The information provided here is for general informational purposes, for example when schools have questions about how their websites are hosted, or when they have security scans performed by a vendor. Our platform is routinely updated: the dashboard and editor shell, the templates and widgets, and the runtime environment in which hosted sites are rendered. Everything from individual websites to the editor itself is hosted on Amazon's AWS platform for reliability. Hosted sites have automated DDoS mitigation, TLS/SSL certificates, data encryption, and strict access controls.
Your website is a PUBLIC website, so content such as text, images, and files is publicly accessible. Never post or upload files that contain sensitive or personally identifiable information.
Never share your password with another user. Each person at your school should use their own login to access and edit the site. We recommend limiting the number of users. Rediker will never ask you for your password.
Our web-hosting platform uses the following security measures.
Network and Data Communication
Remote access requires a VPN connection and two-factor authentication.
HTTPS and SSL Certificates
All hosted sites are served over HTTPS and are issued a certificate via Let's Encrypt (an industry-standard, trusted and reputable certificate authority).
By default, all site traffic is set to force visitors to use a secure connection (HTTPS): requests arriving over plain HTTP are redirected to HTTPS.
The platform sends an HSTS policy (HTTP Strict Transport Security). Once a browser has received this header over HTTPS, it refuses to load the site over plain HTTP for the lifetime of the policy, which protects against protocol downgrade attacks and cookie hijacking. The header only takes effect after the first successful HTTPS visit (or if the domain is on the browser preload list), so it complements, rather than replaces, the HTTP-to-HTTPS redirect.
The site's secure connection uses a DV (Domain Validated) certificate: the certificate authority verified control of the domain name, not the identity of the organisation behind it. This is the normal certificate type for public websites, and the encryption strength is the same as for other validation levels.
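Schools that receive a vendor scan report can verify the two settings above themselves. The following is an added example, not Rediker's code: it parses a Strict-Transport-Security header as defined in RFC 6797 and checks that the plain-HTTP response redirects to HTTPS. The hostname www.example-school.org and the response data are constructed placeholders; real headers can be collected with `curl -sI http://<host>/` and `curl -sI https://<host>/` and fed to `check_site`.

```python
"""Verify the HTTPS redirect and HSTS settings of a hosted site.

Added example (not Rediker's code). It works on HTTP status and header data
you collect yourself; the responses at the bottom are constructed for
illustration and the hostname is a placeholder.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

ONE_YEAR = 365 * 24 * 60 * 60  # the HSTS preload list currently requires max-age >= 1 year


@dataclass
class HSTSPolicy:
    max_age: int
    include_subdomains: bool
    preload: bool


def _header(headers: Dict[str, str], name: str) -> str:
    """Case-insensitive header lookup (HTTP header names are case-insensitive)."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return ""


def parse_hsts(value: str) -> Optional[HSTSPolicy]:
    """Parse a Strict-Transport-Security value (RFC 6797 section 6.1).

    Returns None when the header is absent or has no valid max-age, which is
    exactly the case in which a browser applies no policy at all.
    """
    max_age = None
    include_subdomains = preload = False
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        name = name.strip().lower()
        arg = arg.strip().strip('"')  # max-age may be given as a quoted-string
        if name == "max-age":
            if not arg.isdigit():
                return None  # malformed: the browser ignores the whole header
            max_age = int(arg)
        elif name == "includesubdomains":
            include_subdomains = True
        elif name == "preload":
            preload = True
    if max_age is None:
        return None
    return HSTSPolicy(max_age, include_subdomains, preload)


def check_site(http_status: int, http_headers: Dict[str, str],
               https_headers: Dict[str, str]) -> List[str]:
    """Return findings for the plain-HTTP and HTTPS responses of one host.

    An empty list means both the forced-HTTPS redirect and the HSTS policy
    described above are in place.
    """
    findings: List[str] = []

    # 1. Plain HTTP must redirect straight to https:// (301/308 are preferred
    #    because browsers cache them; 302/307 also work).
    location = _header(http_headers, "Location")
    if http_status not in (301, 302, 307, 308):
        findings.append(f"HTTP returned {http_status}, not a redirect to HTTPS")
    elif not location.lower().startswith("https://"):
        findings.append(f"HTTP redirects to {location!r}, which is not HTTPS")

    # 2. An HSTS header on the *HTTP* response is ignored by browsers
    #    (RFC 6797 section 8.1); it has to be on the HTTPS response.
    if _header(http_headers, "Strict-Transport-Security") and \
            not _header(https_headers, "Strict-Transport-Security"):
        findings.append("HSTS is only sent over HTTP, where browsers ignore it")

    # 3. The HTTPS response must carry a usable policy.
    policy = parse_hsts(_header(https_headers, "Strict-Transport-Security"))
    if policy is None:
        findings.append("no valid Strict-Transport-Security header on HTTPS")
    elif policy.max_age == 0:
        findings.append("HSTS max-age=0 tells browsers to forget the policy")
    elif policy.max_age < ONE_YEAR:
        findings.append(f"HSTS max-age={policy.max_age} is below one year")
    return findings


# Constructed sample responses (not captured from a real site).
GOOD_HTTP = (301, {"Location": "https://www.example-school.org/"})
GOOD_HTTPS = {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"}
WEAK_HTTP = (200, {"Strict-Transport-Security": "max-age=31536000"})
WEAK_HTTPS = {"strict-transport-security": "max-age=300"}

if __name__ == "__main__":
    print("good site:", check_site(GOOD_HTTP[0], GOOD_HTTP[1], GOOD_HTTPS) or "OK")
    print("weak site:", check_site(WEAK_HTTP[0], WEAK_HTTP[1], WEAK_HTTPS))
```

The "weak site" sample shows the two mistakes scanners most often flag: the plain-HTTP endpoint serves content instead of redirecting, and the HTTPS policy lifetime is only a few minutes, so a visitor who returns later is unprotected again.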
Antivirus, Malware Protection and Patch Management
Automated vulnerability scans are run regularly to detect web application vulnerabilities.
Backup and Restore
Static resources (images, files, scripts) are automatically backed up daily via AWS AMI snapshots. In addition, data is replicated to another AWS data center.
Monitoring and Alerts
We use several automated monitoring tools to detect anomalies and misuse.
Access Control
All data communication networks with external access are protected by a central firewall. Networks are segmented by function and usage.
Network segmentation, firewalls, TLS/SSL certificates and a virtual private network (VPN) are used when accessing critical systems.
All outbound TCP communication is TLS/SSL encrypted.
Web-hosting servers are equipped with malware protection and intrusion detection systems.
Central patch management for security-related updates is performed regularly on the AWS infrastructure, so that known security issues cannot be used to gain unauthorized access to systems and data.
Web-hosting services use AWS automated backup features that allow us to restore the database to any point in time within the past 14 days. In addition, web-hosting services take periodic database snapshots via the RDS API.
We will not provide user account related information unless proper verification of the identity of the account owner is established.
Delete and Destroy
Customer Data will only be stored for as long as Rediker and the customer have an active agreement, and as long as it serves the purposes for which the data was collected. Upon expiration of an agreement with a customer, unless there is a legal or contractual obligation to retain data for a longer period, the customer's data will be deleted.
Physical Security
Access to web-hosting systems and applications is granted on a "need to know" basis. Admin access requires multi-factor authentication in addition to a password.
A password policy is enforced for every user on the platform (account owners, team members, customers). Passwords are stored in hashed form, not as recoverable plaintext.
Our web-hosting activities are based on cloud computing services provided by AWS.
Data at rest and in transit is encrypted with industry grade encryption algorithms.
Payment Card Industry Data Security Standard (PCI DSS) compliance is required of all entities that store, process, or transmit cardholder data. If you use a third-party platform for donations, payments, etc., it is that platform that must pass security scans: your hosted website does not store, process, or transmit payment or cardholder data. For example, if you have a "donate" button that takes visitors to another site to enter payment information, the hosted website never sees the card data. Likewise, if you have been given "code" to embed a payment form on your website, the embedded form is provided by the payment processor and submits the card data directly to them, not to the hosted website. In either case your public website is not in scope for the cardholder-data requirements, because it is not responsible for processing, storing, or transmitting that data. If you use a feature such as the website store or an application configured with a payment gateway, the payment processor and its gateway perform all operations on the card data and return a callback confirming payment. Check with your payment processor or third-party vendor for details of their security measures; note that as the merchant your school will usually still be asked by the processor to complete a simplified PCI self-assessment (SAQ A is the one for fully outsourced payments), and the processor can tell you which one applies.
If a security scanning vendor or other company tells you that your website needs to be PCI compliant because it links to sites that accept credit cards for payment, that is inaccurate. Credit card information never passes through your RediSite or our systems, so the site is outside the scope of PCI DSS. And as the technical notes above lay out, RediSites follow industry standards and are properly secured.