryption)
  3. When pages use queries, these are protected against JavaScript injection using character checks, parameterization, and stored procedures
  4. Data from query strings, form fields, and cookies is run through checking functions before use, to prevent unauthorized access and exploitation
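
As an added illustration of the front-end password handling above (not code from the original page), a Python check of the stated policy beside a salted, one-way hash, so that what sits in the database cannot be turned back into the password; the rule names, the PBKDF2 parameters and the stored record format are assumptions.

```python
import hashlib
import hmac
import os
import re
from typing import List, Optional

# Policy as stated on the page: 8+ characters, letters and digits,
# both upper and lower case, and at least one symbol.
MIN_LENGTH = 8
_RULES = {
    "length":    lambda p: len(p) >= MIN_LENGTH,
    "lowercase": lambda p: re.search(r"[a-z]", p) is not None,
    "uppercase": lambda p: re.search(r"[A-Z]", p) is not None,
    "digit":     lambda p: re.search(r"[0-9]", p) is not None,
    "symbol":    lambda p: re.search(r"[^A-Za-z0-9]", p) is not None,
}
# Assumed storage parameters: PBKDF2-HMAC-SHA256, random 16-byte salt.
ITERATIONS = 600_000

def check_password_policy(password: str) -> List[str]:
    """Return the names of the rules the password fails; [] means accepted."""
    return [name for name, ok in _RULES.items() if not ok(password)]

def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Derive a salted one-way digest; only this is stored, so neither staff
    nor tools can recover the password from the database."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"pbkdf2_sha256${salt.hex()}${digest.hex()}"

def verify_password(password: str, stored: str) -> bool:
    """Re-derive the digest and compare in constant time; malformed records fail."""
    try:
        algo, salt_hex, digest_hex = stored.split("$")
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(digest_hex)
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return hmac.compare_digest(candidate, expected)

def register(password: str) -> str:
    """Enforce the policy at registration, then return the record to store."""
    failures = check_password_policy(password)
    if failures:
        raise ValueError("password policy not met: " + ", ".join(failures))
    return hash_password(password)
```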

Back End

  1. Servers are not directly accessible from outside the network; IP addresses are shared only at the server level, and traffic is routed using host headers
  2. Servers are hosted by Dimension Data, which publishes its own security policies; data center audits include SOC 1, ISO 27001, ISO 27018, and CSA STAR
  3. The database and server are isolated from the outside world, and access is limited to development and IT staff via secure VPN; high-level access is limited to the lead IT and database administrators
  4. No credit card information is stored on our servers; it is instead stored by the selected payment gateway, which has its own security and PCI compliance measures
  5. The portion of the system that passes credit card information to the gateway is isolated from other servers, has limited staff access, and has its own PCI compliance certification
  6. To date, we have not encountered a breach, but the protocol for one would be to identify the breach, check logs for the access point and affected data, lock down the avenue of access, and roll back affected pages and data
  7. The server system is contained within multiple SOC 1, PCI DSS, and ISO certified cloud data centers, using the latest security infrastructure
  8. Server maintenance is run daily, including backups, logs, data cleanup, etc.; server updates and patches are performed monthly as needed
  9. Full system backups are performed daily with additional backups performed every 15 minutes; the latest backup data is stored in a geographically separate location and system from the main server data center with a different vendor; all data is stored within the continental United States
  10. In the case of a system failure, backup data could be used to restore the system within hours at most