Build on trust

Security at Unmand

At Unmand, security has been a foundational focus from day one. We are continually working on new ways to ensure all data transmitted or stored is handled securely. Here are some of the ways we keep you and your data safe.

Product Security

Encryption

Unmand encrypts all databases at rest with AES-256 encryption. Sensitive customer data is additionally encrypted at the column level for an added layer of protection.

Session management

The location and IP address of each session is recorded, and you can revoke any sessions you don't recognise. Administrators can review all active sessions in the Unmand portal.

IP restrictions

Protect your projects against unauthorized use by restricting access to a set of trusted IP addresses using an IP allowlist. You can define one easy-to-maintain allowlist for the entire organisation.

Secure connections

Unmand forces HTTPS for all services using TLS 1.2 (SSL), including our public website and the customer portal. Unmand uses HSTS to ensure that all communications between your browser and Unmand are encrypted.

Access and account controls

Access to data within Unmand's portal is governed by role and project-based controls and can be configured to define granular access privileges. There are permission levels for read, write and administrator.

Password and sensitive data

Unmand employs a strong password policy based on algorithmic complexity. This is a more secure, flexible, and usable alternative to password composition policy. Any sensitive information is stored as a one-way cryptographic hash using enterprise-grade ciphers.

Two-factor authentication

To provide a second layer of security to protect access to your Unmand account, we support the Time-based One-time Password (TOTP) approach, which requires you to use a compatible smartphone app such as Google Authenticator, Authy or 1Password.

Audit and logging

We maintain comprehensive logs of all activities and actions for each product. These logs can be used for your audit purposes or internally at Unmand for troubleshooting and support requests.

Physical Security

Infrastructure

Unmand's physical infrastructure is hosted and managed within Amazon's secure data centers and utilizes Amazon Web Services (AWS) technology. All our production systems are physically located in Australia or the USA. Amazon continually manages risk and undergoes recurring assessments to ensure compliance with industry standards. Amazon's data center operations have been accredited under:
  • ISO 27001
  • SOC 2
  • PCI Level 1
  • FISMA Moderate
  • Sarbanes-Oxley (SOX)
  • and more

On-site premises

Access to Unmand's offices is restricted to authorised personnel. Unmand deploys several security features such as individualised swipe card access, security video feeds, intrusion detection technology, and other security measures.

Data Security

Data Ownership

Your data 100% belongs to you. Unmand does not sell your data to third-party providers. Unmand has a published privacy policy that clearly defines what data is collected and how it is used. We will never sell or transfer your data to a third party without your consent. For additional information see: https://unmand.com/privacy

Data Retention

You can control the retention period for your data directly in the Unmand portal. This can be set from no data retention to up to 90 days.

Data Backups

Daily snapshots are retained for 30 days to support point-in-time recovery and are encrypted using AES-256 encryption. Backups are replicated to multiple data centres within a particular region.

General Data Protection Regulation

Unmand is committed to compliance with GDPR and has implemented a wide range of technical and organisational measures. This includes the ability for customers to delete information and data uploaded to any of Unmand's products.

Personnel Security

Background Checks and Access

Each team member has an extensive background check and undergoes comprehensive training on data security protocols. Only a limited number of staff members can access customer data.

Confidentiality Agreements

All employees are bound by non-disclosure and confidentiality agreements.

Continuous Education Campaign

Unmand provides staff with continuous communication on emerging threats, performs phishing awareness campaigns, and communicates with staff regularly.

Security Champion Program

Unmand nominates a security lead within every one of our product and service teams. Champions are provided with dedicated training to help them understand and identify application security vulnerabilities and leading secure development practices.

Quality Controls

Peer Code Reviews

Every code release is reviewed by peers, whether it's a new feature or a bug fix. Security reviews are performed as part of our software development sprint management, and software dependencies are automatically scanned for vulnerabilities and security updates.

Continuous integration and delivery

Every code release is automatically subjected to a pipeline of rigorous tests and analysis before it is deployed. Our continuous deployment system and development process allow us to rapidly update and patch our system whenever needed.

Payment Security

Payment provider

Unmand uses Stripe for processing credit card payments. Stripe is certified to PCI Service Provider Level 1. This is the most stringent level of certification available in the payments industry.

Credit cards

Unmand does not store your credit card information. Credit card information is handled by Stripe with all card numbers encrypted at rest using AES-256. Decryption keys are stored on separate machines.