
Security Framework

Protecting Sensitive Member and Organisational Data

Executive Summary

Agend Systems (Agend) is committed to maintaining a high standard of security for our WordPress application serving the professional membership market. This framework sets out our multi-layered approach to protecting sensitive member and organisational data. It combines the controls of our managed WordPress hosting environment (Kinsta), which holds a SOC 2 Type 2 attestation, with our own internal security practices and with the findings and recommendations of clients' independent security audits.

Document History
Author        Updates                          Date         Version
Glen Rosie    Initial Release                  3 May 2024   1.0
Glen Rosie    Updates to Application Security  15 Aug 2024  1.1
Garth Walker  Reviewed                         14 Feb 2025  1.2

1. Infrastructure Security

1.1 Hosting Environment Security (Kinsta)

  • SOC 2 Type 2 Attestation: Our hosting provider Kinsta holds a SOC 2 Type 2 report, an independent auditor's assessment of the design and operating effectiveness of its controls over a review period, covering the trust services criteria of security, availability, processing integrity, confidentiality, and privacy.

  • Cloud Infrastructure: Leveraging Google Cloud Platform's secure infrastructure with built-in protection against DDoS attacks, intrusion detection, and hardware security.

  • Isolated Container Technology: Each WordPress site runs in its own isolated container with dedicated resources, limiting the blast radius of a compromised site.

  • Automatic Scaling: Resources automatically adjust to handle traffic spikes, preventing downtime during high-traffic periods.

  • Data Residency: Site data is stored in a cloud region corresponding to the client's preferred country group (typically Australia), keeping it under that jurisdiction's law.

1.2 Network Security

  • Enterprise-Grade Firewall: Implementation of advanced firewall protection to filter malicious traffic.

  • DDoS Protection: Automatic mitigation of distributed denial-of-service attacks.

  • TLS Encryption: HTTPS is enforced for all sites, with certificates issued free of charge and renewed automatically.

  • IP Geolocation Restrictions: Capability to restrict access based on geographical location when required.

2. Application Security

2.1 WordPress Core Security

  • Monthly Updates: Updates to the code base are released on a monthly schedule. Critical security updates are applied out of cycle where appropriate to minimise the window of exposure.

  • Plugin and Theme Vetting: Strict policy for using only reputable, regularly updated, and security-audited plugins.

  • Plugin Minimisation: Using only essential plugins to reduce the potential attack surface.

  • Regular Security Scans: Automated and manual scans for malware, vulnerabilities, and suspicious activities.

2.2 Authentication and Access Control

  • Strong Password Policies: Enforcement of complex password requirements.

  • Multi-Factor Authentication (MFA): Required for all administrative access.

  • Role-Based Access Control: Granular permission settings to ensure users have only the access they need.

  • Session Management: Automatic timeout of inactive sessions and secure session handling.

  • Login Attempt Limitations: Automatic blocking after multiple failed login attempts.
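
The last two controls above (automatic timeout of inactive sessions and blocking after repeated failed logins) are stated as outcomes. The following added example, written for this page and not taken from Agend's WordPress code or from any plugin, shows one way they are implemented. WordPress core does not lock accounts after failed logins on its own; that control normally comes from a plugin or the host. Every number in it (five failures, a 15-minute window, a 30-minute idle timeout, a 12-hour absolute timeout) and the `password_ok` stand-in for the real credential and MFA check are assumptions, not the framework's figures.

```python
# Added illustration: not Agend's or Kinsta's code. Threshold values are
# assumptions; the framework states the controls but not their parameters.
import secrets
from dataclasses import dataclass, field
from typing import Optional

MAX_FAILURES = 5                       # assumed: failures per (account, IP) before blocking
IP_FAILURE_MULTIPLIER = 4              # assumed: one IP spraying many accounts blocks at 4x
LOCKOUT_SECONDS = 15 * 60              # assumed: sliding window and lockout length
IDLE_TIMEOUT_SECONDS = 30 * 60         # assumed: idle session expiry
ABSOLUTE_TIMEOUT_SECONDS = 12 * 3600   # assumed: hard cap on session lifetime


@dataclass
class LoginThrottle:
    """Sliding-window failure counter keyed two ways.

    Counting only per account lets anyone lock a member out by sending wrong
    passwords for their username; counting only per IP misses a distributed
    attack on one account. Blocking when either counter trips covers both.
    All `now` arguments are Unix timestamps (pass time.time() in production).
    """
    max_failures: int = MAX_FAILURES
    lockout_seconds: int = LOCKOUT_SECONDS
    _failures: dict = field(default_factory=dict)   # key -> [timestamps]

    def _recent(self, key, now):
        cutoff = now - self.lockout_seconds
        kept = [t for t in self._failures.get(key, []) if t > cutoff]
        self._failures[key] = kept                   # drop expired entries
        return len(kept)

    def is_blocked(self, account, ip, now):
        per_account = self._recent(("acct", account, ip), now) >= self.max_failures
        per_ip = self._recent(("ip", ip), now) >= self.max_failures * IP_FAILURE_MULTIPLIER
        return per_account or per_ip

    def record_failure(self, account, ip, now):
        for key in (("acct", account, ip), ("ip", ip)):
            self._failures.setdefault(key, []).append(now)

    def record_success(self, account, ip):
        # A correct password clears the per-account counter only; the per-IP
        # history stays so a spraying host is not reset by one lucky hit.
        self._failures.pop(("acct", account, ip), None)


@dataclass
class Session:
    user: str
    created: float
    last_seen: float


class SessionStore:
    """Server-side sessions with idle and absolute timeouts. The client holds
    only a 256-bit random token; all state is server side, so a session can be
    revoked at any time and the token itself encodes nothing about the user."""

    def __init__(self, idle=IDLE_TIMEOUT_SECONDS, absolute=ABSOLUTE_TIMEOUT_SECONDS):
        self.idle, self.absolute = idle, absolute
        self._sessions = {}

    def create(self, user, now):
        token = secrets.token_urlsafe(32)
        self._sessions[token] = Session(user, now, now)
        return token

    def touch(self, token, now) -> Optional[Session]:
        """Return the live session for `token`, or None (and drop it) if expired."""
        s = self._sessions.get(token)
        if s is None:
            return None
        if now - s.last_seen > self.idle or now - s.created > self.absolute:
            del self._sessions[token]
            return None
        s.last_seen = now
        return s

    def revoke(self, token):
        self._sessions.pop(token, None)


def attempt_login(throttle, sessions, account, ip, password_ok, now):
    """Returns (status, token_or_None). `password_ok` stands in for the real
    credential and MFA check. Blocked attempts are rejected before the password
    is evaluated, so a locked account leaks nothing about password validity."""
    if throttle.is_blocked(account, ip, now):
        return "blocked", None
    if not password_ok:
        throttle.record_failure(account, ip, now)
        return "failed", None
    throttle.record_success(account, ip)
    return "ok", sessions.create(account, now)
```

Two points worth checking in any lockout implementation: counting failures per username alone lets an attacker lock members out at will, which is why the example also counts per source address; and a blocked attempt must be refused before the password is checked, otherwise the lockout response itself reveals whether the password was right.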

3. Data Protection

3.1 Data Encryption

  • Data-in-Transit Encryption: All communication with our application is encrypted using TLS 1.3.

  • Database Encryption: Sensitive database fields are stored encrypted, adding a layer of protection beyond the access controls on the database itself.

3.2 Data Handling Procedures

  • Data Minimisation: We collect and retain only necessary data, following the principle of data minimisation.

  • Data Classification: All data is classified according to sensitivity levels with appropriate handling procedures for each level.

  • Secure Data Disposal: When data is no longer needed, it is securely deleted according to industry best practices.

4. Backup and Recovery

  • Automated Backups: Daily automated backups with 30-day retention.

  • Off-site Backup Storage: Backups are stored in geographically separate locations.

  • Regular Backup Testing: Regular tests of backup restoration processes to ensure data recoverability.

  • Disaster Recovery Plan: Comprehensive plans for various disaster scenarios with defined recovery time objectives (RTOs) and recovery point objectives (RPOs).

5. Monitoring and Incident Response

5.1 Continuous Monitoring

  • 24/7 Security Monitoring: Real-time monitoring for security incidents and anomalies.

  • Performance Monitoring: Tracking of application performance to detect unusual patterns that might indicate security issues.

  • Automated Alerting: Immediate notifications of suspicious activities or potential security incidents.

5.2 Incident Response

  • Documented Incident Response Plan: Step-by-step procedures for addressing various security incidents.

  • Dedicated Security Team: Trained professionals available to respond to security incidents.

  • Regular Drills: Scheduled incident response simulations to ensure readiness.

  • Post-Incident Analysis: Thorough review after any security incident to improve processes.

6. Compliance and Assessment

6.1 Regulatory Compliance

  • Industry-Specific Regulations: Compliance with relevant industry-specific data protection regulations.

6.2 Security Assessment

  • Penetration Testing: We encourage clients to commission scheduled tests by independent security professionals to identify vulnerabilities, and their findings feed back into this framework.

  • Vulnerability Scans: Frequent automated vulnerability scanning.

  • Code Reviews: Security-focused code reviews before deployment.

7. Vendor Management

  • Vendor Security Assessment: Thorough evaluation of all third-party vendors with access to our systems or data.

  • Vendor SOC 2 Compliance: Preference for vendors with SOC 2 compliance (like Kinsta).

  • Vendor Access Limitations: Strict controls over vendor access to our systems and data.

  • Vendor Contract Security Provisions: Clear security requirements in all vendor contracts.

8. Employee Security

  • Security Awareness Training: Regular training for all team members on security best practices.

  • Acceptable Use Policies: Clear guidelines for appropriate use of systems and data.

  • Principle of Least Privilege: Staff are granted only the minimum access required for their roles.

9. Physical Security

  • Data Centre Security: Physical security of the data centres is provided by Google Cloud, the infrastructure on which our hosting provider Kinsta runs our sites.

  • Office Security: Physical security measures at our offices to protect equipment and information.

  • Device Security: Policies for secure use and storage of company devices.

10. Continuous Improvement

  • Security Roadmap: Planned security enhancements and timelines.

  • Regular Framework Review: Periodic assessment and updating of this security framework.

  • Industry Trend Monitoring: Staying current with evolving security threats and countermeasures.

  • Customer Feedback Integration: Incorporating security suggestions from clients into our framework.

Conclusion

Agend's security framework demonstrates our commitment to protecting your sensitive member and organisational data. By leveraging Kinsta's SOC 2 Type 2 attested hosting environment and implementing our own security measures on top of it, we provide multiple layers of protection for your information.

We view security as an ongoing process rather than a one-time achievement, and we continually evaluate and enhance our security posture to address emerging threats and incorporate new best practices.

We welcome any specific security requirements or questions you may have and are happy to provide additional details on any aspect of our security framework.