Security Overview

We are committed to your privacy

Data Center Security

All main WebsiteAlive services are hosted by and located within Amazon Web Services (AWS), a leading cloud computing provider.

AWS is certified under the following standards:

SOC 1/SSAE 16/ISAE 3402 (formerly SAS 70 Type II), SOC 2, FISMA, DIACAP, and FedRAMP, PCI DSS Level 1, ISO 27001, ITAR, FIPS 140-2.

  • Only approved tech personnel have the clearance to connect to the network through a bastion host that restricts access to network devices and other cloud components, logging all activity for security review.
  • Both WebsiteAlive and AWS incident management teams follow industry-standard diagnostic procedures and provide 24x7x365 coverage to detect incidents and to manage the impact and resolution.
  • All network devices, including firewalls, are under monitoring, and control connections at the external boundary of the network and at key internal boundaries within the network.
  • Proprietary DDoS mitigation techniques are used. Additionally, AWS’s networks are multi-homed across a number of providers to achieve Internet access diversity.
  • WebsiteAlive manages services via the Amazon web console using personal login information with restricted access.
  • There is a strict process of decommissioning storage devices in place. This process is to prevent customer data from being exposed to unauthorized individuals. It is based on DoD 5220.22-M “National Industrial Security Program Operating Manual” and NIST 800-88 “Guidelines for Media Sanitization”.

Server and Network Security

  • All AWS services are deployed behind a network firewall that routes all deployment into isolated private networks.
  • Servers have access to the Internet only via Network Address Translation (NAT).
  • IDS/IPS is handled by various vendors across network instances.
  • WAF is applied to log and filter malicious requests.
  • Remote access to the servers is granted only via Virtual Private Network (VPN) with personal (not shared) login information.
  • User authentication and authorization are handled by various identity management technologies.
  • Operating System software security updates are installed on a weekly basis. The most critical updates are installed within one business day.
  • All servers' resources are monitored by two separate monitoring systems.
  • Remote access to the servers is logged continually.
  • The WebsiteAlive IT team is in place 24/7 to handle issues and receives urgent requests via notifications to staff.
  • Data backups are performed daily with a minimum 2-week retention.

Software Security

  • All sensitive information in WebsiteAlive is accessible only via the HTTPS protocol (industry-standard 128-bit encryption provided by DigiCert High Assurance CA-3).
  • All web services are located behind an application firewall.
  • A commercial external service runs both network and application-level scans of web services for security vulnerabilities on a daily basis.
  • Enterprise level antivirus with central management has been installed on all WebsiteAlive servers.
  • A central logging system is used to store real-time software errors for review.
  • Sensitive web content is encrypted with industry-standard algorithms across web, database, and cache instances. Passwords are encrypted and hashed.
  • Penetration tests are performed on an as-needed or annual basis.