This policy outlines: 1) Member Hub's security practices and resources, and 2) your security obligations. This policy is incorporated by reference into the Member Hub Terms of Service.
Our documentation may specify restrictions on how Member Hub may be used or configured. You agree to comply with any such restrictions as specified.
You are responsible for properly configuring and using the Services and for taking your own steps to maintain appropriate security. You are not permitted to circumvent any security measures in an attempt to access data that does not belong to you.
Your credentials used in the Service are confidential. You may not sell, transfer, share or sublicense them to any other entity or person.
If you discover a potential security vulnerability, please see our policy on Responsible Disclosure.
We strongly prefer that you notify us in private. Publicly disclosing a security vulnerability without informing us first puts the community at risk. When you notify us of a potential problem, we will work with you to make sure we understand the scope and cause of the issue. Thank you!
Without limiting any provision of the Member Hub Terms of Service, we will implement reasonable and appropriate measures designed to help you secure Your Content against accidental or unlawful loss, access or disclosure.
Member Hub manages information security using a framework that specifies the requirements for establishing, implementing, maintaining and continually improving a comprehensive information security management system and its risk management capabilities.
Member Hub runs on the Amazon Web Services (AWS) global infrastructure platform. At this point in time, the Service is hosted only on Australian infrastructure.
AWS publishes an "Overview of Security Processes" whitepaper that serves as the reference material for this section.
AWS computing environments are continuously audited, with certifications from accreditation bodies across geographies and verticals, including ISO 9001 / ISO 27001, IRAP, and PCI DSS. Additionally, AWS has assurance programs that provide templates and control mappings to help customers establish the compliance of their environments running on AWS against 20+ standards.
AWS data centers are housed in nondescript facilities. Physical access is strictly controlled both at the perimeter and at building ingress points by professional security staff utilizing video surveillance, intrusion detection systems, and other electronic means. Authorized staff must pass two-factor authentication a minimum of two times to access data center floors. All visitors and contractors are required to present identification and are signed in and continually escorted by authorized staff.
AWS data center environmental controls include:
Member Hub runs in an AWS Virtual Private Cloud. Most services run in a private subnet and are not publicly exposed.
Member Hub utilises an inbound firewall configured in deny-all mode. HTTP, HTTPS and SSH ports are opened as necessary.
Member Hub workforce members are only granted administrative privileges on an as-needed, least-privilege basis. Access reviews are performed on a regular basis.
Member Hub logs AWS and Member Hub API activity. The Member Hub platform monitors performance indicators such as disk, memory, compute, and logging issues, and automatically notifies Member Hub of issues.
Member Hub code undergoes automated testing and manual code review prior to being deployed to production. We receive notifications of vulnerabilities and patches on a continuous basis.
Databases run in the database layer in our Virtual Private Cloud, on a private subnet accessible only from the Member Hub platform.
Our database supports intermediate backups (e.g. write-ahead logs); Member Hub configures these intermediate backups through AWS to span at least the time between daily backups, enabling fine-grained, point-in-time disaster recovery. Full backups are taken daily and retained for the period of time outlined in the standard Service SLA.
AWS data centers are clustered into regions, and sub-clustered into availability zones, each of which is designed as an independent failure zone, meaning they are:
Member Hub is distributed across multiple availability zones within Sydney, Australia.