How does Member Jungle protect your data?
Data security is a major concern in today’s world. We now store a growing amount of personal information online, including home addresses, banking details, passwords, and much more. Given the increasing volume of sensitive data available on the internet, it is crucial to ensure that this information remains private and does not fall into the wrong hands.
Unfortunately, data breaches occur far too frequently. It seems that every few months, another business or organisation is hacked, resulting in personal information being compromised. This can cause significant stress, embarrassment, and various other issues for individuals whose data has been leaked.
This results in a lot of concern regarding data security and the protection of your data. Unfortunately, due to how some companies handle and protect their customers’ data, this concern is more than justified.
We want to take this opportunity to be transparent about our commitment to data security and explain the measures we take to safeguard both our customers' data and the data of their members.
As we go through this, I will split each section into “what we do” to keep your data private and “what you can do” to help keep your data safe. We could have the most secure system in the world, but if you don’t also take the necessary steps towards security, then it will all be for naught.
Member Jungle History Of Data Security
We have over 20 years of experience in the web hosting and security industry. Our hosting division, AusTiger Hosting, collaborates with government agencies and large organisations across Australia and the Pacific. We have undergone audits and received certifications from reputable authorities, including the ACT Government.
Data security is an integral part of our company's DNA; we remain vigilant and proactive in safeguarding our customers' data, fueled by a healthy dose of necessary paranoia to keep us at the top of our game.
Encrypting Your Data - What We Do
Member Jungle uses a variety of different methods to encode and protect your data. Not only do we adhere to the industry standards, but we go above and beyond and always apply the best practices, not just what is legally required of us.
Essentially, if the industry standard is to install a standard key lock on the door, we do that and then add a deadbolt for extra security, along with a metaphorical Rottweiler behind the door to ensure it is as secure as possible.
At Member Jungle, we use both Two-way Data Encryption and One-way Data Encryption to ensure the best level of security. Two-way encryption allows data to be encrypted, stored or transferred, and then decrypted back to its original state. One-way encryption (or hashing) allows data to be encrypted, but the result can never be returned to its original state.
Any data moving between our servers and your web browser or mobile app is completely encrypted. This is done using SSL web traffic encryption, which ensures the data is encrypted end to end, making it much more secure. We also encrypt the majority of data at rest, that is, the data stored in the database used by your Member Jungle site.
When we only need to compare data, like a password, we just compare the hashed version of it. This is one-way encryption and provides a very high level of security.
Encrypting Your Data - What You Can Do
Speaking of SSL web traffic encryption, please never, ever log in or access personal data if you don’t see https in the website URL, or the padlock indicator in your browser. These are all signs that your SSL is working correctly and encrypting your data. If you don’t see these and give your personal details anyway, you may be at risk.
Below is an example of this in action; this is the Member Jungle website, and as you can see, there is a little padlock symbol in the address bar.
On Google Chrome, there is a little icon with sliders on the left-hand side of the URL bar; if you click on this, you will get the same information, as seen below.
Passwords & System Access - What We Do
We have multiple layers of password protection, which we are constantly updating. All of our passwords are hashed. Hashed passwords are one-way encrypted and cannot be reverse-engineered. This means that no one in our organisation can determine an existing password. Membership administrators cannot see an existing password. No one can, even if they have access to the underlying data.
Accounts are locked after a number of password attempts to stop brute force attacks. Our systems can also detect other nefarious activities like multiple payment attempts and other commonly known industry hacks and then block the systems attempting these attacks.
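The hash-and-compare login check and the attempt lockout described above, as an added Python example that is not Member Jungle's code: the article names neither a hashing algorithm nor a lockout limit, so PBKDF2-HMAC-SHA256, the five-attempt threshold and every name below are assumptions.

```python
import hashlib
import hmac
import os

MAX_FAILED_ATTEMPTS = 5      # assumed threshold; the article does not state one
PBKDF2_ITERATIONS = 600_000  # assumed work factor for PBKDF2-HMAC-SHA256


def derive(password: str, salt: bytes) -> bytes:
    """One-way transform: the password cannot be recovered from the output."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


class AccountStore:
    """Hypothetical in-memory store holding only salt, digest and failure count."""

    def __init__(self):
        self._records = {}

    def register(self, user: str, password: str) -> None:
        salt = os.urandom(16)  # per-user salt: equal passwords give different digests
        self._records[user] = {"salt": salt, "digest": derive(password, salt), "failures": 0}

    def login(self, user: str, password: str) -> str:
        rec = self._records.get(user)
        if rec is None:
            derive(password, b"\x00" * 16)  # do the same work for unknown users
            return "denied"
        if rec["failures"] >= MAX_FAILED_ATTEMPTS:
            return "locked"  # refuse before hashing, even for the right password
        candidate = derive(password, rec["salt"])
        # Compare digests in constant time; the plaintext is never stored or compared.
        if hmac.compare_digest(candidate, rec["digest"]):
            rec["failures"] = 0
            return "ok"
        rec["failures"] += 1
        return "denied"


if __name__ == "__main__":
    store = AccountStore()
    store.register("alice", "constructed-sample-passphrase")  # constructed sample data
    print(store.login("alice", "constructed-sample-passphrase"))
    for _ in range(MAX_FAILED_ATTEMPTS):
        print(store.login("alice", "wrong-guess"))
    print(store.login("alice", "constructed-sample-passphrase"))
```
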
Passwords & System Access - What You Can Do
We encourage all systems administrators and anyone who accesses your club’s data to have complex passwords. As an extra level of security, Two-Factor Authentication is about to be rolled out for all systems administrators.
We highly encourage the use of digital password safes like 1Password or LastPass. These applications allow you to use highly complex and safe passwords and alert you if passwords are discovered in any global data breaches.
It is important to never reuse passwords, and if you do, make sure the password to your email address is completely different from all your other passwords. Your email is your last line of defence, and if people can hack into it, then they can just use the ‘Forgot Password’ functions from all other systems you use to gain access to your accounts.
We also highly recommend the use of a service like Have I Been Pwned to track your organisation’s email accounts and be alerted if they have been exposed in a data breach.
Firewall Protection - What We Do
We use multiple levels of firewall protection for our systems and your data. As part of best practices, we use firewalls and intrusion protection systems from multiple vendors. This means that if one vendor has a bug or an issue that causes a problem with their firewalls, it will only affect one of the firewalls we use; all the others will be fine.
Firstly, we have protection from the general public from known locations and, in some instances, specific countries. In this first layer of protection, we are using dynamically adjusted protection from one of the largest internet providers using their latest systems. We are a hosting partner with this organisation and have close contact with them and their security teams. This level of protection also includes coverage of denial-of-service attacks and reaches down to specific application attempts.
We also use this firewall system to protect between servers in our own closed environment.
The second and third levels of protection are application-level security. This means that every page view or data access is checked by both a third-party application firewall and then our own measures to inspect further what actions are attempted.
Architecture Designed For Isolation - What We Do
Since day one, the architecture of the Member Jungle system has been designed to separate authentication systems, web servers, application servers, and database servers. Therefore, in the unlikely event that anything is penetrated, there is complete isolation, and the risk is massively minimised.
Essentially, like modern ships having multiple bulkheads, if one is damaged and water makes it inside, the rest of the compartments will stay watertight and keep the ship afloat. If there is an issue or hack into one Member Jungle system, all the other systems will stay safe and remain unaffected.
Any APIs (Application Program Interfaces) we use rely on double-handshake authentication, meaning that both ends have to correctly authenticate before data is exchanged. For reference, the Optus data breach that happened a few years ago had no authentication whatsoever. It’s the difference between personally handing your child over to your parents so they can babysit for the night and setting your kid free in the street before yelling, “go find grandma” as you drive off. One is far more secure than the other.
Our hosting architecture can only be accessed by a small number of the Member Jungle team using our VPN with separate levels of authentication via access key encryption and then password access.
Online Payments - What We Do
The Member Jungle payment gateway is built on top of the Stripe payment gateway. Stripe is one of the leading global payment gateways and has bank-level protection for data. They have the highest level of PCI Certification (Payment Card Industry).
When a transaction is processed via Stripe, additional fraud checks are run against the card and the nature of the transaction.
Member Jungle stores no credit or payment data on our systems. If a member ‘stores’ or saves their credit or debit card, all information is stored at Stripe (with all their protection), and we only store a link that can be used to charge that card for future transactions and only from your Member Jungle website.
We also limit the number of payments, successful or not, that can be transacted in a period of time.
For more details about Stripe and their security, please read Security at Stripe.
General Obfuscation - What We Do
The other thing we have learnt over the years is not to get too specific about what we do with security. In this article, we have given an overview of what we do to rest your mind, but we have intentionally not named specific vendors or approaches we take. The less the bad guys know, the more secure the system and hence your data.
Our approach is to always use the best-in-class software systems and vendors. We work closely with our key vendors as vendor-developer partners, so we have additional access to their experts.
Storage Of Identification Documents - What We Do
We at Member Jungle never store any of your or your members’ identification documents. We do not store driver's licences, passports, health cards or any other identification documents at all for our clients.
If you ever have provided, or need to provide, identification for a payment gateway account, that information is not stored on our servers. It is used by Stripe to satisfy banking regulations, 100 point ID checks, and then destroyed.
Storage Of Identification Documents - What You Can Do
To help keep your members’ identification documents safe, please don’t collect their identification documents. Although it is possible for you to do this without our knowledge using a membership form image upload, and it will be encrypted, don’t do it. It puts you and your members at risk.
Member Jungle Data Security FAQs
Do You Share Information With Anyone Else?
No. Member Jungle will never share any member data with any third-party organisation. Not specific data, not rolled up data, not anonymised data. Nothing.
Your data is your data, not someone else’s. One of the driving forces behind Member Jungle is our obsession with privacy and hatred of internet systems, especially social media organisations, who share your data and/or use it for advertisers.
We will never do that.
For more information about this, please read Keeping Your Club’s User Data Private.
Will You Advise Us If There Is A Breach?
Of course. Immediately.
One of our core values is to ‘Be Transparent’, internally and externally. We will let you know the extent of the issue, and we will also work with the Australian Cyber Security Centre to address it.
So Our Data Is Safe And Never Will Get Hacked?
Unfortunately, we can’t guarantee that we will never be hacked. We wish we could, but there is nothing for certain in this world but death. Anyone who tells you they can’t be hacked is lying. If you ever hear someone claim to be unhackable, that should raise alarm bells. NASA gets hacked, banks get hacked, and telecommunications companies get hacked. Even the NSA has been hacked.
Despite this, we have gone through very significant steps to protect you and your club and have specific internal and external monitoring and logging systems in place for detection. We can’t guarantee we will never be hacked, but we can guarantee we will make it as difficult as possible.
As I said at the start of this article, we are paranoid, and we have to be; the “bad guys”, for lack of a better phrase, are always improving so we need to as well.
What Else You Need To Know About Data Security With Member Jungle
For more information on how SSL certificates protect your club’s information and why you need one, please read Why SSL for Your Website is Critical.
For more information about protecting your club’s data, read Keeping Your Club’s User Data Private.