Digital Garden has rigorous security protocols that ensure we develop our client products to the highest standards of security. It all begins with our team personnel:
- Employee background, security & criminal checks, including an Australian Federal Police (AFP) National Police Check and security vetting through the Australian Government Security Vetting Agency (AGSVA)
- A dedicated Chief Security Officer role, who regularly reviews and audits security procedures and protocols with our third-party cyber security consultancy
- Digital Garden employees undergo regular security awareness training. Topics include recognising suspicious emails, links and attachments
Operational security for client products & systems
Digital Garden vigilantly monitors:
- Access logs for its clients' content management systems (via Drupal Reports), Bitbucket code repositories (via Atlassian Access) and development environments (via the Platform.sh console)
- Drupal.org security advisories and module updates that need to be applied
- Any unusual activity on client CMS or hosting environments
Security for systems & tools
For the tools we use day to day, we ensure all necessary measures are implemented, such as:
- Multi-factor authentication (MFA/2FA)
- Enforcement of strong passwords
- Regular password expiry
- Mandatory use of our chosen password manager
- Daily backups of all sites, code and design files
- Administrative access granted on the principle of least privilege
Security of physical premises & workplace devices
Digital Garden has the following measures in place in our offices and agency-issued devices:
- Access control to our premises
- Monitoring of our premises via CCTV
- Password-protected devices, configured to encrypt data at rest (such as FileVault on our predominantly Apple devices)
- Enforcement of strong passwords
- Automatically locking devices when idle for a short period of time
Employees' personal mobile devices that may be used as a factor during MFA logins must be protected by a passcode or biometric lock.
Infrastructure & data security at Platform.sh
Our primary hosting infrastructure provider Platform.sh is a managed cloud platform whose security measures include:
- Auto-redundant architecture
- DDoS prevention via a multitier CDN
- Server-hardening measures
Data security, encryption & retention practices
Our data encryption and retention practices include:
- All changes and new features developed by Digital Garden on a client's digital product are strictly governed by our code change management policy
- Our repositories are encrypted at rest (AES-256) and in transit (TLS 1.2+), so our clients' code is protected both in storage and on the wire
- Developer access is restricted to predefined IP addresses and requires multi-factor authentication
- We encrypt all sensitive and PII data collected by any of our clients' digital products