Built on trust

Security at Unmand

At Unmand, security has been a foundational focus from day one. We are continually working on new ways to ensure all data transmitted or stored is handled securely. Here are some of the ways we keep you and your data safe.

Product Security

Encryption

Unmand encrypts all databases at rest with AES-256 encryption. Additional column-level encryption is applied to sensitive customer data for an added layer of protection.

Session management

The location and IP address of each session is recorded, and you can revoke any sessions you don't recognise. Administrators can review all active sessions in the Unmand portal.

IP restrictions

Protect your projects against unauthorized use by restricting access to a set of trusted IP addresses using an IP allowlist. You can define one easy-to-maintain allowlist for the entire organisation.

Secure connections

Unmand forces HTTPS for all services using TLS 1.2 (SSL), including our public website and the customer portal. Unmand uses HSTS to ensure that all communications between your browser and Unmand are encrypted.

Access and account controls

Access to data within Unmand’s portal is governed by role and project-based controls and can be configured to define granular access privileges. There are permission levels for read, write and administrator.

Password and sensitive data

Unmand employs a strong password policy based on algorithmic complexity. This is a more secure, flexible, and usable alternative to a password composition policy. Any sensitive information is stored as a one-way cryptographic hash using enterprise-grade ciphers.

Two factor authentication

As a second layer of security to protect access to your Unmand account, we support the Time-based One-time Password (TOTP) approach, which requires you to use a compatible smartphone app such as Google Authenticator, Authy or 1Password.

Audit and logging

We maintain comprehensive logs of all activities and actions for each product. These logs can be used for your audit purposes or internally at Unmand for troubleshooting and support requests.

Physical Security

Infrastructure

Unmand's physical infrastructure is hosted and managed within Amazon’s secure data centers and utilizes Amazon Web Services (AWS) technology. All our production systems are physically located in Australia or the USA. Amazon continually manages risk and undergoes recurring assessments to ensure compliance with industry standards. Amazon’s data center operations have been accredited under:

  • ISO 27001
  • SOC 1 and SOC 2/SSAE 16/ISAE 3402 (Previously SAS 70 Type II)
  • PCI Level 1
  • FISMA Moderate
  • Sarbanes-Oxley (SOX)

On-site premises

Access to Unmand’s offices is restricted to authorised personnel. Unmand deploys several security features such as individualised swipe card access, security video feeds, intrusion detection technology, and other security measures.

Data Security

Data Ownership

Your data 100% belongs to you. Unmand does not sell your data to third-party providers. Unmand has a published privacy policy that clearly defines what data is collected and how it is used. We will never sell or transfer your data to a third party without your consent. For additional information see: https://unmand.com/privacy

Data Retention

You can control the retention period for your data directly in the Unmand portal. This can be set from no data retention up to 90 days.

Data Backups

Daily snapshots are retained for 30 days to support point-in-time recovery and are encrypted using AES-256 encryption. Backups are replicated to multiple data centres within a particular region.

General Data Protection Regulation

Unmand is committed to compliance with GDPR and has implemented a wide range of technical and organisational measures. This includes the ability for customers to delete information and data uploaded to any of Unmand's products.

Personnel Security

Background Checks and Access

Each team member has an extensive background check and undergoes comprehensive training on data security protocols. Only a limited number of staff members can access customer data.

Confidentiality Agreements

All employees are bound by non-disclosure and confidentiality agreements.

Continuous Education Campaign

Unmand provides staff with continuous communication on emerging threats, performs phishing awareness campaigns, and communicates with staff regularly.

Security Champion Program

Unmand nominates a security lead within every one of our product and service teams. Champions are provided with dedicated training to help them understand and identify application security vulnerabilities and leading secure development practices.

Quality Controls

Peer Code Reviews

Every code release is reviewed by peers, whether it’s a new feature or bug fix. Security reviews are performed as part of our software development sprint management, and software dependencies are automatically scanned for vulnerabilities and security updates.

Continuous integration and delivery

Every code release is automatically subjected to a pipeline of rigorous tests and analysis before it is deployed. Our continuous deployment system and development process allow us to rapidly update and patch our system whenever needed.

Payment Security

Payment provider

Unmand uses Stripe for processing credit card payments. Stripe is certified to PCI Service Provider Level 1. This is the most stringent level of certification available in the payments industry.

Credit cards

Unmand does not store your credit card information. Credit card information is handled by Stripe with all card numbers encrypted at rest using AES-256. Decryption keys are stored on separate machines.