
Keeping Your WildApricot Account Secure

Security threats are a fact of life in today's digital world, so since the release of WildApricot in 2006 we have been continuously reviewing and improving our security processes.

Security Team

WildApricot has a dedicated group of information security specialists: the Security Team.

WildApricot's Security Team has extensive experience in finding vulnerabilities, allowing us to prevent threats before they occur. Applying both offensive and defensive security measures, we provide an integrated approach to WildApricot security on all levels.

Offensive security processes include:

  • Infrastructure penetration test.
  • Web application penetration test.
  • Social engineering - in the context of information security, this refers to the psychological manipulation of people into performing actions or divulging confidential information.
  • Security intelligence - this is an integrated approach, with combined processes and methods of collecting and analyzing data related to the company's information security.

Defensive security processes include:

  • Security forensics - when a serious incident occurs, we start a security investigation.
  • Infrastructure security hardening.
  • Security monitoring (alerts and notifications).
  • Security review of all new features.
  • Security awareness training.
  • Security compliance (PCI DSS, GDPR).
  • Vulnerability management.

WildApricot Product Security

Before we release new features and functions, the Security Team always reviews their security using the OWASP Top 10 and OWASP Testing Guide v3 methodologies. If any security flaws are found, the Security Team can postpone the release of the feature until developers fix them.

In addition, the Security Team conducts penetration tests. This is an evaluation method in which real-world attacks are simulated in order to improve understanding of the system, discover vulnerabilities, and enhance security. WildApricot follows the testing process described in NIST Special Publication 800-115, Technical Guide to Information Security Testing and Assessment.

We have also been developing our own software, a Security Operation Center, to automatically detect attacks and correlate security events from various sources (Windows, Linux, network, social).


External and internal penetration tests are performed systematically. An external test assesses every unique entry point into the scope from public networks, including services whose access is restricted to individual external IP addresses. Both internal and external testing include application-layer and network-layer assessments. External penetration tests also cover remote access vectors such as dial-up and VPN connections. Upon completion of the analysis, the tester generates a report that identifies system, network, and organizational vulnerabilities along with recommended mitigation actions.

The Security Team tracks all vulnerabilities that need to be fixed. When a vulnerability is fixed, the Security Team reviews it again. After a successful review, the Security Team approves the feature or function for release.

Your Data Belongs to You

We comply with the requirements of the GDPR. The General Data Protection Regulation (GDPR) came into effect on May 25th, 2018. This law is designed not only to protect the personal data of EU citizens, but also to increase organizations' accountability for that data. Any organization or service that keeps, uses, or stores personal data of EU citizens is affected by the law. Many of the GDPR requirements do not relate directly to information security, but in order to comply with this law, companies should review their existing security processes.

For more information about GDPR compliance, visit https://www.wildapricot.com/dpa.

For more information on how WildApricot deals with your data, see our Privacy Policy.

Special Attention to Your Payments


PCI DSS is the Payment Card Industry Data Security Standard (for more detailed information, visit https://www.pcisecuritystandards.org/document_library). Complying with the requirements of this standard assures customers that their payment transactions will be secure. WildApricot complies with the PCI DSS requirements. We do not store clients' payment data; we only pass it to accredited payment gateways and monitor the PCI compliance of those gateways.

Servers that handle payment transactions (servers from which the payment data is sent) pass an annual certification for compliance with PCI DSS. WA successfully completed the evaluation for 2018, and at the moment we are preparing for a new certification in 2019. For more information, please visit https://www.wildapricot.com/security-policy-overview.


You Decide Who Has Access to Your Account

You decide who to grant administrative rights to, and what level of access to assign to each administrator. Do not assign administrator roles without a real need; limit access as much as possible to keep your account secure. For more information on access rights and administrator roles, see https://gethelp.wildapricot.com/en/articles/50.

Mobile App Security

We care about the security of WildApricot's mobile applications: the app for admins and the app for members. The WildApricot mobile applications interact with the API only over the secure HTTPS protocol. All access checks are performed on the server side, so users cannot grant themselves access rights from the client. For detailed information about API access parameters, see https://gethelp.wildapricot.com/en/articles/484-api-access-options.

Company-wide Security

By default, we treat all client information as confidential and apply common rules and recommended security requirements across the entire company. Here are just a few of them:

  • We are very cautious about sharing confidential information on any channel. If we have any doubts, we communicate face to face or by phone call.
  • Inside the company, we use special software to manage sensitive data and credentials. It allows us to store such data without exposing it to the outside world through emails, text messages, or other vulnerable channels.
  • The Security Team monitors employees' access to various data and internal systems. Access to all systems is granted to WA employees selectively, depending on the tasks they perform.

In Conclusion

The Security Team follows world-class security practices and tries to apply them at every possible level of WA security. We update, develop, or completely re-create security processes whenever we find any shortcomings.