Security Policy


1. Backups / Disaster Recovery

We prioritize the safety and continuity of your data through comprehensive backup and disaster recovery measures.

Backup Frequency: We keep 14 full backups of each WebSCM database for at least 3 months: daily backups for 7 days, weekly backups for 4 weeks, and monthly backups for 3 months.

Backup Locations: Backups are replicated in at least 3 different data centers across 2 different continents. The locations of our data centers are specified in our Privacy Policy.

Manual Backups: You can download manual backups of your live data at any time using the control panel.

Restoration: You can contact our Helpdesk to restore any of those backups onto your live database, or into a separate database alongside it so that the live data is not overwritten.

1.1 Hardware Failover

For services hosted on bare metal, where hardware failure is possible, we implement local hot standby replication with monitoring and a manual failover procedure that takes less than 5 minutes.

1.2 Disaster Recovery

In case of complete disaster, with a data center entirely down for an extended period, we have the following objectives:

RPO (Recovery Point Objective): 24 hours. This means you can lose a maximum of 24 hours of work if the data cannot be recovered and we need to restore your latest daily backup.

RTO (Recovery Time Objective): 24 hours for paid subscriptions, 48 hours for free trials, education offers, freemium users, etc. This is the time to restore the service in a different data center if a disaster occurs and a data center is completely down.

1.3 Disaster Recovery Execution

We actively monitor our daily backups, which are replicated in multiple locations on different continents. We have automated provisioning to deploy our services in a new hosting location. Restoring the data based on our backups of the previous day can then be done in a few hours, with priority on paid subscriptions. Both the daily backups and provisioning scripts are routinely used for daily operations, ensuring that our disaster recovery procedure is always tested.

2. Database Security

Customer Data Isolation: Customer data is stored in a dedicated database on a dedicated virtual machine, with no sharing of data between clients.

Access Control: No access is possible from one database to another.

3. Password Security

Hashing: Customer passwords are never stored in clear text or in reversible (encrypted) form. They are hashed with industry-standard PBKDF2-SHA512, salted per user and stretched over thousands of iterations, so that a leaked database does not expose the passwords themselves.

No Access: WebSCM staff do not have access to your password and cannot recover it from the stored hash. If you lose it, the only option is to reset it.
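As an added illustration of the scheme described above (this is example code, not WebSCM's own implementation), the following shows salted, stretched PBKDF2-HMAC-SHA512 hashing with constant-time verification. The storage format, the iteration count and the salt length are assumptions chosen for the example; the policy only states "PBKDF2+SHA512, salted and stretched for thousands of rounds".

```python
import base64
import hashlib
import hmac
import os

# Parameters assumed for this example (the policy gives no concrete values).
# 210_000 iterations is the current OWASP guidance for PBKDF2-HMAC-SHA512.
SCHEME = "pbkdf2_sha512"
ITERATIONS = 210_000
SALT_BYTES = 16
DKLEN = 64  # one SHA-512 output


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Hash a password with a fresh random salt.

    Returns a self-describing record "scheme$iterations$salt$hash" so the
    verifier can recompute the hash without any out-of-band parameters, and
    so the iteration count can be raised later without breaking old records.
    """
    salt = os.urandom(SALT_BYTES)
    dk = hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"), salt, iterations, dklen=DKLEN)
    return "$".join([
        SCHEME,
        str(iterations),
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(dk).decode("ascii"),
    ])


def _parse(record: str):
    """Split a stored record into (iterations, salt, hash); None if malformed."""
    parts = record.split("$")
    if len(parts) != 4 or parts[0] != SCHEME or not parts[1].isdigit():
        return None
    try:
        return int(parts[1]), base64.b64decode(parts[2]), base64.b64decode(parts[3])
    except ValueError:
        return None


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time.

    hmac.compare_digest avoids leaking, through timing, how many leading
    bytes of the candidate hash matched the stored one.
    """
    parsed = _parse(record)
    if parsed is None:
        return False
    iterations, salt, expected = parsed
    dk = hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"), salt, iterations, dklen=len(expected))
    return hmac.compare_digest(dk, expected)


def needs_rehash(record: str, iterations: int = ITERATIONS) -> bool:
    """True if the record was produced with fewer iterations than the current
    setting (or is in an unknown format). Call after a successful login to
    transparently upgrade old records with the password that was just verified.
    """
    parsed = _parse(record)
    return parsed is None or parsed[0] < iterations
```

Because the salt is random, hashing the same password twice yields two different records, and only the record, never the password, is ever written to the database; this is what makes "cannot retrieve it" true rather than a matter of policy.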

Secure Transmission: Login credentials are always transmitted securely over HTTPS.

Rate Limiting: Customer database administrators have the option to configure rate limiting and cooldown duration for repeated login attempts.
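The following is an added example (not WebSCM's implementation) of the kind of mechanism the rate-limiting setting above describes: failed logins are counted per account within a sliding window, and once the threshold is reached further attempts are refused for a cooldown period. The threshold, window and cooldown values are assumptions; the policy says only that administrators can configure them.

```python
import time
from collections import defaultdict


class LoginRateLimiter:
    """Per-account throttle for failed login attempts with a cooldown (lockout).

    Defaults are illustrative: 5 failures within 5 minutes lock the account
    for 15 minutes. `clock` is injectable so the behaviour can be tested
    without waiting in real time.
    """

    def __init__(self, max_failures=5, window_s=300, cooldown_s=900, clock=time.monotonic):
        self.max_failures = max_failures
        self.window_s = window_s
        self.cooldown_s = cooldown_s
        self.clock = clock
        self._failures = defaultdict(list)  # account -> timestamps of recent failures
        self._locked_until = {}             # account -> clock value when the lock expires

    def _prune(self, account, now):
        """Drop failures that fell out of the sliding window."""
        cutoff = now - self.window_s
        self._failures[account] = [t for t in self._failures[account] if t > cutoff]

    def is_locked(self, account) -> bool:
        until = self._locked_until.get(account)
        if until is None:
            return False
        if self.clock() >= until:
            # Cooldown elapsed: clear the lock and the failure history.
            del self._locked_until[account]
            self._failures.pop(account, None)
            return False
        return True

    def retry_after(self, account) -> float:
        """Seconds until the account may try again (0.0 if not locked)."""
        until = self._locked_until.get(account)
        return max(0.0, until - self.clock()) if until is not None else 0.0

    def record_failure(self, account):
        if self.is_locked(account):
            return  # already locked; do not extend the lock on further attempts
        now = self.clock()
        self._prune(account, now)
        self._failures[account].append(now)
        if len(self._failures[account]) >= self.max_failures:
            self._locked_until[account] = now + self.cooldown_s
            self._failures.pop(account, None)

    def record_success(self, account):
        """A correct password resets the counter and any lock."""
        self._failures.pop(account, None)
        self._locked_until.pop(account, None)


def simulate_brute_force():
    """Constructed scenario driven by a manual clock (no real waiting).

    Account "alice" receives five wrong passwords one second apart, which
    triggers the lockout; "bob" receives ten wrong passwords spaced wider
    than the window, which never does.
    """
    t = [1000.0]  # manual clock, in seconds
    lim = LoginRateLimiter(max_failures=5, window_s=300, cooldown_s=900, clock=lambda: t[0])

    for _ in range(4):
        lim.record_failure("alice")
        t[0] += 1
    after_four = lim.is_locked("alice")   # four failures: still allowed
    lim.record_failure("alice")           # fifth failure: lockout starts
    after_five = lim.is_locked("alice")
    retry = lim.retry_after("alice")      # full cooldown remaining
    t[0] += 899
    still_locked = lim.is_locked("alice")  # one second before expiry
    t[0] += 1
    unlocked = lim.is_locked("alice")      # cooldown elapsed

    for _ in range(10):
        lim.record_failure("bob")
        t[0] += 301                        # just outside the 300 s window
    spread_locked = lim.is_locked("bob")

    return {"after_four": after_four, "after_five": after_five, "retry_after": retry,
            "still_locked": still_locked, "unlocked": unlocked, "spread_locked": spread_locked}
```

In a deployment the same check would normally be keyed on the source address as well as the account, and the state kept in shared storage rather than process memory so that every application server sees the same counters.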

Password Policies: Database administrators can enforce a minimum user password length. Other password policies, such as required character classes, are not supported by default: composition rules have been shown to be counter-productive, and NIST SP 800-63B recommends against imposing them.

4. Staff Access

WebSCM helpdesk staff may sign into your account to access settings related to your support issue using their own special staff credentials. This special staff access improves efficiency and security: they can immediately reproduce the problem you are seeing, you never need to share your password, and we can audit and control staff actions separately. Our Helpdesk staff strives to respect your privacy and only access files and settings needed to diagnose and resolve your issue.

5. System Security

Operating System Security: All WebSCM servers run hardened Linux distributions with up-to-date security patches.

Minimal Installations: Installations are ad-hoc and minimal to limit the number of services that could contain vulnerabilities.

Remote Management: Only a few trusted engineers have clearance to remotely manage the servers. Access is possible only with a personal SSH key pair whose private key is passphrase-protected, from a computer with full-disk encryption.

6. Physical Security

WebSCM servers are hosted in various regions with trusted data center providers, including Hetzner and Google Cloud. These data centers meet our stringent physical security criteria:

Restricted Access: Physical access is restricted to authorized data center employees only.

Physical Access Control: Access is controlled by security badges or biometric controls.

24/7 Monitoring: Security cameras monitor data center locations 24/7.

On-site Security: Security personnel are on-site 24/7.

7. Credit Card Safety

We never store credit card information on our own systems. Your credit card information is always transmitted securely directly between you and our PCI-compliant payment acquirers.

8. Data Encryption

In Transit and At Rest: Customer data is always transferred and stored in encrypted form (encryption in transit and at rest).

TLS Encryption: All data communications to client instances are protected with state-of-the-art TLS (HTTPS), using cipher suites with 256-bit symmetric keys.

Internal Communications: All internal data communications between our servers are protected with state-of-the-art encryption (SSH).

TLS Certificates: All our TLS certificates use a robust 2048-bit RSA modulus, with full SHA-2 certificate chains.

Data Encryption at Rest: All customer data (database content and stored files) is encrypted at rest, both in production and in backups (AES-128 or AES-256).

9. Network Defense

DDoS Protection: All data center providers used by WebSCM have very large network capacities designed to withstand the largest Distributed Denial of Service (DDoS) attacks. Their automatic and manual mitigation systems detect and divert attack traffic at the edge of their multi-continental networks.

Firewalls and Intrusion Prevention: Firewalls and intrusion prevention systems on WebSCM servers detect and block threats such as brute-force password attacks.

Rate Limiting: Customer database administrators can configure rate limiting and cooldown duration for repeated login attempts.

10. Miscellaneous

WebSCM's internal Security Team regularly performs security audits and penetration tests. The Security Team reviews the results and takes corrective measures whenever necessary.

This security policy outlines the comprehensive measures taken by Unitsoft Inc. to ensure the security and integrity of customer data on the WebSCM platform. For full compliance and to ensure all specific legal and operational needs are met, consulting with a legal professional is recommended.