Security

Security at Practice Ignition

The security of your data is of utmost importance to us here at Practice Ignition. Security maintenance includes:


Encryption

All customer interaction with Practice Ignition servers is encrypted through the use of SSL. Our SSL certificates use 256-bit encryption to protect your data. Data is encrypted at rest with AES-256, block-level storage encryption.


Disaster Recovery

Data is backed up offsite daily for recovery from disasters. Daily logical backups are retained for 7 days. Our provider offers a continuous protection mechanism for disaster recovery, and our recovery point objective (RPO) in the event of disaster is within 24 hours. Due to our multi-tenanted environment, we haven’t set a recovery time objective (RTO).


Data Retention and Location

Practice Ignition stores the minimum amount of data required in order to provide our services. Customer, proposal and pricing data must be stored by Practice Ignition, but credit card details are stored by PCI-compliant service partners.

Practice Ignition securely and indefinitely retains data unless deletion is requested by the principal of the account. Servers housing data are located within the United States of America.


Financial Security

Credit card details are never stored by Practice Ignition. Credit cards are transmitted directly to our payment providers over SSL connections and are not logged or stored in Practice Ignition systems.

Subscription payments are processed by Recurly, a PCI-DSS Level 1 compliant service provider.

Customer payments are processed by Stripe, a PCI-DSS Level 1 compliant provider. Practice Ignition connects to Stripe using TLS and captures details via Stripe Elements/Stripe.js. PCI SAQ-A attestations are completed annually and can be made available on request.


Password Security

Password security is maintained through minimum password lengths and automatic lockout on repeated login failures.

To maximise your safety, Practice Ignition recommends your password be at least 10 characters with a mixture of letters, numbers and punctuation characters. We recommend that the password you use for Practice Ignition is unique and not used for any other websites. A password manager such as 1Password or LastPass is recommended to manage your passwords.

No plain text passwords are stored at any time.


Physical Security

Practice Ignition's production systems run on Heroku, a popular cloud computing platform. Heroku's security policy details the physical, network, system and data security they provide.


Network Security

Practice Ignition undertakes annual penetration testing provided by Synopsys.

Practice Ignition has implemented technologies provided by Cloudflare to reduce the impact of DDoS attacks.


Vulnerability Management

Software libraries used by Practice Ignition are actively kept up to date. Any security fixes or patches are treated as top priority and are applied as quickly as possible - normally within 24 hours of public release.


Accreditation

Practice Ignition is not ISO or SOC accredited. Please review our sub-processor list for details of sub-processor accreditations.


Support and Development

Application development activities are located within Australia and occur primarily within Australian business hours. Our current infrastructure does not require scheduled maintenance downtime, but we reserve the right to schedule it after providing 24 hours' notice.

Support activities occur globally and current hours of operation are 9 am Monday to 11 am Saturday AEST. No official SLAs are offered, but we endeavour to respond to all support queries within 24 hours.