10Web Security Statement

Maintaining a high level of security and continuous improvement of security aspects of all processes and products is a top priority at 10Web. This document describes the measures taken by 10Web to offer our customers the industry-standard level of security.

Policies and procedures

Information security program

10Web employs information security policies with an executive-level commitment to implement and follow the policies throughout the entire organization. The Information Security program is  led by the Head of Security and the Security Team at 10Web consisting  of: executive-level officers, security experts, engineering managers, legal experts, and principal engineers from all engineering teams with a broad range of relevant expertise.

Organizational security

Information security roles and responsibilities are defined within the organization. The security team focuses on information security, global security auditing and compliance, as well as defining the security controls for protection of 10Web infrastructure. The Security team is responsible for developing and implementing new security policies and continuous improvement of security at 10Web using roadmaps and action plans.

The 10Web tech architects team regularly ensures the most up-to-date choice of technologies and architectural decisions that, among other things, may affect the security of 10Web infrastructure and applications in the long run. Thus we mitigate the technology-related risks and make best use of the technology stack.

Policies

10Web maintains a set of information security and cybersecurity policies and standards that ensure compliance with data privacy laws and regulations of the jurisdictions in which the firm operates in.
Information security policies and standards are being continuously developed, reviewed, and updated by the Security Team.
Firm policies and standards are available to all personnel. The policies and standards govern the following areas: Identity and access management, password policy, application and software security, infrastructure security, incident management, disaster recovery plan etc.

Information and communication

10Web utilizes various methods of communication, including corporate email and other corporate secure communication channels to update employees on current events and policies, and share information relevant to employees, such as corporate data, industry news, training and development materials, employee resources, and other corporate policies.
Update of key documents such as policies requires notifications to the affected staff.
Access to all sensitive documents are password-protected, have managed accesses, and separate security policies are applied to them.

Access management

10Web has well-developed access controls that are based on the general principles of no privilege without identity, no privilege without approval, need-to-know, least privilege access and entitlements commensurate with role or job duties.
All accounts have centralized access controls and can be revoked by administrators using an accounts management system.

Human resources security

Employee screening

When being hired as an employee, candidates are checked for high security awareness and experience in dealing with the security aspects of their job. Relevant security training is provided to them.
Background check is performed before a candidate’s hiring.

Terms of employment

Upon joining, employees and contractors sign a Confidentiality and  nondisclosure agreement. Only employees/contractors in a role for which it is necessary to access Client Data, are authorized to have access to Client Data, and are subject to our Access Control Policy. Only employees/contractors having appropriate roles have administrative access to 10Web infrastructure, and are subject to the Access Control Policy.

Training

All members of the 10Web team go through Security 101 (about 20 hours) training for increased security awareness and best practices. Besides the onboarding training, regular trainings are conducted at least once a year and whenever any material changes are made to relevant policies. Topics of the training include: Information and cybersecurity essentials, social engineering and phishing, data risk management, password policy, bring your own device, application information security, electronic communication security, managing application privileges, and network security basics. Besides the above mentioned, engineers go through special training covering the following topics: penetration testing and website hacking, vulnerabilities and attacks, and Linux essentials, providing the theoretical and practical skills necessary to discern security threats.
Security team members go through the advanced security fundamentals course (80 hours) which covers broad aspects of security, including software security, infrastructure security, cyber attacks, incidence management, network security, cryptography, law, privacy and industry standards, penetration testing, etc.

Termination of employment/service

10Web has a formal termination or change of employment process that, promptly upon termination or change of employment, requires return of any and all 10Web assets, revokes or adjusts access rights, and reminds ex-employees of their remaining employment restrictions and contractual obligations. All access (logical and physical) are terminated on or before the termination date. 10Web uses predefined checklists to help ensure the consistency and completeness of the termination process. 10Web applies the same policies when dealing with contractors as well..

Application and software security

Centralized inventory

The company tracks its applications in a centralized inventory tool. The tool is used to record information describing the application as well as the associated hardware and technical ownership. In addition, applications are classified and ranked according to application criticality, the type of data they process, and resiliency requirements.

Change management

Engineering teams use self-hosted version control systems for developing, storing as well as testing company applications. All the changes on the application code are tracked, reviewed, and approved according to the predefined branching model workflows. All applications are developed and released using standardized software development lifecycles with clearly defined development, review, testing, continuous integration (CI), continuous deployment (CD), and release management processes.

For each application individually, an access list with corresponding permissions of engineers is configured.

Secure code practices

All engineers are trained for secure code practices. Our engineers have regular meetings where they share their experience and discuss the best engineering practices including topics on secure software development. Junior engineers and new employees work under senior mentorship and are introduced to and trained for secure code practices.

10Web development teams use static and dynamic code analysis tools to scan code for vulnerabilities and bugs. When merging changes on development branches to the stable branch, engineers perform code peer review, which includes code review against a predefined security checklist.

Vendor security and patch management

Third-party components (dependencies) used in 10Web applications and installed on 10Web servers are regularly and automatically scanned for vulnerabilities using databases of vulnerabilities. This ensures the 10Web services and applications always use an up-to-date and secure software stack. 10Web uses only official and trusted source repositories to update third party components. Where possible, dependencies are managed through package managers.

Security testing

Manual and automated vulnerability testing are performed during the development process.

These solutions are integrated into CI/CD pipelines of 10Web applications. Regular testing of security and search of vulnerabilities is performed. Parts of the codebase and applications with a high-risks potential are tested and checked for vulnerabilities both manually and using automated tools such as OWASP ZAP.

Data backup and recovery

10Web automatically maintains backups of different types of data.

Customer sites and containers:

  1. Backup service with backup plugin. It backs up customers’ sites (both hosted and connected) by schedule or manually by client. Backup is stored in the Amazon S3 cloud storage, logically separated from other client’s sites.
  2. Restore points for hosted websites. Enabled by default, backs up daily, and cannot be turned off. Backups are kept for up to 10 days depending on site and available storage sizes. Backups are stored on a separate disk for storage.
  3. Instance snapshots․ Instances are snapshotted daily and kept for 3 days on a different server.

10Web services:

All servers of 10Web infrastructure are backed  up regularly on automatic mode in different physical locations.

Customer account information is backed up in several different locations.

Customer interaction history is backed up on different physical servers as well as encrypted and archived to protect our legitimate interests and to comply with laws.

Logging

10Web stores access/error logs of client sites in each container. This enables monitoring and alerts when suspicious traffic is detected as well as enables tracking and investigating of incidents.

Dashboard access logs of client accounts are stored for one month. Client actions logs, including 10Web account-related logs are stored permanently.

10Web servers log system- and application-level errors, warnings and debugging information which are kept on separate logging servers. PHP error logs for client websites are stored for 24 hours and web server access logs are stored for 52 days.

Access/action logs of administrative/development/service accounts, version control, CI/CD infrastructure and third party essential service accounts used by 10Web staff are enabled and can be investigated by super admins and the security team in case of account data leakage on unauthorized access.

Infrastructure security

Hardware inventory

10Web services are cloud-based and run on Google, Amazon, Azure and OVH cloud infrastructure which are hardware vendors providing the best industry-level standards of hardware security.

The security aspects of devices used by 10Web employees and software installed on them are governed by 10Web inner policies and BYOD (bring your own device) policies, which specify hardware and installed software constraints, use of antiviruses, password protection, device encryption, network and endpoint protection etc. The use of devices is under the oversight of the security team.

Enhanced system configuration

All systems, platforms, and applications are configured (hardened) to minimize security risks. These configurations include following manufacturers’ hardening recommendations and documented standard operating procedures, disabling unnecessary components and features, keeping all systems up-to-date with the most recent patches, proper configuration/storing of passwords parameters, disk write permissions, login attempts and rate limits, enforcing Content Security Policies for web applications, APIs and sites etc.

Malware protection

10Web conducts regular weekly security scans of hosted websites, containers and instances, checking for unauthorized changes in files, and code checks against lists of known malicious scripts. 10Web ensures that our infrastructure servers are free from malicious scripts by regularly scanning them.

To forbid usage of trial sites for phishing purposes and other abuses, they are password protected. According to the ToS, 10Web retains the right to reject registration of client accounts, suspend or terminate client accounts at any time without prior notice.

10Web hosted and connected sites make use of the malware and malicious sites removal program, which ensures that we keep our clients’ sites secure.

Perimeter network security

Access to all servers of all crucial internal services is restricted by IPs. These include version control repositories and CI/CD services. Assets used in different servers are isolated as much as possible in the network.

Firewalls for monitoring and filtering traffic of containers with client sites and 10Web infrastructure servers are enabled. Servers are regularly scanned for open ports.

System monitoring and threat prevention

An extensive monitoring system is enabled on 10Web infrastructure servers and client site containers with automatic condition-based alerts for incoming and outgoing network traffic rates (if too high) and request data (XSS and other threats), resource usage and other types of anomalies. 10Web system administrators and engineers use advanced dashboards with reporting to manually inspect systems for other types of peculiarities and potential threats. Container- and instance-level alerts are thrown when the servers are down.  Third party services accounts and administrative accounts used by 10Web employees have enabled alerts for login attempts and other suspicious activities.

10Web implements, maintains, and develops an extensive list of security controls for threat prevention and mitigation, such as DDoS prevention. CSP violation reports are regularly inspected to ensure that implemented security controls are effective.

  • 10Web consistently maintains an up-to-date list of disallowed/not recommended plugins for hosted/connected sites.
  • 10Web consistently maintains an up-to-date list of known vulnerable plugins/themes for its security service.

Cloud infrastructure

10Web infrastructure is cloud-based and is powered by Amazon AWS, Google Cloud and Microsoft Azure and OVH cloud services. All servers except the hosting infrastructure are located at US data centers. Hosted websites are located at data centers with a wide range of geographical distribution including North America, Europe, Asia, as chosen by customers. See the full list of data centers here.

10Web platform is built using an architecture which allows the platform to be resilient in case of failures of single or multiple components. All critical services are duplicated at different data centers. Load balancing is used to direct traffic to least loaded servers or to switch traffic to healthy servers in case of failures.

Secure network connections and remote access

All connections with 10Web infrastructure services as well as access to 10web services and accounts by the team and client sites are protected by encryption.

Authentication and Authorization

All the accounts utilized by 10Web employees for infrastructure access and administration are protected by 2FA. Where possible, accounts are manageable through the centralized account management system.

Authentication system through the 10Web dashboard for client sites is implemented to increase security of WP admin accounts. 10Web enforces 2FA and strong passwords for client accounts. User interface elements such as tips, reminders, warnings, etc. in the 10Web dashboard and manager plugin aim to increase awareness of secure authentication and authorization practices for client sites and accounts.

Only strong random passwords are allowed (if possible – enforced) for accounts of 10Web employees. 10Web employees must use a password management system for all their accounts. Strong passwords are enforced in 10Web dashboard client accounts.

All the sensitive actions in the 10Web dashboard require re-authentication.

Business Continuity and Disaster Recovery

To minimize service interruption due to hardware and software failure, natural disaster, or other catastrophes, we use reliable cloud service providers, such as Google Cloud, Amazon AWS, Microsoft Azure, and OVH cloud. Hosting services are powered by Google Cloud.

10Web services have multiple components to minimize the risk of any single point of failure. For business critical services, application data is replicated to multiple systems within the data center and, in some cases, replicated to secondary or backup data centers that are geographically dispersed to provide adequate redundancy and high availability. All servers are monitored to detect any sort of downtime.

The security team supervises the development and implementation of contingency plans (plan B) for infrastructure and applications to ensure business continuity.

SaaS operations security

Documented procedures, risk assessment

For every project and infrastructure component or application feature,  corresponding engineering and  management teams, by consulting with the security team, conduct a formal risk assessment on the planning stage, which is to be included in business decisions and further risk minimization operations.

Separation of development, testing and operational facilities

Development and test environments of 10Web applications and services are logically and physically separated from production environments. Supporting facilities and infrastructure (administrative, CI/CD, repositories) are logically and physically separated from production environments.  Different production servers are either physically or logically separated from each other. Password policy enforces different access credentials for development, test, and production facilities.

Production environment

Besides being completely separate from development and testing environments, the production environment is hardened in a specific way. Configuration and accesses are tuned according to the pre-defined standards for production environments, to mitigate the risks of accidental modifications by engineers. Debugging and test harnesses are disabled for the production environment.

Scalability & Stability

All infrastructure servers are scalable.

Uptime monitoring and control systems enable high uptime and stability of servers according to 10Web internal specifications based on industry best standards, by implementing usage of reserve servers, quick alerts, and incidence response automated playbooks.

Security incident management

10Web maintains a transparent internal incident process and promotes transparency as a part of its internal culture. All employees are required to report all attacks and possible threats to the security team. Incidents are categorized by severity. For all incidents, formal incident management procedures are to be taken. All relevant team members participate in a meeting, where under the supervision of the security team, they define further actions to mitigate the consequences of the incident, exclude further repeat of similar incidents, improve overall processes/technical systems with respect to security, and provide necessary transparent reports and help to the clients/third parties affected by the incident.

Per request,10Web may report audit logs, provide traffic analysis reports, and other necessary information to affected clients/third parties as well as governmental agencies.

Security metrics

A list of security metrics, measurable quantitative indicators is defined for internal operations. Security metrics are closely monitored for analysis, risk minimization and threat prevention. However, security team actions and overall improvements with regard to security are not limited to those areas with measured security metrics only.

Data security and data privacy

Customer data

10Web provides transparent information about all sorts of data it collects and processes.

Besides data of hosted websites inside hosting instances (files, database and logs), 10Web stores data of its clients and client sites. A detailed list of all data which is being processed by 10Web or third-parties , along with explanations on how it is collected, stored, and their retention periods are explained in the Privacy Policy.

Below are the procedures for protecting data.

Financial data

10Web does not process or store any credit card information. 10Web uses industry-standard payment processors such as Paypal and Stripe which are PCI DSS compliant.

Data Encryption

All the information sent and received by 10Web servers is in encrypted form. 10Web only stores encrypted hashes of client account credentials. Customer communications are encrypted. Clients’ website backups are encrypted.

Data privacy

A detailed list of all data which is being processed by 10Web or third-parties, along with explanations on how it is collected, stored, and their retention periods are explained in the Privacy Policy.

GDPR and data retention

A detailed GDPR compliance statement is coming soon.

Information disclosure by 10Web

10Web does not disclose any customer data to third parties, besides the cases explained in the privacy policy and cases when US and third-country public authorities who have legal right to obtain such data, send 10Web a legally obligating requests, such as court orders.

Responsible disclosure

Responsible disclosure

We consider the security of our systems a top priority. But no matter how much effort we put into system security, there can still be vulnerabilities present.

If you discover a vulnerability, we would like to know about it so we can take steps to address it as quickly as possible. We would like to ask you to help us better protect our clients and our systems.

Please do the following:

  • E-mail your findings to [email protected]
  • Do not take advantage of the vulnerability or problem you have discovered, for example by downloading more data than necessary to demonstrate the vulnerability
  • Do not reveal the problem to others until it has been resolved
  • Do not use attacks on physical security, social engineering, distributed denial of service, spam or applications of third parties
  • Do provide sufficient information to reproduce the problem, so we will be able to resolve it as quickly as possible. Usually, the URL of the affected system and a description of the vulnerability will be sufficient, but complex vulnerabilities may require further explanation.

What we promise:

  • We will respond to your report within 3 business days with our evaluation of the report and an expected resolution date
  • If you have followed the instructions above, we will not take any legal action against you in regard to the report
  • We will handle your report with strict confidentiality, and not pass on your personal details to third parties without your permission
  • We will keep you informed of the progress towards resolving the problem
  • As a token of our gratitude for your assistance, we may offer a reward for reports of vulnerabilities in our system that were not yet known to us

Our expectations of your information security practices

10Web aims to provide the best security for its clients. Many security controls and configurations are automatically enabled according to the best industry standards.

We expect our customers to have responsible security awareness. By:

  • Providing valid, accurate, complete, and up-to-date information so that 10Web can contact them promptly.
  • Keeping passwords of 10Web accounts and hosted websites in a safe place and not sharing them with others.

To get help with enabling the 10Web security service, check here.

Customers may temporarily provide access to their 10Web account dashboards and and sites for support purposes by enabling “allow access mode”, which will open access to customer care agents and engineers involved in fixing the issue.

If you suspect that your account is compromised, immediately inform us and reset passwords and 2FA access.

Disclaimer

This Security Public Statement is provided for informational purposes only and does not provide an exhaustive list of measures undertaken by 10Web.

Contact

If you have any questions about security and privacy at 10Web, please contact us at:

[email protected]