
Security

Introduction

We believe that everyone has the right to the privacy and security of their data and we take these rights very seriously. We have invested a great deal of time, effort and resources into ensuring that only authorized users can use our platform, that your information is secure and that your data is used only in proper ways. We achieve our goal of providing outstanding security and privacy controls via the following methods:


  • Organizational security; 
  • Data center security; 
  • Network security; 
  • DDoS protection; and 
  • Site security.


While we have already implemented state-of-the-art measures to ensure privacy and security, we will continuously update and improve those measures to keep up to date with the constantly evolving threat and regulatory landscapes. 

We hope that you join us in our quest to be a security and privacy focused hosting solutions provider by familiarizing yourself with our policies and controls, by not sharing your account information with anyone and alerting us if you notice anything suspicious.

Organizational Security

A study performed by the Ponemon Institute and IBM found that in 2018 roughly one quarter of all data breaches were caused by human error. We believe it is up to companies to reduce this rate of human error by hiring carefully, providing adequate training on privacy and security obligations, and providing the right support whenever questions arise.

Prior to hiring, all employees are subject to a background screening to ensure the safety and privacy of your data.

Background checks can look at a potential employee’s:

  • Criminal history, including misdemeanors and felonies
  • Social security number—validating this number can reveal any aliases and identify previous addresses the applicant has lived at
  • Employment history, so you can be sure their resume is truthful. (Some states do limit the amount of information former employers can share.)
  • Sex offender status
  • Credit report—this can uncover any bankruptcies or severe debt that may impact accounting abilities 
  • Military service records
  • Licenses, which can be important if you’re hiring for a job that requires licensing

Data Center Security

A data center is a facility that houses our computer systems and equipment. Data centers are key to the security and privacy of data, and thus we have chosen, and proudly utilize, some of the best infrastructure resources in the world. We chose Amazon Web Services (AWS) as our data center provider because it features the following controls:

  • Prior to choosing a location, AWS performs environmental and geographical assessments to mitigate the risks of natural disasters; 
  • AWS data centers are designed to anticipate and tolerate failure while maintaining service levels; 
  • AWS backs up critical system components across multiple isolated locations. These locations are engineered to operate independently with high availability; 
  • AWS continuously monitors service usage and updates their systems to meet demand; 
  • AWS only allows access to data centers to staff and third parties who need such access and have a valid business justification for such access; 
  • AWS installs CCTV cameras and electronic intrusion detection systems, which are monitored 24/7 to detect and prevent unauthorized access; 
  • AWS data center electrical power systems are designed to be fully redundant and maintainable without impact to operations, 24 hours a day; 
  • AWS data centers are equipped with state-of-the-art fire detection and suppression mechanisms; 
  • AWS performs regular threat and vulnerability reviews of the data centers and mitigates any potential vulnerabilities found; and 
  • AWS data centers are tested by third-party experts to ensure an impartial confirmation that controls have been implemented.

You can find more details on the security measures implemented by AWS here: https://aws.amazon.com/compliance/data-center/controls/

We have also chosen Google Compute Cloud as our provider because it features the following controls:

  • Google develops and deploys infrastructure software using rigorous security practices. Their operations teams detect and respond to threats to the infrastructure 24/7; 
  • Communications over the Internet to Google’s public cloud services are encrypted in transit; and 
  • Identities, users, and services are strongly authenticated with multiple factors.

You can find more details on the security measures implemented by Google Compute Cloud here: https://cloud.google.com/security/infrastructure/.

Network Security

Network security consists of the policies and practices that are used to prevent and monitor unauthorized access, misuse, modification, or denial of a computer network and network-accessible resources.

In order to ensure security from the demarcation point of our network inwards, we expose only the bare minimum of services to the outside world, including but not limited to ports 80 and 443 on the load balancers. To understand how we ensure network security from our network outwards, please reference the following information from our network providers:

https://aws.amazon.com/security/

https://cloud.google.com/security/infrastructure/design/

DDoS Protection

A Distributed Denial of Service (DDoS) attack is the intentional paralyzing of a computer network by flooding it with data sent simultaneously from many individual computers. We rely on our infrastructure providers’ network mitigation solutions as described here:

https://cloud.google.com/files/GCPDDoSprotection-04122016.pdf

https://aws.amazon.com/shield/

Site Security and Privacy

Advanced Site Security Settings

Each site on Convesio comes with many out-of-the-box security settings preconfigured inside the webserver and the larger infrastructure to help thwart intrusions and alert us to any abnormalities. In addition, each site has the following headers and features enabled:

  • X-Frame-Options
    • The X-Frame-Options HTTP response header can be used to indicate whether or not a browser should be allowed to render a page in a <frame>, <iframe>, <embed> or <object>. Sites can use this to avoid clickjacking attacks, by ensuring that their content is not embedded into other sites.


  • X-XSS-Protection
    • The HTTP X-XSS-Protection response header is a feature of Internet Explorer, Chrome and Safari that stops pages from loading when they detect reflected cross-site scripting (XSS) attacks. Although these protections are largely unnecessary in modern browsers when sites implement a strong Content-Security-Policy that disables the use of inline JavaScript (‘unsafe-inline’), they can still provide protection for users of older web browsers that don’t yet support CSP.


  • X-Content-Type-Options
    • The X-Content-Type-Options header is used to protect against MIME sniffing vulnerabilities. These vulnerabilities can occur when a website allows users to upload content but a user disguises a file of one type as another, and the browser then interprets the file as the disguised type. This can give the user the opportunity to perform cross-site scripting and compromise the website.


  • Referrer-Policy
    • The Referrer-Policy HTTP header governs which referrer information, sent in the Referer header, should be included with requests made.


  • Content-Security-Policy
    • Content Security Policy (CSP) is an added layer of security that helps to detect and mitigate certain types of attacks, including Cross Site Scripting (XSS) and data injection attacks. These attacks are used for everything from data theft to site defacement to distribution of malware.


  • Strict-Transport-Security
    • The HTTP Strict-Transport-Security response header (often abbreviated as HSTS) lets a website tell browsers that it should only be accessed using HTTPS, instead of HTTP. If a website accepts a connection over HTTP and redirects to HTTPS, visitors may initially communicate with the non-encrypted version of the site before being redirected, if, for example, the visitor types http://www.foo.com/ or even just foo.com. This creates an opportunity for a man-in-the-middle attack. The redirect could be exploited to direct visitors to a malicious site instead of the secure version of the original site. The HTTP Strict Transport Security header informs the browser that it should never load a site using HTTP and should automatically convert all attempts to access the site using HTTP to HTTPS requests instead.


  • Bot Detection Powered by Ellipsis Human Presence (Beta Feature)
    • Human Presence™ actively runs in the background of your website hidden from site visitors. This “ActiveForce” environment uses our proprietary behavior analysis to invisibly detect and record individual session behaviors. Our algorithm uses this information to construct smart profiles–a sort of digital fingerprint–to actively gauge future site interactions and protect against unwanted and/or harmful traffic.
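The headers listed above are only useful if they actually arrive with the right values. The following is an added example (not Convesio's code) of a small audit routine a site owner could run against the response headers their site returns; the two header sets it checks are constructed sample input, one deliberately weak and one hardened, and the one-year HSTS minimum it enforces is an assumed threshold, not a value stated on this page.

```python
"""Audit HTTP response headers against the hardening headers described above.

Added example, not Convesio's code. The header sets below are constructed for
illustration and were not captured from any real site.
"""
import re
from typing import Dict, List

# Assumed threshold: one year is a widely used minimum for HSTS max-age.
ONE_YEAR_SECONDS = 31536000


def _parse_csp(value: str) -> Dict[str, List[str]]:
    """Split a CSP string into {directive-name: [source tokens]}."""
    directives: Dict[str, List[str]] = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def _hsts_max_age(value: str) -> int:
    """Return the max-age from an HSTS header value, or -1 if absent."""
    match = re.search(r"max-age\s*=\s*(\d+)", value, re.IGNORECASE)
    return int(match.group(1)) if match else -1


def audit_headers(headers: Dict[str, str]) -> List[str]:
    """Return 'Header: reason' findings; an empty list means all checks passed."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    findings: List[str] = []

    # Clickjacking: the page must only be framed by itself, or not at all.
    if h.get("x-frame-options", "").upper() not in ("DENY", "SAMEORIGIN"):
        findings.append("X-Frame-Options: missing or not DENY/SAMEORIGIN (clickjacking)")

    # MIME sniffing: browsers must honour the declared Content-Type.
    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options: should be 'nosniff' (MIME sniffing)")

    # Legacy reflected-XSS filter for browsers without CSP support.
    if not h.get("x-xss-protection", "").startswith("1"):
        findings.append("X-XSS-Protection: absent or disabled (legacy browsers)")

    # Referrer leakage: these policies send the full URL to other origins.
    if h.get("referrer-policy", "").lower() in ("", "unsafe-url", "no-referrer-when-downgrade"):
        findings.append("Referrer-Policy: missing or leaks full URLs cross-origin")

    # CSP: script sources must be defined and must not allow inline script.
    csp = _parse_csp(h.get("content-security-policy", ""))
    script_sources = csp.get("script-src", csp.get("default-src"))
    if script_sources is None or "'unsafe-inline'" in script_sources:
        findings.append("Content-Security-Policy: script-src missing or allows 'unsafe-inline'")

    # HSTS: present, with a max-age long enough to survive between visits.
    if _hsts_max_age(h.get("strict-transport-security", "")) < ONE_YEAR_SECONDS:
        findings.append("Strict-Transport-Security: missing or max-age below one year")

    return findings


# Constructed sample: a response with weak or absent hardening headers.
WEAK_HEADERS = {
    "Server": "nginx",
    "X-Frame-Options": "ALLOW-FROM https://example.invalid",
    "Referrer-Policy": "unsafe-url",
    "Content-Security-Policy": "default-src 'self'; script-src 'self' 'unsafe-inline'",
    "Strict-Transport-Security": "max-age=300",
}

# Constructed sample: the same response after hardening.
HARDENED_HEADERS = {
    "X-Frame-Options": "SAMEORIGIN",
    "X-XSS-Protection": "1; mode=block",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Content-Security-Policy": "default-src 'self'; script-src 'self'; object-src 'none'",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
}

if __name__ == "__main__":
    for label, hdrs in (("weak", WEAK_HEADERS), ("hardened", HARDENED_HEADERS)):
        print(f"{label}: {audit_headers(hdrs) or 'all checks passed'}")
```

The routine is deliberately strict: a present-but-permissive value (an `ALLOW-FROM` frame option, a 300-second HSTS lifetime, a CSP that permits inline script) is reported the same way as a missing header, because from the browser's point of view those values give little or no protection. Header names are compared case-insensitively, as HTTP requires.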

Site Isolation and Container Security

Unlike traditional hosting, each site on Convesio is encapsulated in its own container-based micro-architecture. The container communicates only over a private subnet to reach the filesystem, database, and any other services it requires to operate; it is never exposed directly to the internet, only through the load balancer. This configuration ensures that your site and its data remain secure and private.

Encrypted Connections

Sites running on Convesio can easily add an SSL certificate free of charge, provided by Let’s Encrypt, a leading certificate authority. Furthermore, we use SFTP to access your site’s filesystem on our platform, never connecting directly to your Docker container.

Malware Scanning

We have developed and utilize a proprietary malware scanning stack based on open source YARA rules and other leading security technologies.

Backups

As part of our platform, we offer a backup system built directly into the control panel. You have the option to set the specific parameters of how and when you’d like your site to be backed up. As a best practice, you may also run a backup plugin alongside our backup system; the two will not interfere with each other. However, we recommend uploading your backups to a third-party storage service (Amazon S3, Google Cloud, Dropbox) rather than storing them directly inside WordPress on our platform, as that consumes your account’s disk space.

Account Security

We have an optional 2FA (Two-Factor Authentication) setting which can be configured on request. All account login requests are logged, and any suspicious login activity is sent to security staff for analysis. If you believe your account has been compromised, please reach out to our support team via live chat or support ticket so we may take action on your behalf.

We strive to be as transparent as possible with our security procedures. However, we do have some proprietary systems that we simply cannot expose to the general public. If you have questions or concerns, please do not hesitate to reach out to our team at info@convesio.com.

Privacy of Your Information

We comply with the E.U. – U.S. Privacy Shield Framework and the Swiss – U.S. Privacy Shield Framework, established by the U.S. Department of Commerce. These Frameworks govern the collection, use, and retention of personal information transferred from the E.U. and Switzerland to the United States. We take the privacy of your data seriously and thus follow and comply with these Frameworks.