Trust Center

Organizational Security

Information Security Program

We have an Information Security Program in place that is communicated throughout the organization. Our Information Security Program follows the criteria set forth by the SOC 2 Framework. SOC 2 is a widely known information security auditing procedure created by the American Institute of Certified Public Accountants.

Third-Party Audits

Our organization undergoes independent third-party assessments to test our security and compliance controls.

Third-Party Penetration Testing

We perform an independent third-party penetration test at least annually to ensure that the security posture of our services is uncompromised.

Roles and Responsibilities

Roles and responsibilities related to our Information Security Program and the protection of our customers’ data are well defined and documented. Our team members are required to review and accept all of the security policies.

Security Awareness Training

Our team members are required to go through employee security awareness training covering industry standard practices and information security topics such as phishing and password management.

Confidentiality

All team members are required to sign and adhere to an industry standard confidentiality agreement prior to their first day of work.

Background Checks

We perform background checks on all new team members in accordance with local laws. 

Organizational Chart

An organizational structure is in place that clearly defines roles, responsibilities and lines of communication.

Disciplinary Action

Violations of information security policies are subject to documented disciplinary actions, as defined in company policies.

Cloud Security

Cloud Infrastructure Security

Our application/website is hosted on Pantheon, a managed WebOps platform for WordPress. Pantheon provides built-in security and operational controls, including isolated development, staging, and production environments, access controls, logging, monitoring, and a global content delivery network (CDN). 

Pantheon maintains a robust security program and supports industry-recognized compliance standards. 

For more information about Pantheon’s security and compliance practices, please visit Pantheon’s website.

Data Hosting Security

Application data is hosted within Pantheon-managed environments, which include automated backups, logging, caching, and redundancy features designed to support availability and data protection. Pantheon supports compliance with SOC 2, GDPR, and FERPA requirements. 

Additional details regarding Pantheon’s security and compliance controls are available in their public documentation. 

Please refer to the vendor-specific documentation referenced above for more information.

Encryption at Rest

All personal and sensitive information stored within our application and website is encrypted at rest in Pantheon-managed databases. This ensures that data is protected against unauthorized access, even if someone gains access to the storage infrastructure.

Additionally, automated backups of this data are performed by Pantheon and stored securely on separate servers within the platform. Backups are protected through encryption and can be restored via the Pantheon dashboard, either to the existing site or to a new environment. These processes ensure data integrity, availability, and protection against accidental loss or operational issues, while supporting compliance with SOC 2, GDPR, and FERPA standards.

Encryption in Transit

All data transmitted between users and our application/website is encrypted in transit using TLS/SSL, ensuring protection against interception or eavesdropping. Pantheon, as our hosting platform, manages and enforces these encryption standards for all customer traffic. 

For more information about Pantheon’s encryption and security practices, please visit Pantheon Security.

Vulnerability Scanning

A vulnerability and patch management policy outlines our processes to efficiently respond to any identified vulnerabilities. 

We monitor our WordPress application and Pantheon-managed environment for potential security issues. This includes using WordPress Health tools to track plugin, theme, and core updates, as well as site performance and error monitoring. Pantheon provides platform-level monitoring and alerting for infrastructure and operational issues, helping us identify and respond to potential vulnerabilities.

Where applicable, additional security scans and assessments are performed to ensure that known vulnerabilities are addressed promptly and the environment remains secure.

Logging and Monitoring

We actively monitor and log activity related to our application and website to support security and operational visibility. Through our hosting platform Pantheon, infrastructure‑level checks and monitoring run continuously to track performance, uptime, and system health. 

Pantheon also provides access to logs for application containers and services, which can be used for troubleshooting, performance optimization, and security investigations. 

Detailed logging and telemetry help our team identify and respond to issues more quickly and support compliance with audit and forensic requirements.

Business Continuity and Disaster Recovery

We leverage Pantheon’s built‑in platform capabilities to support business continuity and reduce the risk of data loss or downtime. Pantheon performs automated backups daily to protect the database, files, and code for our site, which can be restored via the dashboard or platform tooling if needed. 

These backups and platform redundancy mechanisms help ensure that critical systems and data can be recovered in the event of operational issues or infrastructure failures. Pantheon’s infrastructure is designed for resiliency and high availability, with features like automated checks and platform‑level monitoring supporting overall uptime and recovery readiness.

Incident Response

Identified incidents are documented, tracked and analyzed according to the Incident Response Plan.

We have a process for handling information security events which includes escalation procedures, rapid mitigation and communication through to resolution.

The Incident Response Plan is tested annually via tabletop exercises or equivalent. If necessary, management will make changes to the Incident Response Plan based on results.

After any identified security incident has been resolved, a “Lessons Learned” analysis is documented in order to continually improve our security posture and operations.

Change Management

Changes to systems, networks, security controls and infrastructure are managed in accordance with our Change Management Policy.

All changes are reviewed and approved prior to implementation to assess the security and operational impact. 

Changes are tested in non-production environments before being deployed to production.

Any significant changes are communicated to relevant stakeholders, as applicable.

Network Security

A network security policy is established to identify the requirements for protecting information and systems within and across the network.

Logging and Monitoring

Infrastructure and system data are collected through logging and monitoring tools to detect security threats and unusual activity and to ensure system performance.

Network traffic monitoring

Monitoring tools are deployed to observe network traffic and protect production environments from unauthorized access or malicious activity.

Controlled Network Access

Access to network ports, protocols, services and environments is restricted as necessary through secure configurations and firewall enforcement.

Access Security

Permissions and Authentication

Access to our WordPress application and Pantheon-managed cloud infrastructure is restricted to authorized users only. Within WordPress, each user is assigned a specific role, limiting access to only the features and data necessary for their responsibilities. 

Any changes to user roles or permissions require approval from an administrator. In some cases, access may also be restricted by IP address to ensure proper and secure use of the platform.

Access to Pantheon’s cloud services is managed using Pantheon role-based access controls, ensuring that only authorized personnel can access sensitive infrastructure. Two-factor authentication (2FA) is enabled for cloud service access, providing an additional layer of security. 

Least Privilege Access Control

We follow the principle of least privilege across both WordPress and Pantheon. Users are granted only the minimum access necessary to perform their specific roles, ensuring that sensitive functionality and data are protected. 

Role assignments are regularly reviewed and adjusted as needed when job responsibilities change. 

Administrative privileges are limited to a small, authorized group of users, reducing the risk of accidental or unauthorized changes to the platform or application.

Quarterly Access Reviews

We perform quarterly access reviews of all team members who have access to sensitive systems, including WordPress administrative accounts and Pantheon infrastructure. 

During these reviews, we verify that access rights are appropriate, adjust roles as needed, and remove access for team members who no longer require it. 

This process helps ensure ongoing compliance with security policies and mitigates the risk of unauthorized access.

Password Requirements

All team members are required to follow a minimum set of password complexity standards to access internal systems and WordPress. 

Passwords must meet criteria for length, complexity, and uniqueness to reduce the risk of compromise. 

Users are encouraged to rotate passwords and to report any suspected security issues immediately. These standards help maintain strong authentication practices across the organization.

Password Managers

All company-issued laptops utilize a password manager for team members to manage passwords and maintain password complexity.

Vendor and Risk Management

Annual Risk Assessments

We undergo at least annual risk assessments to identify any potential threats, including considerations for fraud. 

Risk Register

A risk register is maintained which identifies, evaluates and tracks the risk mitigation strategies for identified risks.

Vendor Risk Management

Vendor risk is determined and the appropriate vendor reviews are performed prior to authorizing a new vendor.

Vendor SOC 2 reports or equivalent are collected and reviewed on an annual basis.

New vendors are assessed in accordance with the Vendor Management Policy prior to engagement. Reassessment is done annually.

Physical Security

A physical security policy is maintained to define the requirements for securing company facilities. 

Communications

Critical information is communicated to external parties in a timely and appropriate manner, as applicable. 

Our security commitments and expectations are communicated to internal personnel and external users through our website and internal documentation.

Terms of Service or equivalent agreements are published and accessible to external users. 

A confidential reporting channel is made available to internal personnel and external parties to report security and other concerns.

Contact Us

If you have any questions, comments or concerns, or if you wish to report a potential security issue, please contact it@national.biz.
