Security is a shared responsibility. We secure the platform, infrastructure, and your data at rest and in transit. You're responsible for securing your account credentials and managing who has access to your organization's account.
01 Infrastructure Security
Our entire platform runs on Amazon Web Services (AWS) infrastructure, hosted in ISO 27001-certified data centers with multiple layers of physical and logical security.
🌍 Multi-Region Redundancy
Data is replicated across multiple AWS regions for high availability and disaster recovery.
🔥 DDoS Protection
Cloudflare protects all public endpoints from volumetric and application-layer attacks.
🏗 Network Isolation
Services are segmented in private VPCs with strict firewall rules and no unnecessary public exposure.
💾 Automated Backups
All data is backed up continuously with point-in-time recovery, and backups are tested quarterly.
02 Encryption
All data is encrypted at rest and in transit using modern, audited cryptographic standards.
- Data at rest: AES-256 encryption for all stored data and backups
- Data in transit: TLS 1.3 enforced for all API and web traffic; older versions rejected
- Database encryption: Column-level encryption for particularly sensitive fields (passwords, payment tokens)
- Key management: AWS KMS with automatic key rotation on an annual schedule
- Password storage: bcrypt hashing with per-user salt; plaintext passwords are never stored or logged
03 Access Control
- Principle of least privilege enforced for all internal system access
- Multi-factor authentication (MFA) is mandatory for all employees and production system access
- Role-based access control (RBAC) limits data visibility by job function
- All production access is logged, monitored, and reviewed quarterly
- Privileged access requires time-bound approval through a just-in-time (JIT) access system
- SSH access to production servers is prohibited; all changes deployed via CI/CD pipelines
04 Monitoring & Logging
We operate a 24/7 security operations capability with real-time alerting on anomalous activity.
- All API calls, authentication events, and administrative actions are logged and retained for 12 months
- SIEM (Security Information and Event Management) correlates events across all systems
- Automated anomaly detection flags unusual login patterns, data access, and API usage
- Uptime and performance monitored via independent third-party services
05 Penetration Testing & Audits
- Annual penetration testing conducted by independent certified security firms
- SOC 2 Type II audit completed annually — reports available to enterprise customers on request
- Continuous vulnerability scanning via automated tools on all code and dependencies
- Validation against the OWASP Top 10 as part of every major release cycle
- Dependency auditing and supply chain security checks in all CI/CD pipelines
06 Employee Security
- Background checks for all employees with access to production systems
- Mandatory security training during onboarding and annually thereafter
- Security policies accepted in writing by all staff and contractors
- Device management enforced — full disk encryption on all company hardware
- Immediate access revocation upon employee departure
07 Incident Response
We maintain a documented incident response plan tested via tabletop exercises twice a year.
- Dedicated security incident response team on call 24/7
- Severity classification determines escalation path and response timeline
- Affected customers notified within 72 hours of a confirmed breach, per GDPR requirements
- Post-incident reviews published for significant incidents
08 Securing Your Account
We strongly recommend all customers take these steps to protect their Click Media Digital account:
- Enable two-factor authentication (2FA) — available in account settings
- Use a unique, strong password not used on any other service
- Review team member access and remove users who no longer need access
- Monitor your account's API key usage and rotate keys regularly
- Set up login notifications to alert you of new sign-ins from unrecognized devices
09 Report a Vulnerability
We operate a responsible disclosure program. If you discover a security vulnerability in our platform, we ask that you report it to us privately before public disclosure.
- Email: security@clickmediadigital.com
- PGP key: Available on our security page
- We commit to: Acknowledge within 24 hours, provide updates every 5 business days, and credit researchers in our security hall of fame
- In scope: clickmediadigital.com, api.clickmediadigital.com, app.clickmediadigital.com
Safe Harbour: We will not pursue legal action against researchers who responsibly disclose vulnerabilities and act in good faith under these guidelines.