In this, we are guided by a few overarching principles. We never rely on security through obscurity; we aren't hiding behind secrets. Instead we use industry-standard security best practices. We always employ multiple levels of security and redundancy.
We utilize the best agencies to handle different areas of service; we want experts doing what they are really good at, not some guy in his garage promising to back things up every now and then. Along those lines, Amazon provides all of our hosting and Stripe handles our credit card processing and the security side of all of our credit card storage.
Database & Configuration Back-ups
We don't ever want there to be a single point of failure in our system so for all of our infrastructures, we have at least two copies (two levels of redundancy). Every function in RW Elephant is redundantly deployed on at least two separate servers (in two different locations) and we have automatic systems in place to monitor that all the servers are working. The system is also set up to automatically fail over if any server ever stops functioning properly.
We keep automated database back-ups that can be restored to any point in time for at least the last eight days. In addition, we periodically manually back-up our database to store additional copes offsite (in three locations).
As far as configuration goes, the source code that runs RW Elephant is backed-up in five separate locations and those back-ups are periodically evaluated to make sure they are working properly. Is this overkill? Probably. But we know how important RW Elephant is to our users and their businesses so we think it makes sense to be exceedingly cautious.
Beyond all of the redundancy and backing up we do internally, we allow our users to keep back-ups of their own data as well. We also recommend that our users keep copies of their order PDFs on their own computers (we actually suggest using Dropbox). That way, even if they don't have access to the internet, they have a foolproof way of fulfilling their orders.
Redundancy and back-ups aren't our only lines of defense. We also focus on multiple layers of security.
We regularly install security updates on our servers. We store passwords using the bcrypt password standard.
Our servers are protected with firewalls that only allow necessary traffic. Access to our servers for configuration changes requires two-factor authentication. We use industry standard TLS/SSL to encrypt communication with our servers. In fact, our configuration gets us an “A” grade on SSLLabs.org.
All of our credit card processing is handled by Stripe, who also takes security very serious. Our users' credit card numbers and their customers' credit card details are securely encrypted and sent directly to Stripe. They are never even visible to our server. Our server never has access to them.
In addition to direct access to our servers and data, we make sure our back-ups are also encrypted.
We are really passionate about this stuff so we keep up-to-date with the latest developments in the technology community. We voraciously read tech news, curiously explore sources of recent publicized security breaches, and stay up nights thinking about holes and future liabilities.
We hope you'll feel confident that we are taking every possible measure to protect you and your business. If you should have any further questions, please don't hesitate to get in touch with us at firstname.lastname@example.org.