Security at VIP

We take security seriously here at VIP, applying the best practices we’ve developed in safeguarding the largest WordPress instance in the world at WordPress.com to protecting your sites and applications.

Compliance Certifications

All of our origin data centers maintain SSAE16 SOC 1 and SSAE SOC 2 certifications. In addition, the VIP Cloud Hosting Service, under which we act as a data processor, is certified under the EU-U.S. Privacy Shield Framework and the Swiss–U.S. Privacy Shield Framework as set forth by the U.S. Department of Commerce.

Security Features

  • Data encryption in transit from edge to origin, with options for encryption at rest
  • Network and host-based firewalls with real-time notification processes
  • SAML-based SSO
  • DDoS protection
  • SSL and HTTPS for all authenticated customer access to our services
  • Owned and operated, globally distributed CDN
  • Logging and auditing at the application, web server, load balancing, database, and operating system layers

Data Security

  • Application: Each WordPress instance on the VIP Cloud Hosting Service runs within its own isolated, containerized environment and cannot interact with other applications or areas of the system. These containers isolate processes, memory, and the file system.
  • Database: Databases are set up per application to help mitigate the risk of unauthorized access between applications, and each database requires its own unique authentication.
  • Customer Data Access: Normal operations of the VIP Cloud Hosting Service include application support in the form of troubleshooting, platform upgrades, testing, and code review. Access to customer data is controlled and is designed to be limited to those Automattic employees performing such activities.

Vulnerability Management

  • Patching: We actively monitor for security patch releases, and apply all identified patches where appropriate to all operating systems, applications, and network infrastructure to mitigate exposure to vulnerabilities. We prioritize patching based on severity and impact on our customers’ security.
  • Security Testing: We perform regular internal security testing and engage with third parties to perform application and network vulnerability assessments.
  • Penetration Testing: We are happy to work with customers who are interested in performing their own independent penetration testing.
  • Bug Bounty: Automattic operates a bug bounty program via HackerOne to reward those who find bugs and help improve the security of our applications.
  • Viruses/Malware: Automattic makes available anti-malware controls to help safeguard your code.
  • Personnel: Our security team is led by our Security Czar and comprises staff responsible for Automattic’s application and information security. This security team works directly with Automattic’s product teams and their customers to address risk and maintain Automattic’s strong commitment to keeping our clients’ products safe.

Physical Security

Our servers are co-located in data centers designed to meet the regulatory demands of multiple industries.

Our origin servers meet the International Organization for Standardization (ISO)/International Electrotechnical Commission (IEC) 27001 certification, Standards for Attestation Engagements (SSAE) No. 16 (SOC1) and SOC2 Type 2, and ongoing surveillance reviews. All servers are housed in dedicated cages to separate our equipment from other tenants.

Automattic limits access to facilities where information systems that process Customer Data are located to identified authorized individuals.

We use a variety of industry-standard systems to help protect against loss of data due to power supply failure or line interference.

Backup and Recovery

Our backup systems are designed to back your site data up on an hourly basis.

Automattic maintains emergency and contingency plans for the facilities in which data is located. These plans include redundant storage and recovery procedures designed to attempt to reconstruct data in its original or last-replicated state from before the time it was lost.

As a client, you may choose to delete content published on Automattic’s service. Upon deletion, Automattic will clear deleted content from its internal cache within 2 business days, but deleted content may not be cleared as quickly from external caches (for example, Google search index). You may also request deletion of any personal data (for example, usernames and addresses) that you provided to Automattic and/or stored on Automattic.

Let's Talk Security

We love talking about security, our approach to safeguarding data and systems, and emerging industry standards and best practices. If there’s anything you’d like to know more about, please drop us a note.