Privacy Policy

Your privacy is of the utmost importance to us. This Policy has been developed to provide transparency into our practices regarding the collection, use, communication, disclosure, and handling of your personal information. Below is an outline of our privacy policy.

  • Before or at the time of collecting personal information, we will identify the purposes for which information is being collected.

  • We will collect and use personal information solely to fulfil the purposes specified by us and for other good purposes, unless we obtain the consent of the individual concerned or as required by law.

  • We will retain personal information for as long as necessary to fulfil those purposes.

  • We will collect personal information by lawful and reasonable means and, where appropriate, with the knowledge or consent of the individual concerned.

  • Personal information should be relevant to the purposes for which it is to be used and, to the extent necessary for those purposes, should be accurate, complete, and up to date.

  • We will protect personal information with security safeguards against loss or theft, as well as unauthorised access, disclosure, copying, use or modification.

  • We will promptly provide customers with access to our policies and procedures for the management of personal information.

We are committed to conducting our business in accordance with these principles in order to ensure that the privacy of personal information is protected and maintained.

Security and Compliance Overview

  1. Security Controls

In order to protect the data that is entrusted to us, we utilise layers of administrative, technical, and physical security controls throughout our organisation.

Infrastructure Security

  1. Cloud Hosting Provider

    We do not host any product systems or data within our physical offices. Our product infrastructure is outsourced to leading cloud infrastructure providers such as Google Cloud Platform Services and Amazon Web Services.

    Our product infrastructure resides in the United States. We place reliance on Google’s and AWS’s audited security and compliance programs for the efficiency of their physical, environmental, and infrastructure security controls.


    Google provides a monthly uptime percentage to customers of at least 99.5%. You can find more information about the controls, processes, and compliance measures implemented by Google on their publicly available Compliance Resource Center.


    AWS guarantees between 99.95% and 100% service reliability, ensuring redundancy to all power, network, and HVAC services. The business continuity and disaster recovery plans for the AWS services have been independently validated as part of their SOC 2 Type 2 report and ISO 27001 certification. AWS’s compliance documentation and audit reports are publicly available at the AWS Cloud Compliance Page and the AWS Artifacts Portal.

  2. Network and Perimeter

    The product infrastructure enforces multiple layers of filtering and inspection on all connections across our web application, logical firewalls, and security groups. Network-level access control lists are implemented to prevent unauthorised access to our internal product infrastructure and resources.


    By default, firewalls are configured to deny network connections that are not explicitly authorised. Changes to our network and perimeter systems are controlled by standard change control processes. Firewall rulesets are reviewed periodically to help ensure that only necessary connections are configured.

Application Security

  3. Web Application Defences

    All customer content hosted on the platform is protected by firewall and application security. The monitoring tools actively monitor the application layer and can alert on malicious behaviour based on behaviour type and session rate. The rules used to detect and block malicious traffic are aligned to the best practice guidelines documented by the Open Web Application Security Project (OWASP), specifically the OWASP Top 10 and similar recommendations. Protections from Distributed Denial of Service (DDoS) attacks are also incorporated, helping to ensure customers’ web sites are continuously available.

Customer Data Protection

  4. Data Classification

    Our customers are responsible for ensuring they only capture appropriate information to support their marketing, sales, services, content management, and operations processes. The product should not be used to collect or store sensitive information, such as credit or debit card numbers, financial account information, Social Security numbers, passport numbers, financial or health information except as otherwise permitted.

  5. Tenant Separation

    We provide a multi-tenant SaaS solution where customer data is logically separated using unique IDs to associate data and objects to specific customers. Authorisation rules are incorporated into the design architecture and validated on a continuous basis. Additionally, we log application authentication and associated changes, application availability, and user access and changes.

  6. Encryption

    All data is encrypted in transit with TLS version 1.2 or 1.3 and 2,048-bit keys or better. Transport layer security (TLS) is also a default for customers who host their websites within our platform.

    We leverage several technologies to ensure stored data is encrypted at rest. Platform data is stored using AES-256 encryption. User passwords are hashed following industry best practices, and are encrypted at rest.

  7. Key Management

    Encryption keys for both in-transit and at-rest encryption are securely managed by the platform. TLS private keys for in-transit encryption are managed through our content delivery partner. Volume and field-level encryption keys for at-rest encryption are stored in a hardened Key Management System (KMS). Keys are rotated at varying frequencies, depending upon the sensitivity of the data they govern. In general, TLS certificates are renewed annually. We are unable to use customer-supplied encryption keys at this time.

Compliance

  8. Sensitive Data Processing and Storing

    Please note that, while our customers may pay for services by credit card, we do not store, process, or collect credit card information submitted to us by customers, and we are not PCI-DSS compliant. We leverage PCI-compliant payment card processors to ensure that our payment transactions are handled securely.

Privacy

    We do not sell your personal data to third parties. The protections described in this document and other protections that we have implemented are designed to ensure that your data stays private and unaltered.

  9. Data Retention and Data Deletion

    Customer data is retained for as long as you remain an active customer. Current and former customers can make written requests to have certain data deleted, and we will fulfil those requests as required by privacy rules and regulations. We retain certain data like logs and related metadata in order to address security, compliance, or statutory needs. We do not currently provide customers with the ability to define custom data retention policies.

Simplified Sales © 2022. All Rights Reserved.