2. Privacy & Security
2.1 General Security Information
The security and reliability of our service is our number one priority.
In addition to the general WordPress security features, we have staff who perform daily checks of industry security blogs, websites and newsletters to keep on top of any potential vulnerabilities that pertain to the systems we use or employ.
We use ClamAV for all servers and Trend Micro and Norton for our desktops, with regular updates as needed. We use WPScan for WordPress code and database monitoring.
Any WordPress core, plugin, or theme security patches will be applied within 24 hours of release.
See wordpress.org/about/security for details on the security of the WordPress core.
2.2 Employee Policies
Every WPMU DEV employee goes through background checks and an onboarding process that includes a trial period where access to customer servers and data is provided only when working directly under the supervision of another staff member.
WPMU DEV staff only have access to systems that are directly required to complete the functions of their job. We use dual-factor authentication for all critical systems and communications services, and automatically log all staff activity using an internal logging tool and Amazon CloudTrail.
All WPMU DEV staff (including contractors) undergo initial training to ensure proper understanding of all security-related processes. Staff regularly attend industry conferences and otherwise stay informed of best practices and relevant trends. Staff agree, in writing, to all policies and procedures annually.
2.3 Security Breaches Notifications
Should any security-related event occur, our policy is to alert our customers via email no later than 24 hours after our team becomes aware of the event. We will work closely with any affected customers to determine next steps such as end-user notifications, needed patches, and how to avoid any similar event in the future.
2.4 Personally Identifiable Information (PII)
We only require a username and email address to log in and use WordPress. Customers may choose to use single sign-on services, further limiting WPMU DEV’s access to information.
We do not collect, store, require, or transmit PII data related to health or financial institutions.
Only WPMU DEV staff have access to customer data. Our hosting partners do not have logical access to WordPress networks, the database, or user data that we host.
Should a customer request it, we will completely destroy and delete all data and content from a given user.
The full end-user privacy agreement is found at incsub.com/privacy-policy.
In general, we don’t sell, share, or publish any user data. We only collect and store data for the purposes of providing the WordPress hosting service.
2.6 Exports & Database Dumps
Should a customer leave us, or should a local archive of user data be required, we can provide a complete export and database dump of a network. We will completely purge all customer data within three months of canceling service.