DATA SECURITY AND CONFIDENTIALITY
At Member Splash, the security and confidentiality of our customers’ data is our number one priority. We have documented the key elements of our practices below, but above all else, we never collect or store critical personal data. The way our system is designed, all financial information (credit card numbers, etc.) is entered directly into secure third-party payment processing systems (like PayPal). Our system only receives and stores confirmation of payment. Similarly, we do not collect or store social security numbers, driver’s licenses, etc. In short, our strongest defense against a potential security breach is that there is nothing secure for a thief to steal (unless they really want to know who is enrolled in the Mermaids Aqua Aerobics program!).
Member Splash is run on cloud servers from DigitalOcean. Their security policies can be found here: https://www.digitalocean.com/security/
Our accounts are secured in the following ways:
- One-way Encrypted Passwords: Member account passwords are stored encrypted. Not even our own staff can view or recover them, though we can generate a new temporary password for an account if needed.
- SSH Keys: Connecting to our servers (to upload a software update, for example) requires a unique, encrypted key on the developer’s computer.
- IP Whitelisting: Connection to our servers is allowed only from specific IP addresses. Any attempt to connect from a non-whitelisted address is blocked.
- Firewall with Country Blocking: Most malicious attacks originate outside the US (the vast majority in China and Russia). We employ a firewall that rejects most non-US-based connections. In practice that means that if you happen to be in Russia you will not be able to access your club’s site or your Member Splash account.
- Login Tracking and Blocking: A simple, but often effective, technique for hacking an online account is a brute-force attack, in which a common username (for example, admin) is tried with tens or even hundreds of thousands of possible passwords. We run software that detects suspicious login patterns and blocks them.
In practice, what this means is that we employ some third-party platforms, like MailChimp for sending emails. That requires sharing your members’ email addresses; however, those addresses are used only for the purpose of sending your club’s communications. Neither Member Splash nor MailChimp uses or shares them for any other purpose.