Endurance Information Security Program Overview

The Endurance International Group, Inc. and our subsidiaries (“we,” “us” or “Endurance”) take the security of customer data seriously. We have implemented internal policies and controls to try to ensure that customer data is protected and only accessed by authorized Endurance employees in the performance of their duties. Where Endurance engages third parties to process customer data on its behalf, they do so in accordance with our written instructions under a duty of confidentiality, and they are required to implement appropriate technical and administrative measures to ensure the data is secure.

More specifically, Endurance maintains: confidentiality by ensuring that only people who are authorized to use the data can access it; integrity by ensuring that data is accurate and suitable for the purpose for which it is processed; and availability by ensuring that authorized users are able to access and use the data they need for authorized purposes in a timely and reliable manner.

Endurance takes a ‘defense in depth’ approach to secure data on multiple levels, including physical, network, host, software, and user account security, each as further discussed below.

Physical Security

Physical access to Endurance’s hosting environment is restricted to specific individuals and uses multiple levels of security as follows:

  • Endurance servers and infrastructure are located in secure data centers where access is limited to authorized personnel and badge access or biometric authentication (e.g., hand scanners and fingerprint IDs) are required to access the facilities.
  • Endurance servers are isolated and secured within the data center in areas dedicated to Endurance equipment only; these areas are not shared with third parties.
  • Access to data centers and hosting systems are regularly reviewed by Endurance’s data center operations team to assure that only authorized users have access.
  • 7×24 security guards perform random checks of the data center to ensure physical security controls have not been compromised.

Network Security

  • Endurance requires that network communications adhere to the principles of data confidentiality, integrity, and availability discussed above.
  • Endurance’s hosting environment is protected from the public Internet and corporate Local Area Network (LAN) via multiple next-generation firewalls and is monitored by an intrusion prevention/detection system, including a strategically placed distributed denial of service mitigation system.
  • Endurance requires that information is handled with appropriate levels of encryption in accordance with our policies and standards and to comply with applicable laws.

Customer Hosted Environment Security

  • Endurance performs industry-standard security hardening efforts — more specifically, critical systems are hardened and configured per industry best practices as defined by the Center for Internet Security (CIS).
  • Endurance regularly reviews information on current security vulnerabilities, including vendor announcements and other industry sources. If security updates are determined to be critical to the Endurance environment, they are tested and deployed in a timely manner.
  • Customer hosting systems and services are routinely monitored for integrity and availability. Operations staff review alerts generated by monitoring systems and respond promptly.
  • Customer hosting systems are monitored 24×7 for malicious activity.
  • Administrative access to Endurance’s infrastructure is limited strictly to authorized users with multi-factor authentication. Individual usernames and passwords are required for machine and data access.
  • Endurance adheres to strong password guidelines, including complexity and minimum length requirements. Passwords are expired and changed on a regular basis.

Software Security

  • Internally developed code is subject to Endurance’s secure coding guidelines, which includes testing of functionality and business logic, and for security flaws. In addition, our Change Management Policy ensures that code deployed to the production environment has been appropriately tested, reviewed, and approved.
  • We train our engineers in secure coding and architectural design patterns such as those outlined in the OWASP Top 10, CIS Critical Security Controls, and NIST frameworks.
  • As part of Endurance’s ongoing PCI compliance, we regularly undergo security reviews, including external and internal scanning for vulnerabilities on an ongoing basis. All vulnerabilities discovered are reviewed by internal security and addressed in accordance with the level of severity.

Incident Management

  • Endurance has a documented Cybersecurity Incident Response Plan, a 24×7 Command Monitoring Center, and an industry-leading incident response third party on retainer.
  • The Cybersecurity Incident Response Plan undergoes annual tabletop testing and is updated as necessary.

Personnel Security

  • Endurance employment offers are contingent upon successful completion of a criminal background and reference checks where allowed by law.
  • Upon commencing employment, all Endurance employees receive information security training and are contractually obligated to confidentiality clauses to ensure that they adhere to Endurance’s commitment to security and confidentiality.
  • Endurance’s information security awareness and training programs require employees to complete annual security refresher training.

Patch Management

  • Where feasible, system components and software are protected from known vulnerabilities by applying the latest vendor-supplied security patches.
  • Endurance systems are routinely updated per vendor recommendations and industry standards.

Virus/Malware Management

  • Endurance uses up to date virus scanning software for detecting currently known malware.
  • Malware definitions are updated daily and installed as required.
  • Operations teams monitor the Endurance hosting environment 24×7 for malware infections.

Questions

Email security@endurance.com and we’ll get back to you as soon as we can.