Skip to content

Commit 0e50dfe

Browse files
Add trust center docs
1 parent c83b5e6 commit 0e50dfe

6 files changed

Lines changed: 273 additions & 2 deletions

File tree

docs/guides/licensing.md

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -105,7 +105,7 @@ We have no tax presence outside Australia. We do not currently provide internati
105105
The source code for our main product Certify Certificate Manager is available for review at https://github.com/webprofusion/certify
106106

107107
## Terms of Service
108-
Our services, licenses and products are subject to our [Terms and Conditions](terms.md).
108+
Our services, licenses and products are subject to our [Terms and Conditions](../trust-center/terms.md).
109109

110110
## Frequently Asked Licensing Questions
111111

docs/trust-center/index.mdx

Lines changed: 115 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,115 @@
1+
---
2+
id: trust-center
3+
title: Trust Center
4+
---
5+
6+
# Trust Center
7+
## Certification overview
8+
9+
Webprofusion Pty Ltd ("We","Our"), as operator of the certifytheweb.com service (Certify The Web), operates in alignment with the principles and controls of ISO/IEC 27001.
10+
11+
While not currently ISO/IEC 27001 certified, a structured Information Security Management System (ISMS) approach is applied covering operational security, privacy, risk management, business continuity, cryptographic key management and incident response.
12+
13+
As part of this approach, annual internal information security audits are conducted where appropriate to assess the effectiveness of any implemented mitigation measures or controls, identify improvement opportunities, and ensure continued alignment with ISO/IEC 27001 and industry best practices.
14+
15+
## Information security overview
16+
### Information Security Management System
17+
#### Purpose
18+
19+
We ISMS ensure the confidentiality, integrity, and availability of information handled by Certify the Web related services, which may include customer credentials, and operational data.
20+
21+
#### Objectives
22+
23+
The key objectives of the ISMS are:
24+
- Maintain service availability and reliability
25+
- Meet customer and regulatory security expectations
26+
- Protect code signing private keys and software release lifecycle processes
27+
- Prevent system abuse or compromise both of customer facing systems and internal operational systems
28+
- Support continuous improvement through internal audits and reviews.
29+
30+
#### Scope
31+
32+
Included within the scope of the ISMS are:
33+
- Software release management
34+
- Customer facing systems such as dashboard reporting
35+
- Supporting infrastructure (cloud platforms, HSM/KMS, CI/CD)
36+
- Personnel with access to certificate monitoring or security systems
37+
38+
Excluded from Scope
39+
- End user client systems
40+
- Security of software installed on customer systems
41+
- Customer managed private keys (if applicable)
42+
- Third party Certificate Authorities (managed externally) such as Lets Encrypt
43+
44+
#### Information Security Policy
45+
46+
Information security is a core requirement of Webprofusion Pty Ltd’s certifytheweb.com service. All information assets, including customer data, are protected through documented policies, risk based controls, and ongoing review.
47+
48+
Refer to our [Information Security Policy](information-security.md).
49+
50+
#### Operational Security
51+
##### Physical Controls
52+
53+
Where applicable the following controls apply:
54+
- Secure data centre access
55+
- Controlled physical access to HSMs
56+
- Multi Factor Authentication
57+
58+
##### Encryption at rest & in transit
59+
60+
We maintain data encryption controls designed to protect information against unauthorised access or disclosure, including encryption of data at rest and in transit using industry standard practices.
61+
62+
#### Privacy
63+
##### Privacy Policy
64+
65+
Our privacy policy is designed to meet the requirements of the Australian Privacy Principles which govern the way in which Personal Information such as that collected from customers is used, disclosed, stored, secured and disposed.
66+
67+
Refer to our [Privacy Policy](privacy-policy.md).
68+
69+
##### Terms And Conditions
70+
71+
Use of our services indicates acceptance of our [terms and conditions](./terms.md).
72+
73+
#### Risk management
74+
75+
A risk-based approach to managing information security risks is implemented through Webprofusion Pty Ltd’s ISMS. Information security risks are identified, assessed and where required mitigation measures are implemented.
76+
77+
Through the analysis of possible threats and hazards, potential risks can be formally identified through the lifecycle of the certifytheweb.com service. These may relate to:
78+
- Access controls
79+
- Software supply chain
80+
- Service downtime
81+
82+
As described in the [Information Security Policy](information-security.md), any risks identified are fully assessed to ensure that appropriate mitigation measures or controls are implemented.
83+
A risk review is undertaken periodically and may be updated when significant changes occur.
84+
85+
#### Business Continuity
86+
87+
To support business continuity appropriate backup, recovery and monitoring measures are implemented. These align with current industry best practice.
88+
89+
#### Cryptographic key management
90+
Within our services, industry-accepted cryptographic standards are used. Private keys and credentials are protected, certificate lifecycle processes are controlled, and security considerations are embedded in automation and product design.
91+
92+
#### Use of Cryptography
93+
Where applicable, we use code signing for build artifact signing using certificates issued by publicly trusted certifiate authorities. These certificates are renewed in accordance with the lifecycle policy of the issuing CA.
94+
95+
#### Incident response overview
96+
We ensure security events are identified, managed, and resolved in a timely and controlled manner.
97+
98+
Incident response measures are event specific but may include the following:
99+
- Proactive measures via services such as Cloudflare (Web application firewall, DDoS protection, selective filtering of incoming requests).
100+
- Investigation and root cause analysis to understand what has occurred
101+
- Customer communications such as general notifications and status updates, notification of affected customers
102+
- Post incident review to identify lessons learned and implement improvements where necessary.
103+
104+
#### Annual internal audit confirmation
105+
##### Audit schedule
106+
107+
We conduct annual internal information security audits to review our security practices. These audits help confirm that appropriate and effective controls are in place, identify opportunities for improvement, and ensure our approach to information security remains effective and aligned with recognised best practices.
108+
109+
Additional audits may also be performed following significant changes, security events, or incidents, to ensure issues are addressed appropriately and improvements are implemented where needed.
110+
111+
##### Audit findings and follow up
112+
113+
Findings from internal security audits are formally recorded and tracked through to closure. Each finding is assessed to determine its impact and priority, ownership is assigned, and remediation actions are defined and monitored. Where required, corrective or preventive controls are implemented, and their effectiveness is reviewed to ensure the underlying issue has been appropriately addressed. This process supports accountability and ensures continuous improvement of our security practices.
114+
115+
For further information on our service please contact us via `support at certifytheweb.com`
Lines changed: 42 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,42 @@
1+
---
2+
id: information-security
3+
title: Information Security Policy
4+
---
5+
6+
# Information Security Policy
7+
## Purpose
8+
Webprofusion Pty Ltd, as operator of the certifytheweb.com service, is committed to protecting the confidentiality, integrity, and availability of information provided by customers and partners. This Information Security Policy outlines our approach to managing information security risks associated with the development, operation, and support of the certifytheweb.com service.
9+
10+
This policy is designed to provide transparency into our security objectives and management practices and forms part of our broader Information Security Management System (ISMS), aligned with ISO/IEC 27001 principles.
11+
12+
## Scope
13+
This policy applies to the Certify The Web applications and supporting services where hsoted by us; systems, infrastructure, and environments used to operate and support the product; information assets including signing certificates, configuration data, telemetry, support data, and customer-provided information where applicable. This policy does not cover customer hosted applications.
14+
15+
## Information Security Objectives
16+
The objectives of this policy are to protect sensitive information from unauthorised access, safeguard cryptographic materials, ensure service availability, maintain customer trust, and continually improve security practices.
17+
18+
## Risk Management Approach
19+
Webprofusion Pty Ltd, as operator of the certifytheweb.com service, follows a risk-based approach to managing information security risks. Information security risks are identified, assessed and where required mitigation measures are implemented. A risk review is undertaken periodically and may be updated when significant changes occur.
20+
21+
## Access Control
22+
Access is granted based on business need and least privilege, protected by appropriate authentication including multi-factor authentication where applicable, and reviewed periodically.
23+
24+
## Cryptographic and Certificate Security
25+
Industry-accepted cryptographic standards are used. Private keys and credentials are protected, certificate lifecycle processes are controlled, and security considerations are embedded in automation and product design.
26+
27+
## Secure Development and Operations
28+
Security is integrated into development and operations through secure coding, change management, logging, monitoring, and timely patching.
29+
30+
## Incident Management
31+
Incidents are detected, recorded, contained, investigated, and reviewed. Customers are notified where required by contractual or regulatory obligations.
32+
33+
## Business Continuity
34+
Appropriate backup, recovery, monitoring, and resilience measures are implemented to support continuity.
35+
36+
## Review and Continuous Improvement
37+
This policy and associated controls are reviewed periodically, supported by annual internal audits, and updated to reflect changes.
38+
39+
## Policy Availability
40+
This policy is available via the Certify The Web Trust Center. Additional information may be provided upon request subject to confidentiality controls.
41+
42+
Lines changed: 94 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,94 @@
1+
---
2+
id: privacy-policy
3+
title: Privacy Policy
4+
---
5+
6+
*Last Updated: 30/06/2026*
7+
8+
Webprofusion Pty Ltd, operators of the certifytheweb.com service are committed to providing quality services to you and this policy outlines our ongoing obligations to you in respect of how we manage your Personal Information. We have adopted the Australian Privacy Principles (APPs) contained in the Privacy Act 1988 (Cth) (the Privacy Act). The National Privacy Principles govern the way in which we collect, use, disclose, store, secure and dispose of your Personal Information. A copy of the Australian Privacy Principles may be obtained from the website of The Office of the Australian Information Commissioner at www.aoic.gov.au
9+
10+
This privacy policy relates to:
11+
- the `https://certifytheweb.com` and `https://dash.certifytheweb.com` service
12+
- the `https://api.certifytheweb.com` API
13+
- the *Certify Certificate Manager*, *Certify Management Agent* and *Certify Management Hub* applications.
14+
- the *Certify Dashboard service*
15+
- the *Certify DNS* service
16+
17+
Note: The applications make use of the services provided by Certificate Authorities (e.g. Let's Encrypt - https://letsencrypt.org) and their privacy policy applies if you use this software to request certificates through their service. You may also choose to use other Certificate Authority services and each service will require you to agree to their own terms and conditions.
18+
19+
## What is Personal Information and why do we collect it?
20+
Personal Information is information or an opinion that identifies an individual. Examples of Personal Information we may collect include: names, addresses, email addresses, and phone numbers.
21+
22+
This Personal Information is obtained in many ways including correspondence, by telephone, by email, via our website certifytheweb.com, from other publicly available sources and from third parties. We do not guarantee website links or privacy policies of authorised third parties.
23+
24+
We collect your Personal Information for the primary purpose of providing our services to you and marketing. We may also use your Personal Information for secondary purposes closely related to the primary purpose, in circumstances where you would reasonably expect such use or disclosure. You may unsubscribe from our mailing/marketing lists at any time by contacting us in writing.
25+
26+
When we collect Personal Information we will, where appropriate and where possible, explain to you why we are collecting the information and how we plan to use it.
27+
During the normal use of the Certify The Web.com services (Certify Certificate Manager and related products), Webprofusion Pty Ltd (via the service/app) may also collect the following information:
28+
29+
- Managed Certificate status reports (dashboard reporting). The default setting of the app is to send these reports to our API as part of the normal certificate request process, this setting can be disabled within the app. They contain information about your Server Name, Operating System, App Version, .Net Version, a unique instance ID and the Managed Certificate details for the certificate being renewed. This information includes the Primary Contact Email used when registering your account with the Certificate Authority. We primarily use these reports to notify you of failed renewals, to provide you with technical support and to present summary information to you in the certifytheweb.com Dashboard dashboard feature. Status Reports are periodically deleted from our reporting database, aggregated information may be retained for reporting purposes.
30+
31+
- If the Config Check Proxy API is enabled in the app, the availability and configuration of your site is tested by sending a request to our server to see if it can access your site. This helps avoid unnecessary rate limiting for failed domain validations.
32+
33+
- Background service crash reports are sent to us automatically. These may share your Primary Contact Email address with us so we are able to alert that there may be a problem.
34+
35+
- You may also optionally share UI crash reports and feedback with us when prompted. This may include your email address if you provide it.
36+
37+
- The IP address of the server you use the app on may be indirectly sent to us as part of status reports, proxy API calls.
38+
39+
- We keep standard web server logs, these report accesses to our API and website.
40+
41+
In addition, if enabled via the in-app setting, telematics (app event reporting) may report app startup and UI events to us via the Microsoft Application Insights system. These reports include your IP address, Operating System version, .Net Framework version.
42+
43+
When making calls to our API from the app or browsing our website the traffic may be sent through Cloudflare services, this in turn means your public IP address is shared with them as well as any http requests to our API etc proxied through their service.
44+
45+
If you register a profile on https://certifytheweb.com using our reporting dashboard feature, to purchase a license key or begin a cloud licensed subscription, we collect the following information (some of which is optional):
46+
- First Name
47+
- Last Name
48+
- Organisation (optional)
49+
- Country
50+
- Phone Number (optional)
51+
- Email Address
52+
- Password for your certifytheweb.com account. We cannot decrypt this and store this as a "salted"+hashed value (HMACSHA256, PBKDF2)
53+
54+
If you create a cloud managed license subscription (e.g. via Microsoft Azure etc) we will store the basic information about the cloud subscription (provider, subscription identifier) and associate it with your license key information.
55+
56+
## Storage and Security of Personal Information
57+
The data collected during creation of your certifytheweb.com account is held in a private database, access to this database is strictly limited within our organisation. No data from this database is communicated with any third parties. Data is physically stored on services operated by Amazon Web Services in Australia.
58+
59+
Your Personal Information is stored in a manner that reasonably protects it from misuse and loss and from unauthorized access, modification or disclosure. When your Personal Information is no longer needed for the purpose for which it was obtained, we will take reasonable steps to destroy or permanently de-identify your Personal Information. Most of the Personal Information is or will be stored and kept by us for a minimum of 7 years in order to meet our financial reporting requirements as a company.
60+
61+
## Third Parties
62+
63+
Where reasonable and practicable to do so, we will collect your Personal Information only from you. However, in some circumstances we may be provided with information by third parties. In such a case we will take reasonable steps to ensure that you are made aware of the information provided to us by the third party.
64+
65+
## Disclosure of Personal Information
66+
Your Personal Information may be disclosed in a number of circumstances including the following:
67+
- Third parties where you consent to the use or disclosure; and
68+
- Where required or authorised by law.
69+
70+
We do not share your information with third parties other than through the normal use of the app services stated above (Let's Encrypt and other ACME CAs you use, Microsoft [Application Insights], Cloudflare).
71+
72+
We reserve the right to include your Company Name on our website to promote which customers use our service.
73+
74+
## Access to your Personal Information
75+
You may access the Personal Information we hold about you and to update and/or correct it, subject to certain exceptions. Edits can be made through the certifytheweb.com portal or requested in writing. We will not charge any fee for your access request, but may charge an administrative fee for providing a copy of your Personal Information. In order to protect your Personal Information we may require identification from you before releasing the requested information.
76+
77+
## Maintaining the Quality of your Personal Information
78+
It is important to us that your Personal Information is up to date. We will take reasonable steps to make sure that your Personal Information is accurate, complete and up-to-date. If you find that the information we have is not up to date or is inaccurate, please advise us as soon as practicable so we can update our records and ensure we can continue to provide quality services to you.
79+
80+
## Policy Updates
81+
This Policy may change from time to time and is available in the Trust Center published on our website.
82+
83+
## Privacy Policy Complaints and Enquiries
84+
85+
If you have any queries or complaints about our Privacy Policy, or the information we collect and why, please contact us.
86+
87+
88+
89+
90+
91+
92+
93+
94+

0 commit comments

Comments
 (0)