This page is an overview of ProudCity's security practices.
All ProudCity websites come standard with free Let's Encrypt SSL/TLS certificates. All website pages are served over HTTPS, as recommended by the HTTPS-Only Standard (OMB M-15-13) issued by the White House in June 2015.
Only designated members of the ProudCity Engineering Team have direct access to the servers and databases. Access to the servers is restricted by IP address and private key files. Code, file and database backups are available upon request. See our service level agreement for more details.
The ProudCity platform runs on WordPress, an open source content management system that powers 26% of the Internet's websites. WordPress has a dedicated security team of 25 people that constantly monitors WordPress core and contributed plugins to keep them secure. Learn more about security and WordPress.
ProudCity applies additional optimization and software hardening based on industry best practices. In addition, we thoroughly review every plugin before it is added to the platform so that all websites remain as secure as possible.
Most site data is stored unencrypted at rest in a MySQL database. User account details are stored with Auth0 (see "Access to site administration" below for details).
Software and operating system updates are released to the platform every two weeks during our Tuesday releases. Fixes for serious vulnerabilities, such as a WordPress core security update or the 2014 Heartbleed OpenSSL vulnerability (CVE-2014-0160), are released immediately as a hotfix.
Backups are taken nightly and retained for one week. Weekly Sunday backups are retained for five weeks. All backups are copied offsite to secure servers on Amazon Web Services (AWS).
In the event of a catastrophic failure in the Google Cloud Platform infrastructure, we will immediately restore your website in another datacenter. For more details, see our SLA.
Monitoring and response time
ProudCity uses a third-party monitoring system to monitor each site on the platform every five minutes.
ProudCity technical support is online daily from 9 a.m. to 6 p.m. U.S. Pacific Time. During office hours, we will respond to an outage within five minutes. During off-hours, weekends and holidays, we will respond within 15 minutes. Typically, we can recover from any outage within minutes, and we guarantee to have the problem fixed within two hours, or we will credit 10% of your monthly fee. For more details, see our SLA.
Access to site administration
All user authentication and user detail storage is handled by Auth0. Auth0 has a dedicated team of engineers whose job is to keep application credentials safe by proactively combating brute force attacks and providing a detailed login history. Auth0 offers two levels of brute force detection and mitigation, as well as breached password detection and notification. For an additional cost, they also provide extra security (two-factor authentication) and integration with existing identity providers, including LDAP and Google Apps. Learn more about account security with Auth0.
Security compliance certifications
PCI DSS compliance: All websites are PCI DSS compliant. All pages are served over HTTPS with Let's Encrypt SSL/TLS certificates. No sensitive payment information (credit card details) is stored in the database. Personally Identifiable Information that may be stored in the database includes administrator names and email addresses, as well as address and contact information collected in forms.
HIPAA compliance: The standard ProudCity platform is not HIPAA compliant; however, special measures can be taken to achieve HIPAA compliance if necessary (additional cost).
FISMA compliance: The standard ProudCity platform is not FISMA compliant; however, special measures can be taken to achieve FISMA compliance if necessary (additional cost).
ProudCity is partnering with GovReady, a startup funded by a grant from the U.S. Department of Homeland Security, to continually monitor every site for security vulnerabilities, including code, administrator access and backup verification. In addition, the GovReady Dashboard, included in every ProudCity website, includes domain renewal information, an IT contact matrix and manual measures that should be verified frequently to ensure a safe website.