Security, backups and redundancy
We're one of the few New Zealand service providers that are registered for data protection in multiple countries
including the UK's Information Commissioner's Office (registration number: ZA246885) so our customers are not only
protected by strict New Zealand data protection laws, but also far stronger European laws. Our infrastructure is completely PCI DSS and HIPAA
compliant which means customers can store payment and health information on our servers. Others
charge for this or claim to be compliant without any kind of certification or third party audits.
We have a full-time dedicated team of engineers whose sole task is to find vulnerabilities in
our infrastructure, in WordPress, popular plugins, our customers websites and applications. When
we find a vulnerability, we let the relevant entities know so they can release updates but since it
can often take months before a patch is released by them (often leaving millions of websites
vulnerable), we patch our servers and clients websites immediately to minimise risks. And since
WordPress updates often break websites, our patches only target what's necessary and
ensure websites remain operational after the patch so we can keep your website safe without the
anxiety or reluctance of updating WordPress.
We also have a proprietary security system which prevents most forms of brute force attempts.
For example, if a customer uploads a plugin that contains malware — we have mechanisms in
place that will make it very difficult for someone to use the malicious plugin to take control of
a website and/or perform malicious activity because of our authentication system. Every host claims
to be secure but none have the technical capability to do what we do, none go to the extremes that
we do to protect our clients and none have a proven track record like we do.
Common sense security
It's common now to hear companies experience breaches and data leaks and while
it's impossible to be 100% secure, many have occurred through plain old negligence such as not
encrypting data, allowing data access remotely for the sake of convenience and so on. They could
have been prevented and while nobody can be perfect, everyone can follow common sense and to make
matters worse, many of their breaches occurred in the exact same manner as other companies many
years earlier yet took no action until it was too late.
As well as constantly searching for vulnerabilities in our infrastructure, we also keep
abreast of the
news and if we find a company has experienced a breach, we immediately and thoroughly test our systems for the same
and similar types of vulnerabilities — and take action where necessary. We don't need to experience
a breach to learn their lessons. We would rather be safe than sorry.
Backups and redundancy
Most companies claim to make daily backups which in reality isn't the case or their backup strategy is
unreliable and customers aren't aware of this until they need it. When their customers ask to restore from
a backup, they often come across failed/unusable backups or backups that do not exist. To mitigate this, we perform full backups of files and databases every 3 hours and store copies of them
in so many different locations to ensure a recent copy is always available in the event of a catastrophe.
Backups are stored on the
physical server in RAID (multiple disks have the same copy), a copy is stored on our local storage
array network (SAN) which is a cluster of servers and disks (again, multiple drives will hold a
copy on the SAN) at the other side of the data centre and a final copy is sent to Amazon S3 with
geo-redundant replication. To date, we
have not lost a backup. No other host can do or offer this without charging
thousands of pounds per month for the backups alone.