Privacy and Security

The organizations and businesses I work with are about people. Relationships with people (constituents, clients, members, etc.) make up the primary value of these organizations or businesses. Safeguarding the electronic records of those relationships that are stored on the websites that I host is of primary importance in how I work.

There are no absolutes with computers and security, but I believe my hosting and development services to be appropriate to the organizations I serve, and considerably better than most comparable services. Here are a few ways that I work to maintain privacy and security for the sites I host.

1. I only use well-designed, well-maintained, secure software.

I use secure versions of Linux and any additional software installed on the servers, and follow security best practices around passwords, firewalls, root access, etc.

I keep up to date with all available security patches from Drupal and CiviCRM, as well as the software stack that these run on (i.e. Apache, MySQL, PHP and Linux).

2. I run my own servers.

I only provide hosting on dedicated servers that I set up and maintain. I don't use shared servers.

3. My servers are hosted in Canada.

They are physically located and cared for in Canada, so that they are only subject to Canadian law.

4. I don't provide shell access.

Only I and my backup system administrators have access.

5. I don't store credit card numbers or other sensitive financial data; all financial transactions use SSL-encrypted connections.

All financial transactions using my servers are done using an HTTPS connection, with reputable transaction processors, using tested server code that does not store credit card information on my servers.

6. PCI Compliance

The Payment Card Industry Data Security Standard (PCI DSS) is a proprietary information security standard for organizations that handle cardholder information for the major debit, credit, prepaid, e-purse, ATM, and POS cards. Although this standard is not universally embraced, and the standard is beyond the sole scope of the services I provide to you, these services can be included in your self-assessment of PCI-C compliance. Please contact me if you require a formal statement to this effect.

7. I advise my clients about security and privacy practices.

Many security problems arise due to poor implementation of security measures that are unusable or inappropriate for particular situations and result in users bypassing them to create worse problems.

If you require a more specific statement around privacy or security, or have any questions, please contact me.