Data and Encryption Policies
- Secure Data Transaction
- Secure Hacker Protection
- Secure Data Availability
- Secure Data Centers
Certifications and Assessments
ISO 27001:2013 CERTIFIED
We are certified with Symantec for the most secure network protection in the world through SSL. SSL stands for Secure Sockets Layer. It is a security protocol that conveys your communications over the Internet in an encrypted form. SSL encoding is commonly employed by eCommerce websites to protect sensitive information such as credit card numbers or personal data. SSL certificates ensure that information is delivered to the server for which it was intended, without falling into the hands of third parties who could tamper with the data. You’ll recognize sites that have an SSL certificate by the URL https, rather than the unsecured http, plus the padlock icon that appears in your browser’s address bar. 1&1 offers QuickSSL certificates for your domain; read on to find out why ordering an SSL certificate is the right choice for you.
Vulnerability Detection and Penetration Tests
Our security company Sucuri regularly performs security vulnerability detection and penetration tests. Our security team receives immediate updates about various threats, so they can be resolved automatically or by an update to our security certificates.
We have all heard about hackers crippling the websites of various companies and organizations. These are known as distributed denial of service (DDoS) attacks. Our webhost detects such attacks early and implements the necessary counter-measures to keep your data safe and available.
All 1&1 shared hosting products run in parallel at two separate data centers. In the event of a problem at one data center, the system automatically switches to the second, ensuring your data remains available. In addition, daily backups are made with a third system, guaranteeing 99.9% data availability.
Where is my data hosted?
All user data is stored in various locations in the EU.
All emails are sent using Gmail through Google Services. Email and correspondence content is stored within US regions of Google Cloud Storage (“GCS”). ’s production environment is hosted on Google’s platform. User content can also be found in backups, stored with Google.
Customer data is not replicated onto employee workstations or mobile devices.
Secure Data Centers
1&1’s data centers are among the safest and most modern in the US and the EU. Thanks to multiple redundant connections to major Internet hubs, 1&1 offers close to 100% availability. Sophisticated security measures also ensure data protection according to the highest standards as our data centers and networks are ISO 27001:2013 certified through TUV.
Separate and distinct production, staging, and development environments are maintained, and production data is not replicated outside of the production restricted environments. No data is stored on production environments.
Our internal office network is protected by firewalls; there is no outside access into our internal network.
SAML 2.0 SSO is supported for customers. We require a minimum of 8 characters for passwords. Repeated failed login attempts trigger a 30-second lock before a user can retry. Passwords are stored in a hashed form and will never be sent via email. Upon account creation and password reset, we will send a link to the email associated with the account that will enable the user to create a new password.
Password complexity and session length requirements cannot be customized within the app. However, these can be set within an IdP for an SSO-enforced team.
All customer data is considered highly sensitive and is protected, and access follows least privilege. Only authorized and trained members of the team have direct access to production systems and user data. Those who do have direct access to data are only permitted to view it in aggregate or for troubleshooting purposes. User data is only viewed by employees for troubleshooting purposes when consent has expressly been provided ahead of time by the account owner or team administrator.
There is not much data stored on our servers other than customer name and email address or purchase history. Our customers can therefore trust that no sensitive data is kept on our servers or databases.
Trained members of the customer support team have case-specific, limited access to user data through restricted access customer support tools. Customer support team members cannot review user-generated content without an express and revocable grant of permission. When a user submits a support ticket, they have the option of authorizing the customer support team to view their data. The Support team will only receive access to the account if it is explicitly granted by the user, either by selecting the “Give support staff temporary access to your account” option when submitting a help request, or by clicking a link sent to the user’s email by the Support team. Only after authorization has been provided by the account owner will members of the support team use their account view tool to view the account owner’s data. The account owner can revoke access at any time. Upon role change or leaving the company, or before firing, the production credentials of employees are deactivated, and their sessions are forcibly logged out. From there, all accounts are removed or changed.
Third Party Access
In very limited cases, select customer data is shared only with third-party service providers acting as our agent (a user’s email address for an email delivery provider, for example) and in strict compliance with customer agreements.
Customer data is never to be replicated outside of the production environment and is never to be replicated onto employee workstations.
Corporate Environment and Removable Media
Strict firewall rules prohibit access to the ports necessary for use of the service (e.g., 443), to ensure that access to the production environment is limited to our in-house network and authorized systems. The corporate network has no additional access to the production environment.
Production customer data is never to be stored on employee workstations or removable media. Employee devices are required to time out and lock after a maximum of ten minutes of inactivity. does not have a clean desk policy.
We use industry standard Transport Layer Security (“TLS”) to create a secure connection using 128-bit Advanced Encryption Standard (“AES”) encryption. This includes all data sent between the web, iOS, and Android apps and the servers. There is no non-TLS option for connecting to . All connections are made securely over HTTPS.
Encryption At Rest
Data drives on servers holding user data use full disk, industry-standard AES encryption with a unique encryption key for each server.
Encryption on Mobile Devices
To be clear, while customer data is never to be stored on the workstations or removable media of employees, some data may be stored in an unencrypted form on the phones of users who are using the iOS and Android apps that view booking information. For both operating systems, if someone can get around the native operating system sandboxing because of a compromised or rooted device or the like, additional measures that could be taken within the application could be easily circumvented at that point.
Removing/Deleting Data from
Production customer data is never to be replicated outside of the production cloud environments and is never to be stored on employee workstations or removable media. Upon a customer’s deletion request, all data is deleted except for purchase history or email correspondence.
Upon account creation, users are asked for a username, full name, and email, though these do not need to be verified.
Backup, Business Continuity, and Disaster Recovery Policy
Data entered into is backed up regularly through 1and1. All backups are encrypted and stored to ensure that they are available in the unlikely event that a restore is necessary.
All backups are immediately encrypted with 256-bit AES encryption using GNU Privacy Guard (“GPG”) with a password-protected symmetric cipher. Encrypted backups can only be decrypted by members of the operations team who have received training and have been authorized to decrypt the backups.
Because user data is on a shared infrastructure, it is not uniquely identifiable. As such, it is not possible for us to recover a subset of that information from backups. If a user is particularly concerned with maintaining a complete record of their information in , we suggest you frequently export your data or use our API to connect a DLP tool to .
A rolling live replica of ’s primary database is constantly being taken on a 1-hour delay. Additionally, a full backup snapshot of the primary database is taken once every 24 hours.
All backups are retained on the following schedule and at the following locations:
- Internal firewall backup server
Only authorized members of the operations team have access to the backup locations, so that they can monitor the performance of the backup processes and perform a restore in the very unlikely event that one becomes necessary. After 90 days, the encrypted backup files are destroyed.
If you need to report any security issues, please contact us here