Cloud-based software is all about providing uninterrupted, reliable service, making information security a major focus for first-rate cloud vendors. Skilled resources, network redundancies, religious data back-ups, stand-by power, up-to-date security, and intrusion detection are mandatory components for an enterprise-class service.
We provide our service through a secure connection using HTTPS, which is a combination of the Hypertext Transfer Protocol with the SSL/TLS protocol to provide high encryption and secure identification of the server. WhosOnLocation.com is EV SSL Certified, independently by COMODO in the UK.
Our high levels of performance, availability, and security are achieved through:
- Systems security monitoring 24x7x365
- Active performance and availability monitoring of all data centers 24x7x365
- Restricted role-based application security with flexible single sign-on, data encryption, on-going vulnerability scanning, and encrypted offsite backups
- Security features: password complexity / administrator-based single sign-out / roles and permissions / access restrictions
- User authentication and access control
- A secure, multi-tenant network architecture
- Frequent, human-driven security auditing via network and application penetration testing
- Automated vulnerability analysis via external platform and application vulnerability scans
- Static analysis
- Regular updates rolled out to all customers, ensuring everyone has the latest application and security innovations
- Employee programs to increase awareness, communication, collaboration, and education on security
WhosOnLocation continually performs risk analysis to achieve the highest level of security. Security concepts and techniques have been integral to our solution’s design right from the beginning and we continue to invest heavily in security improvements for our product, our process, our people, and our technology.
WhosOnLocation performs full security audits of our product and infrastructure regularly, including quarterly third-party audits. Our risk assessment process aligns with the OWASP standard.
Our servers are located in dedicated spaces at top-tier data centres and are protected behind a dedicated firewall. WhosOnLocation servers are hosted at Tier 3, SSAE-16, or ISO 27001 compliant facilities.
Facilities feature 24-hour manned security, biometric access control, video surveillance, and physical locks. The co-location facilities are powered by redundant supplies, each with UPS and backup generators. All systems, networked devices, and circuits are constantly monitored by both WhosOnLocation and the co-location providers. Only a small group of our employees have physical access to the servers.
Our network is protected by firewalls, best-of-class router technology, EV SSL encryption, file integrity monitoring, and monitoring across a wide range of performance and systems availability. Network security scanning gives us deep insight for quick identification of out-of-compliance systems.
All communications with WhosOnLocation servers are encrypted by default using industry-standard EV SSL. This ensures that all traffic between you and WhosOnLocation is secure during transit. Unlike email-based communication, most of which flows unprotected over the Internet, your communication with WhosOnLocation is completely protected.
All access to data within WhosOnLocation is governed by access rights. Every user who attempts to access your WhosOnLocation account is authenticated by username and password. The administrator of your WhosOnLocation instance may define granular access privileges to individual users, and email notifications alert administrators when someone is granted admin access.
Our security architecture ensures that each request to WhosOnLocation is accompanied by user identity credentials to ensure segregation of customer data.
WhosOnLocation maintains a robust application audit log, to include security events such as user logins or configuration changes. Additionally, WhosOnLocation follows secure credential storage best practices by storing passwords using the bcrypt (salted) hash function.
The file systems are snapshotted every five minutes and the snapshots are replicated to all primary DR sites. The snapshots provide a quick delta for changed files to be able to keep up with the live data stream. Databases are replicated from the master to a slave database at each primary and DR site.
Along with the regular file system snapshots, a full daily backup is taken of all systems and stored as a full point-in-time record. The daily backups are aged out over 60 days.
The weekly backups are taken on a Sunday and are stored in perpetuity. At the point when the daily backups are aged out, we have stored eight weekly backups over the period; this provides a large overlapping window between short and medium interval views of the system data.
WhosOnLocation and its supporting data security infrastructure are frequently reviewed for potentially harmful vulnerabilities.
WhosOnLocation.com tests all code for security vulnerabilities before release, and regularly scans our network and systems for vulnerabilities. Third-party assessments are also conducted regularly:
- Application vulnerability threat assessments
- Network vulnerability threat assessments
- Selected penetration testing and code review
- Security control framework review and testing
Third-party penetration tests and vulnerability scans are routinely run by both our customers and ourselves. We utilize the expert services of Security Assessments.com.
We do not share or disclose the results of vulnerability and penetration tests, whether they are run by customers or ourselves; however, we do ask that the resulting report from any customer-driven vulnerability and penetration test is shared with WhosOnLocation so that we can review and address any identified vulnerabilities.
We are more than happy to share, in confidence, a copy of the scope of the 3rd-party audits we run via Security Assessments.com.
How do I request permission to run my own Vulnerability Test?
If you would like to run your own 3rd-Party Vulnerability Test against WhosOnLocation, please send an email to firstname.lastname@example.org. Please note that customer-driven and requested vulnerability tests are at the customer's cost.
WhosOnLocation Employees and Agents
Contact for Questions about our Security Statement:
If you have any questions about the Security Statement, the practices of this Web site Service, or your dealings with us, you may contact us by sending an email to email@example.com or by writing to:
Attn: Security Statement
WhosOnLocation Customer Services
P.O. Box 15 145
Wellington, New Zealand 6243