Security threats are a fact of life in today's digital world. Since the release of WildApricot in 2006 we have been continuously reviewing and improving our security processes.
Information security at WildApricot is the responsibility of a dedicated group of specialists: the Security Team.
The Security Team has extensive experience in finding vulnerabilities, which lets us address weaknesses before they can be exploited. By combining offensive and defensive security measures, we take an integrated approach to WildApricot security at every level.
Offensive security processes include:
Defensive security processes include:
Before we release new features and functions, the Security Team reviews their security using the OWASP Top 10 and the OWASP Testing Guide v3 methodologies. If security flaws are found, the Security Team can hold back the release until developers have fixed them.
In addition, the Security Team conducts penetration tests: an evaluation method in which real-world attacks are simulated in order to better understand the system, discover vulnerabilities, and improve security. WildApricot follows the testing process described in NIST Special Publication 800-115, Technical Guide to Information Security Testing and Assessment.
We are also developing in-house Security Operations Center tooling that automatically detects attacks and correlates security events from different sources (Windows, Linux, network, social).
External and internal penetration tests are performed on a regular schedule. The external test assesses every route into the scope from public networks, including services whose access is restricted to specific external IP addresses. Both internal and external testing include application-layer and network-layer assessments. External tests also cover remote access vectors such as dial-up and VPN connections. On completion, the tester produces a report that identifies system, network, and organizational vulnerabilities along with recommended mitigations.
The Security Team tracks every vulnerability that needs to be fixed. Once a fix is in place, the team re-tests it; after a successful re-test, the Security Team approves the feature or function for release.
We comply with the requirements of the GDPR. The General Data Protection Regulation (GDPR) came into effect on May 25th, 2018. The regulation is designed not only to protect the personal data of individuals in the EU, but also to increase the accountability of the organizations that process it. Any organization or service that collects, stores, or processes personal data of individuals in the EU is affected. Many GDPR requirements do not relate directly to information security, but to comply with the regulation, companies should review their existing security processes.
For more information about GDPR compliance, visit https://www.wildapricot.com/dpa.
PCI DSS is the Payment Card Industry Data Security Standard (for more detailed information visit https://www.pcisecuritystandards.org/document_library). Its requirements are designed to protect cardholder data during payment transactions. WildApricot complies with PCI DSS requirements. We do not store clients' payment card data; it is passed directly to accredited payment gateways, whose PCI compliance we monitor.
Servers involved in payment transactions (the servers from which payment data is sent) undergo an annual PCI DSS compliance assessment. WA successfully completed the assessment for 2018, and we are currently preparing for the 2019 assessment. For more information, please visit https://www.wildapricot.com/security-policy-overview.
You decide who is granted administrative rights and what level of access each administrator gets. Do not assign administrator roles without a real need; limit access as much as possible to keep your account secure. For more information on access rights and administrator roles, see https://gethelp.wildapricot.com/en/articles/50.
We care about the security of WildApricot's mobile applications: the app for admins and the app for members. The mobile applications interact with the API only over HTTPS. All access checks are performed on the server side, so a user cannot grant themselves permissions from the client. For detailed information about API access parameters, see https://gethelp.wildapricot.com/en/articles/484-api-access-options.
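The following is an added example, not WildApricot's code, illustrating the principle stated above: the client sends only a bearer token, and the server decides what the caller may do from its own session state, ignoring any role the client claims for itself. The session store, role table, request model, and function names (`SESSIONS`, `ROLE_PERMISSIONS`, `Request`, `handle_request`) are hypothetical and constructed for the example; the flawed `insecure_authorize` is shown beside the server-side check to make the difference concrete.

```python
"""Server-side authorization check (added example, not WildApricot's code).

The mobile app presents a bearer token over HTTPS. Everything about the
caller (account, role, permissions) is looked up on the server; a role
or permission the client puts in the request body is never trusted.
All names below are hypothetical and the data is constructed.
"""
from dataclasses import dataclass, field
from typing import Optional

# Constructed server-side session store: token -> account and role.
# In a real service this would be a database or session cache.
SESSIONS = {
    "tok-admin-7f3a": {"account_id": 1, "role": "account_admin"},
    "tok-member-91c2": {"account_id": 2, "role": "member"},
}

# Server-side policy: which actions each role may perform.
ROLE_PERMISSIONS = {
    "account_admin": {"view_profile", "edit_profile", "view_members", "edit_members"},
    "member": {"view_profile", "edit_profile"},
}


@dataclass
class Request:
    """Minimal model of an API request from the mobile app."""
    headers: dict
    action: str
    body: dict = field(default_factory=dict)


def insecure_authorize(req: Request) -> bool:
    """Flawed check: trusts a role claimed by the client in the request body.

    A member who sends {"role": "account_admin"} is granted admin actions.
    Kept here only to contrast with the server-side check below.
    """
    claimed_role = req.body.get("role", "member")
    return req.action in ROLE_PERMISSIONS.get(claimed_role, set())


def resolve_session(req: Request) -> Optional[dict]:
    """Map the bearer token to a server-side session, or None if absent/unknown."""
    auth = req.headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return None
    return SESSIONS.get(auth[len("Bearer "):])


def authorize(session: dict, action: str) -> bool:
    """Decide purely from server-side state; the request body plays no part."""
    return action in ROLE_PERMISSIONS.get(session["role"], set())


def handle_request(req: Request) -> int:
    """Return an HTTP-style status: 401 (no valid token), 403 (forbidden), 200 (allowed)."""
    session = resolve_session(req)
    if session is None:
        return 401
    if not authorize(session, req.action):
        return 403
    return 200


if __name__ == "__main__":
    # A member trying to escalate by claiming the admin role in the body.
    escalation = Request(
        headers={"Authorization": "Bearer tok-member-91c2"},
        action="edit_members",
        body={"role": "account_admin"},
    )
    print("insecure check grants it:", insecure_authorize(escalation))
    print("server-side check status:", handle_request(escalation))
```

The contrast is the point: `insecure_authorize` lets a member with a forged `role` field perform `edit_members`, while `handle_request` answers 403 because the role comes from the session bound to the token, and a missing or unknown token is rejected with 401 before any permission logic runs.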
By default, we treat all client information as confidential and apply a common set of security rules and recommended requirements across the entire company. Here are just a few of them:
The Security Team follows industry best practices and applies them at every possible level of WA security. We update, redesign, or completely rebuild security processes whenever we find shortcomings.