Security

2017-05-22T21:13:37+00:00

This page serves as an overview of the ProudCity security protocol.

HTTPS Everywhere

All ProudCity websites come standard with free Let's Encrypt SSL certificates. All website pages are served over HTTPS connections as recommended by the HTTPS-Only Standard directive issued by the White House in June 2015.

Servers

ProudCity platform sites are hosted on the Google Cloud Platform in a Kubernetes cluster consisting of individual Ubuntu Linux Docker images for each site.

Only designated members of the ProudCity Engineering Team have direct access to the servers and databases. Access to the servers is restricted by IP address and private key files. Code, file and database backups are available upon request. See our service level agreement for more details.

Software

The ProudCity platform runs on WordPress, an open source content management system that powers 26% of the Internet’s websites. WordPress has a dedicated security team of 25 people that is constantly monitoring WordPress core and contributed plugins to ensure their security. Learn more about security and WordPress.

ProudCity employs additional optimization and software hardening based on industry best practices. In addition, we thoroughly examine every plugin that is added to the platform to ensure that all websites remain as secure as possible.

Data storage

Most data is stored unencrypted in a MySQL database. User account details are stored with Auth0 (see “Access to site administration” below for details).

Updates

Updates to both the software and operating system are released to the platform every two weeks during our Tuesday releases. Fixes for serious vulnerabilities, such as a WordPress core security update or the recent Heartbleed SSL vulnerability, are released immediately as a hotfix.

Backups

Backups are taken nightly and are stored for one week. Weekly Sunday backups are stored for five weeks. All backups are copied offsite to secure servers at Amazon AWS.

In the event of a catastrophic failure in the Google Cloud Platform infrastructure, we will immediately restore your website in another datacenter. For more details, see our SLA.

Monitoring and response time

ProudCity uses a third-party monitoring system to monitor each site on the platform every five minutes.

ProudCity technical support is online daily from 9 a.m. to 6 p.m. U.S. Pacific Time. During office hours, we will respond to an outage within five minutes. During off-hours, weekends and holidays, we will respond within 15 minutes. Typically, we can recover from any outage within minutes, and we guarantee to have the problem fixed within two hours, or we will credit 10% of your monthly fee. For more details, see our SLA.

Access to site administration

All user authentication and user detail storage is handled by Auth0. Auth0 has a dedicated team of engineers whose job it is to keep application credentials safe by proactively combating brute force attacks and providing a detailed login history. Auth0 offers two levels of brute force detection and mitigation, as well as breached password detection and notification. They also provide extra security (2-factor authentication), and integration with existing authenticators including LDAP and Google Apps for an additional cost. Learn more about account security with Auth0.

Security compliance certifications

PCI compliance: All websites are PCI compliant. All pages are served over HTTPS with Let’s Encrypt SSL certificates. No sensitive information (credit card details) is stored in the database. Personally Identifiable Information that may be stored in the database includes administrator names and emails, as well as address and contact information collected in forms.

HIPAA compliance: The standard ProudCity is not HIPAA compliant; however, special measures can be taken to achieve HIPAA compliance if necessary (additional cost).

FISMA compliance: The standard ProudCity is not FISMA compliant; however, special measures can be taken to achieve FISMA compliance if necessary (additional cost).

GovReady partnership

ProudCity is partnering with GovReady, a startup funded by a grant from the U.S. Department of Homeland Security, to continually monitor every site for security vulnerabilities, including code, administrator access and backup verification. In addition, the GovReady Dashboard, included in every ProudCity website, includes domain renewal information, an IT contact matrix and manual measures that should be verified frequently to ensure a safe website.

For additional details, see our service level agreement and privacy policy.