How does Nelio handle Security?

We take data security and privacy very seriously, and we recognize that our security measures and practices are important to you. We believe we have a responsibility to set the example and protect not just the privacy of our customers, but also that of the people who visit their websites—in other words: you.

We adapt and change with an ever-evolving discipline and continue to provide reassurance that we’re protecting the confidentiality, integrity, and availability of your data.

When you install the Nelio A/B Testing plugin and/or subscribe to one of our premium plans, you accept the T&C, which also include the Data Processing Agreement (DPA). The DPA explains in detail how we process data and which security measures we take when processing your and your visitors’ data while you use Nelio A/B Testing.

Specifically, the DPA lists the technical and operational security measures we take when processing the data, including measures for:

  • Ensuring that personal data is encrypted both in transit and at rest to protect it from unauthorized access.
  • Implementing robust access controls to limit access to personal data to authorized personnel only.
  • Processing only the personal data that is necessary for the intended purpose, avoiding collecting or retaining excessive or irrelevant data.
  • Maintaining the integrity and resilience of the systems and services that process personal data through appropriate measures such as data backup, disaster recovery planning, and regular testing.
  • Implementing monitoring and logging mechanisms to detect and respond to security incidents promptly. This includes logging access attempts, changes to configurations, and suspicious activities.
  • Developing and maintaining an incident response plan to handle security breaches or incidents effectively.
  • Regularly updating and patching systems and software to address known vulnerabilities and protect against exploitation.
  • Following secure coding practices and conducting regular security assessments and code reviews to identify and mitigate potential vulnerabilities.
  • Ensuring that any third-party vendors or subprocessors involved in processing personal data adhere to GDPR requirements and maintain adequate security measures.
  • Providing regular training and awareness programs for employees to educate them about their responsibilities regarding data protection and security.
  • Physical security measures to protect facilities, equipment, and storage media that contain personal data from unauthorized access, theft, or damage; these are implemented by our service infrastructure provider.

You can see the details of these measures in the Annex II of the DPA.

Below, we summarize some of the critical points related to the security measures you should be aware of when using Nelio A/B Testing:

How Nelio protects data

Nelio A/B Testing Plugin Development Security

Nelio A/B Testing plugin development follows a Secure by Design (SbD) principle, which means that security and control are applied to the whole process of creating our plugin, from design to implementation.

Nelio A/B Testing code is stored in a Bitbucket / Atlassian system hosted by AWS. Nelio employs strict role-based security and passwords for access to the code. Commits to production code are strictly reviewed and go into production only after passing unit testing and QA in the Test and Staging environments.

Nelio A/B Testing is compatible with the GNU General Public License v2 and is reviewed by the Plugin Review Team and the WordPress Security Team as part of the submission process for publication in the WordPress Plugin Directory, following the guidelines available here.

The goal of the WordPress Plugin Directory is to provide a safe place for all WordPress users – from the non-technical to the developer – to download plugins that are consistent with the goals of the WordPress project. Among other measures, they require that no users are tracked without their consent and that the standard libraries included in WordPress are used, to ensure the security and stability of the products.

In addition, as a requirement to become a WordPress VIP Technology Partner, Nelio A/B Testing has been carefully examined by Automattic for performance, security, scalability, and usability.

We use cookies

Nelio A/B Testing uses cookies to run tests and analyze the customer’s website visitor data (as long as cookies are enabled). The cookies keep track of the variation a visitor has viewed so that the same variation is served to that visitor consistently, track the goals completed by a visitor, and determine whether a visitor is part of a test.

You can find more details on how we ensure Nelio A/B Testing’s compliance with the GDPR here.

Nelio A/B Testing Backend Security

The Nelio A/B Testing backend is hosted on Amazon Web Services (AWS), which is SOC 1/SSAE 16/ISAE 3402, SOC 2, SOC 3, FedRAMP, DoD SRG, and PCI DSS Level 1 certified.

Physical security

Physical access to the AWS data centers is restricted by Amazon. No Nelio employee has physical access to them.

Architecture security

We briefly describe the different components of the architecture we have defined in our backend to ensure the security of the system:

  • Amazon API Gateway: This is the entry point of our cloud system for Nelio A/B Testing. The communication between the Nelio A/B Testing WordPress plugin and the Nelio A/B Testing cloud system is done through a REST API.
  • Amazon Lambda: This is a serverless computing service that runs all the Lambda functions we programmed in response to the API calls defined in the API Gateway.
  • Amazon DynamoDB: This is a NoSQL database solution that stores all Nelio A/B Testing data.
  • Amazon S3: This is a static file storage system we use to back up our Amazon DynamoDB data and to store a few extra assets.
  • Amazon SNS: This is a notification system we use when we have to process objects in great quantity.
  • Amazon SES: This component allows us to send emails programmatically to email accounts.

We designed our infrastructure to log extensive information about system behaviour, traffic received, system authentication, and other application requests. Our development team responds to known incidents.

Amazon uses commercially reasonable efforts to ensure a minimum of 99.95% uptime. They maintain a minimum of N+1 redundancy for power, network, and heating, ventilation and air conditioning (HVAC) services.

Access data security

The data stored on production servers in AWS is accessible only to the VP-Engineering or the CEO. No one else in Nelio has access to customer data unless the CEO or the VP-Engineering grants permission to access it in order to resolve a technical issue or for debugging.

We use multi-factor authentication (MFA) to validate user identities and provide quick and convenient access to authorized users.

There is an hourly backup of the database data in AWS data centers.

Application access security

  • The Nelio A/B Testing plugin installed in your WordPress site is always connected to the Nelio backend via HTTPS using Secure Sockets Layer (SSL), a cryptographic protocol that is designed to protect against eavesdropping, tampering, and message forgery.
  • You can assign roles and permissions to each user that has access to your site to ensure an appropriate level of access to the Nelio A/B Testing plugin.

If you have additional concerns about the security of Nelio A/B Testing, feel free to contact us.