Security at Ignition

Ignition Security

(Last modified 21 July 2022)


Encryption

All customer interaction with Ignition servers is encrypted through the use of SSL. Our SSL certificates use 256-bit encryption to protect your data. Data is encrypted at rest with AES-256, block-level storage encryption.

 

Disaster Recovery

Data is backed up offsite daily for recovery from disasters. Daily logical backups are retained for 7 days. Our provider offers a continuous protection mechanism for disaster recovery, and our recovery point objective (RPO) in the event of a disaster is within 24 hours. Because of our multi-tenanted environment, we haven’t set a recovery time objective (RTO).

 

Data Retention and Location

Ignition stores the minimum amount of data required in order to provide our services. Customer, proposal and pricing data must be stored by Ignition, but credit card details are stored by PCI-compliant service partners.

Ignition securely and indefinitely retains data unless deletion is requested by the principal of the account. Servers housing data are located within the United States of America.

 

Financial Security

Credit card and direct debit details are never stored by Ignition. All sensitive payment details are transmitted directly to our payment providers over SSL connections and are not logged or stored in Ignition systems.

Malicious actors gaining unauthorized access to a customer’s account do not have access to a customer’s card or payment information, and any attempts to redirect funds require new business verification checks from Ignition’s Fraud and Controls team.

Subscription payments are processed by Recurly, a Payment Card Industry Data Security Standard (PCI-DSS) Level 1 compliant service provider. Sensitive payment information is stored by Recurly using several layers of encryption in a segmented network with no public access.

Customer payments are processed by Stripe, a PCI-DSS Level 1 compliant provider. Ignition connects to Stripe using TLS and captures details via Stripe Elements/Stripe.js. PCI SAQ-A attestations are completed annually and can be made available on request.

 

Password Security

Password security is maintained through minimum password lengths and automatic lockout on repeated login failures.

To maximise your safety, Ignition recommends your password be at least 10 characters with a mixture of letters, numbers and punctuation characters. We recommend that the password you use for Ignition is unique and not used for any other websites. A password manager such as 1Password or LastPass is recommended to manage your passwords.

No plain text passwords are stored at any time.

 

Physical Security

Ignition's production systems run on Amazon Web Services (AWS), a popular cloud computing platform. AWS' security policy details the physical, network, system and data security they provide.

 

Network Security

Ignition undertakes annual penetration testing provided by Synopsys.

Ignition has implemented technologies provided by AWS to reduce the impact of DDoS attacks.

 

Vulnerability Management

Software libraries used by Ignition are actively kept up to date. Any security fixes or patches are treated as top priority and are applied as quickly as possible - normally within 24 hours of public release.

We also have a formal bug bounty program to ensure that vulnerabilities are discovered and patched as soon as possible.

 

Accreditation

Ignition is not ISO or SOC accredited. Please review our sub-processor list for details of sub-processor accreditations.

 

Support and Development

Application development activities are located within Australia and occur primarily within Australian business hours. Our current infrastructure does not require scheduled maintenance downtime, but we reserve the right to schedule it after providing 24 hours' notice.

Support activities occur globally and current hours of operation are 9 am Monday to 11 am Saturday AEST. No official SLAs are offered, but we endeavor to respond to all support queries within 24 hours.