Welcome to our Email & SMS Marketing platform. This guide contains a series of 'recommended reading' articles for IT & System Administrators to help you understand our platform from a network & IT security point of view, as well as assisting you to configure our platform using security best practices.
General Introduction & Overview
Account Security & Users
- Account Access Levels
- Add Additional Users
- Increase Account Security With Two-Factor Authentication (2FA / MFA)
- Minimum System Requirements
- Configure IP Address Restrictions & 2FA Requirements
- Security Best Practices
- Usage Details & Event Log
Domains, Firewalls, & IPs
- Set up your domain records in our platform (for authenticated email)
- Firewall & Whitelisting Issues
- Restrict Account Access by IP Address
- System IP Address Information
Support & Training
- Need a hand? Get in touch with our support team
- View our full index of support articles
- Explore our various training resources
Other Guides & Resources
- Explore our full list of Getting Started resources.
Frequently Asked Security Questions
Information Security Management
Q: Where is contact data stored?
A: All contact data is stored locally in Australia. Our product, live environment, and all (Australasian) client data (contacts) are stored at a Tier 4, ISO 27001 compliant data centre in Brisbane. No client data is stored on or within our own office premises.
Q: Does Constant Contact (Vision6) maintain any Information Security Training and Awareness programmes, Security Education, or other programmes of a similar nature?
A: Yes, all new employees undergo Security Training and Awareness as part of their onboarding process. Thereafter, refresher courses are presented on an annual basis.
Q: Have you undergone third-party penetration testing?
A: Yes. We plan annual pentests. You may request a copy of our Penetration Test Assurance Report by contacting our Support team.
Q: Does Constant Contact (Vision6) manage any Personal Identifiable Information (PII) data on behalf of clients?
A: No, we do not manage PII data on behalf of our clients. Our clients use our software to manage their data themselves.
Data Protection
Q: Do you encrypt tenant data at rest and in transit?
A: Yes, data in transit is encrypted with TLS 1.2 and above, and HTTP Strict Transport Security (HSTS) is enforced. For data at rest, dm-crypt is configured using LUKS.
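The following is an added example (not Vision6 code, and not part of this guide) of how an IT administrator can verify the in-transit claims above against what the platform actually serves. It parses a Strict-Transport-Security header value using the RFC 6797 directive syntax (max-age is the only required directive; names are case-insensitive; unknown directives are ignored; a duplicate max-age makes the header invalid) and compares the negotiated protocol version string, in the format returned by Python's `ssl.SSLSocket.version()` (for example `TLSv1.2`), against a minimum. The sample observations at the bottom are constructed, and the thresholds (TLS 1.2, a one-year max-age) are this example's own assumptions rather than anything the vendor states.

```python
import re
from dataclasses import dataclass

# Assumed thresholds for this check (not stated by the vendor): TLS 1.2 as the
# floor, and a one-year HSTS max-age, the value the HSTS preload list requires.
MIN_TLS_VERSION = (1, 2)
MIN_HSTS_MAX_AGE = 31_536_000


@dataclass
class HstsPolicy:
    max_age: int
    include_subdomains: bool
    preload: bool


def parse_hsts(header_value):
    """Parse a Strict-Transport-Security header value (RFC 6797).

    Returns an HstsPolicy, or None when the header is absent or malformed.
    """
    if header_value is None:
        return None
    max_age = None
    include_subdomains = False
    preload = False
    for directive in header_value.split(";"):
        directive = directive.strip()
        if not directive:
            continue
        name, _, value = directive.partition("=")
        name = name.strip().lower()          # directive names are case-insensitive
        value = value.strip().strip('"')     # max-age may be a quoted-string
        if name == "max-age":
            if max_age is not None or not value.isdigit():
                return None                  # duplicate or non-numeric max-age: invalid
            max_age = int(value)
        elif name == "includesubdomains":
            include_subdomains = True
        elif name == "preload":
            preload = True
        # any other directive is ignored, as RFC 6797 requires
    if max_age is None:
        return None                          # max-age is the only REQUIRED directive
    return HstsPolicy(max_age, include_subdomains, preload)


def parse_tls_version(name):
    """Map 'TLSv1', 'TLSv1.2', 'TLSv1.3' (ssl.SSLSocket.version() format) to (major, minor).

    Any SSLv* string is mapped to (0, 0) so it always fails a TLS minimum.
    """
    if name.startswith("SSLv"):
        return (0, 0)
    m = re.fullmatch(r"TLSv(\d)(?:\.(\d))?", name)
    if not m:
        raise ValueError(f"unrecognised protocol version string: {name!r}")
    return (int(m.group(1)), int(m.group(2) or 0))


def check_transport_security(tls_version, hsts_header,
                             min_tls=MIN_TLS_VERSION, min_max_age=MIN_HSTS_MAX_AGE):
    """Return a list of findings; an empty list means the observation meets the claim."""
    findings = []
    if parse_tls_version(tls_version) < min_tls:
        findings.append(f"negotiated {tls_version} is below TLS {min_tls[0]}.{min_tls[1]}")
    policy = parse_hsts(hsts_header)
    if policy is None:
        findings.append("HSTS header missing or malformed (max-age is required)")
    else:
        if policy.max_age < min_max_age:
            findings.append(f"HSTS max-age {policy.max_age} is below {min_max_age}")
        if not policy.include_subdomains:
            findings.append("HSTS policy does not cover subdomains")
    return findings


# Constructed sample observations, as an administrator might record them from
# ssl.SSLSocket.version() and the response headers of an HTTPS request.
SAMPLE_OBSERVATIONS = {
    "compliant":      ("TLSv1.3", "max-age=63072000; includeSubDomains; preload"),
    "short-max-age":  ("TLSv1.2", 'max-age="300"'),
    "legacy-tls":     ("TLSv1.1", "max-age=31536000; includeSubDomains"),
    "no-hsts":        ("TLSv1.2", None),
}

if __name__ == "__main__":
    for label, (version, hsts) in SAMPLE_OBSERVATIONS.items():
        result = check_transport_security(version, hsts) or ["ok"]
        print(f"{label}: {'; '.join(result)}")
```

To run this against a live endpoint, feed `check_transport_security` the value of `sock.version()` from an `ssl`-wrapped socket and the `Strict-Transport-Security` response header; the header is only meaningful when received over HTTPS, so ignore any copy seen on a plain-HTTP response.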
Q: What compliances does Constant Contact (Vision6) hold?
A: ISO 27001:2022, QAssure, GDPR & the Australian SPAM Act 2023. Emails created & sent (with the drag & drop editor) in our platform support WCAG 2.2 Level AA. You can read more about this at the World Wide Web Consortium (W3C).
Q: What controls does Constant Contact (Vision6) employ to protect data?
A: The Vision6 product is multi-tenanted with rigid logical segmentation of data by account. Access control within the product is role-based. Please refer to the Vision6 Data Security practices at https://www.vision6.com.au/compliance-hub/data-security/
Q: Does Constant Contact (Vision6) conform to best practice in records storage and handling?
A: Constant Contact (Vision6) is an email marketing platform, not a data storage provider. When we collect, store and use your personal information, we do so in accordance with the rules set down in the Australian Privacy Act 1988 (Privacy Act), the European Union General Data Protection Regulation (EU) 2016/679 (the GDPR), and the California Consumer Privacy Act (CCPA).
Q: Identify any managed services / IaaS / SaaS / PaaS where data is stored or through which it is transmitted.
A: PII is stored in sovereign data storage: in Australia, we use a Tier 4, ISO 27001 compliant data centre in Brisbane (NextDC). We use both AWS Sydney and Azure Melbourne for some backup and Disaster Recovery functions. Both are ISO 27001 and SOC 3 compliant.
Q: Will Constant Contact (Vision6) delete information and records upon request and provide assistance or evidence that they have done so?
A: All customer data is under the sole ownership of the relevant customer. Any destruction of customer data is to be managed by the customer in the Vision6 product. We do not provide certificates for assurance of destruction as we're an email marketing platform, not a data storage provider.
Q: Are any copies of records or information retained by Constant Contact (Vision6) after the termination of a contract?
A: No. In line with our Data Retention Policy, all deactivated account data is permanently deleted 12 months after deactivation.
Network and System Management
Q: What system hardening standards are in place at Constant Contact (Vision6)?
A: Critical infrastructure components are reviewed annually to confirm compliance with the defined security hardening and configuration requirements. All systems and infrastructure are designed to limit exposed services and unnecessary software and to ensure that security measures are correctly in place, and they are subject to security reviews as part of our deployment processes.
Q: Has Constant Contact (Vision6) implemented any antivirus/malware solutions?
A: Yes. This is detailed in our Threat & Vulnerability Management policy, including requirements for restrictive firewalls and antivirus.
Q: What are Constant Contact (Vision6)’s patch management policies, procedures, and solutions?
A: We have comprehensive patch management processes in place for our product, including both manual and automated scans, which are reviewed and reported on monthly.
Q: What are Vision6’s remote access policies, including any requirements for multi-factor authentication (MFA)?
A: All logins to the platform require MFA. We also recommend that customers apply their own policy when using the product. All other software and systems used by Constant Contact (Vision6) use MFA, where possible.
Q: Does Constant Contact (Vision6) subcontract part of its service offering to third parties and, if so, what contractual agreements are in place?
A: No, all core functions and client services are conducted by Constant Contact (Vision6) and are not outsourced to any third-party contractors.
Incident Response
Q: Does Constant Contact (Vision6) have a formal Incident Response plan in place, which includes details of the reporting, notification requirements, escalation and remediation associated with an Information Security Incident?
A: Yes. General incident management processes are in place, and security incidents and data breaches are handled according to our Security Incidents & Data Breach Policies.
Q: Has Constant Contact (Vision6) experienced any significant Information Security incidents in the past?
A: No. Constant Contact (Vision6) has not been subject to an Information Security Incident.
Q: Does Constant Contact (Vision6) have Disaster Recovery and Business Continuity plans? Are the recovery plans performed regularly?
A: Yes, we have a DR plan that forms part of the larger BC plan. This plan and supporting recovery processes are tested annually.
Q: Is a full restoration of information possible within a reasonable timeframe in the event of an incident?
A: Yes.
Q: Does Constant Contact (Vision6) guarantee acceptable parameters for service provision in respect to possible disruptions, and what actions does Vision6 take in the event of service disruption?
A: Yes. Please refer to our Terms & Conditions for details on managing service disruption.
Q: What measures are in place to allow Constant Contact (Vision6) to do a complete restoration of customer records if needed?
A: To ensure data integrity and resilience, we maintain redundant copies of all customer information. Our disaster recovery systems are engineered for rapid restoration in the event of an outage, supported by rigorous, scheduled testing. Furthermore, your data is backed up at least every 24 hours using industry-standard encryption and stored in both local and secure off-site facilities.
Q: Does Constant Contact (Vision6) have a public Status Page that can be monitored for uptime and incident reporting?
A: Yes. Please refer to our Status Page.
Cyber Insurance Policy Protection
Q: Does Vision6 maintain Cybersecurity liability insurance?
A: Yes. Our insurance provides first and third-party cyber cover.