Last updated: January 05, 2023 - Security

We are committed to providing a highly available, secure, and reliable environment for you to publish your content. Please read this page to understand how we ensure security by design.

Wordpond's security program focuses on preventing unauthorized access to our systems and data. We have implemented several security controls, evolving with industry best practices and aligned with AICPA Trust Service Principles.

Wordpond is continuously working to improve our security posture. We partner with reliable third-party security vendors to ensure we are current with the latest security standards and best practices. All internal and external security audit findings are shared with executive management and addressed promptly.

Wordpond engages an independent third party to perform an annual network and application penetration test. The test results are shared with executive management and addressed promptly. Identified vulnerabilities are tracked to closure, and remediation is verified.

1. Access Control

When provisioning access to our systems, we follow the principles of least privilege and role-based access control: employees are granted access only to the systems and data needed to perform their duties. User access, including access to our production systems, is reviewed semi-annually to confirm that it is still required and still appropriate.

Employee access is reviewed and revoked when an employee leaves the company. In the event of involuntary termination, access is revoked immediately.

2. Cloud Hosting

Wordpond primarily uses Amazon Web Services (AWS) and Google Cloud (GC) to host our production and deployment platform. Our network is resilient to regional downtime: in the event of an AWS or GC regional outage, the platform automatically routes traffic to the nearest available edge. Data is stored and globally replicated in Azure CosmosDB, a data platform separate from our edge network; this separation is an additional measure to ensure uptime for applications on our platform.

Backups occur every hour and persist for one month.

3. Data Retention

We retain your data for as long as you have an active account with us and for a reasonable time afterward. We may retain specific data necessary to comply with our legal obligations, resolve disputes, and enforce our agreements. Customer data is removed from our systems within 30 days of account closure. Our hosting provider, Amazon Web Services, ensures proper data sanitization on their servers.

4. Encryption

We encrypt all data at rest and in transit using industry-standard algorithms. All traffic to and from our platform uses HTTPS; data in transit, including database connections, is encrypted with TLS 1.2, and data at rest is encrypted with AES-256. Encryption keys are stored in a secure location and are not accessible to anyone outside of the security team. All key usage is logged and monitored so that any misuse of a key is detected.

5. Endpoints

Employees are provided with company-issued workstations. These workstations are configured to meet our security standards. These standards include disk encryption, antivirus, and idle session lock. All workstations are monitored for security vulnerabilities and are patched regularly.

6. Incident Response

Incidents are reported to the security team, which triages each incident and determines the appropriate response. The security team notifies the relevant stakeholders and works with them to determine the root cause and implement a plan to prevent recurrence.

7. Logging

System activity on all production systems is collected by centralized logging, where it is monitored and analyzed. Logs are retained for 90 days and are reviewed regularly to detect anomalous activity. In the event of an incident, logs are reviewed to determine its root cause.

8. Network and DDoS

We use a WAF and CDN to protect against common web attacks, such as DDoS, and to improve performance. Our CDN is configured to block malicious traffic, and our WAF is configured to block common web vulnerabilities. Enterprise customers are covered by two forms of DDoS protection. Our systems automatically detect and block malicious attacks on customer sites. For significantly larger, distributed attacks, we work closely with the customer to keep their site(s) online. The combination of automated prevention and direct communication from our Customer Success Managers helps ensure your site is resilient to attacks.

9. Personnel

Security is the responsibility of all employees, contractors, and temporary workers. All employees must have completed background checks before being granted access to our systems. All employees are required to sign confidentiality agreements.

All employees are required to complete security training, to follow our security policies and procedures, and to report any security incidents to the security team. In addition, all employees must review and sign our employee handbook and code of conduct. Violations of our security policies and procedures are subject to disciplinary action, up to and including termination.

10. Secure development

We follow an Agile methodology to develop our platform. On top of this methodology, security requirements must be met before a feature can be released to production. These requirements include:
  • A peer must review all code before it is merged into the main branch.
  • All code is managed in a version control system. Branch protection is enabled. Access to source code is restricted to only those who need it and is protected by two-factor authentication.

Non-standard code changes go through a formal change management process. The agile nature of our development process allows us to respond quickly to security vulnerabilities and deploy fixes to production within hours.

11. Third Parties

We partner with third parties to provide certain services, including but not limited to payment processing, customer support, and marketing and analytics. We reassess our relationships with third parties regularly to ensure their security practices align with ours.

12. Vulnerability management

Vulnerability scans are performed regularly. Identified vulnerabilities are prioritized and addressed promptly. We use a combination of automated and manual testing to ensure that our platform is secure.

Contact Us

If you have any questions about this Security Policy, you can contact us:

By visiting this page on our website: https://www.wordpond.com/contact

By writing to our offices: SECURITY OFFICE, Code Atelier, 275 E. Hillcrest Drive, Thousand Oaks, CA 91360, USA
