Platform and Data Security Information

The questions below have been prepared to provide more information about data security, storage and backups of the World Manager platform. If you have not already done so, please visit our Privacy Portal for the latest information. If you have any concerns over data security or suspect a data breach may have occurred, please contact the privacy team below:

1. What access control measures does the World Manager platform provide?

The security of brand data is of paramount importance to us. To make sure that only the right people have access to brand data, administrators can set the following security precautions:

Password Policy

Each Administrator defines the minimum number of characters for passwords, and the platform also checks password strength for users based on the use of numbers, letters, and special characters. The only enforced requirement is the minimum length (5 characters), although we highly recommend at least 8.

Tip: Click on the "Make me a password" link to generate a random (secure) password.

Password Settings

Minimum Password Length – The minimum number of letters or digits required. The password character limit must be between 5 and 50.

Passwords are automatically deactivated this many days after a user's last login – A user's password will be deactivated after a period of inactivity. This setting allows you to specify how many days a user can go without logging in for their password to be deactivated.

Inactivity Timeout

If a user is inactive for a set period, they will automatically be logged out of the platform (unless Stay Signed In is enabled). Inactivity Timeout helps prevent other users on the same computer from being able to access their account. The time frame is set to 3 hours by default but can be reduced if required by contacting support. This cannot be adjusted from within the platform itself. This setting helps to safeguard against human error or accounts not being closed in a timely manner.

Stay Signed In

‘Stay Signed In’ is a feature that overrides the above Inactivity Timeout settings. This setting is not recommended for shared or public computers.

Enable "Stay Signed In" – Turning this option on will show an extra option on the login page, called "Stay Signed In". If users use this option when logging in, they will be able to visit the platform again through the same computer and browser without having to provide their username and password, until they choose to log out. This is used in conjunction with the next option.

Stay Signed In Timeout – This option is used to specify the number of days that the "Stay Signed In" option will be effective for, from the time the user logs in. If for example, it is set to 30 days, a user may log into the platform using "Stay Signed In", and continue to use the platform without having to resupply his/her login credentials until 30 days later.

Encrypted passwords with unique logins per user

Every user on the platform has a unique username and password. All passwords in the database are encrypted, so not even we can access them.

Forced Password change

The first time an account logs in, the user is forced to change their password. This helps prevent default passwords from being hijacked. Support can also force all accounts to reset their passwords at any time.

2. Do you have separate installations?

Yes. Many systems run as a central installation with multiple brands in the same platform. With World Manager every brand has their own installation running on their own virtual host. This means that your data is never mixed with anyone else’s.

3. Can we get SSL Certificates?

Absolutely! Our brands require full encryption of their data, so SSL certificates are provided free of charge to all brands using a URL (by default). We also offer free SSL certificates for brands using custom URLs, which we maintain on the brand's behalf.

4. Do you have secure, firewalled servers?

Absolutely. All our servers are housed in a secure data centre run by AWS. All security patches and updates are installed as soon as they are released.

5. Who monitors the World Manager servers?

All our servers are monitored by two separate parties: ourselves and AWS (Amazon Web Services), our data centre provider. This provides maximum uptime and early detection of malicious attacks.

6. Who is your DNS provider?

Our DNS provider is AWS (Amazon Web Services). This was changed from Netregistry in October 2020.

7. How can you be confident your World Manager won’t be hacked?

In addition to protecting against common hacking and other attacks, we also maintain detailed logs to thoroughly investigate any suspicious activity.

8. Do you have any attack prevention procedures in place?

We specifically guard against common types of attacks such as SQL Injection and Authorization Bypass.

We also maintain internal server monitors with AWS, for fast detection of any DoS attacks or other server problems.

9. Can you track IP addresses per login?

Absolutely. To allow us to quickly investigate any potentially suspicious activity we maintain detailed logs of IP addresses, Browser information and other user details so that we can quickly identify potential threats.

10. What is offered in terms of backups and data recovery?

World Manager is backed up via AWS in two (2) parts:

  1. Database Backup
  2. File Backup

Database Backup – which stores personal account information, training results, etc. – is backed up daily and preserved for 30 days. We also store weekly backups, which are preserved for 13 weeks. Finally, a monthly backup from the 15th of each month is preserved indefinitely, covering every month beyond the 30 days of daily backups.

File Backup – which covers all the files you have uploaded into World Manager is backed up following the below retention policy:

| Periodicity | Preserved for | Created on |
|---|---|---|
| Daily | 30 days | Once a day |
| Monthly | Indefinitely | Once a month |

Data Recovery – is a simple case of reloading the database and files from the latest backup. In case of catastrophic hardware failure, data recorded between the last backup and the failure may be lost.

11. Whitelisting Emails

Many tools in the World Manager platform send out email notifications, and these emails are sent from our email server.

The system email address these are sent from can be set up as anything you prefer
(e.g., but emails are always sent from the domain via our email server - regardless of what the system email address is.

Due to this functionality, there is potential for some emails to either fail, get blocked, appear as spam and so on. Each platform can also set up a noreply address within the email settings on the World Manager platform.

What IP address do I need to whitelist, and why?

Whitelisting our mail server's IP address (or domain name) will ensure that any/all emails sent from the domain through the World Manager platform are exempt from being rejected and get delivered without issue or delay.

Our mail server's IP address is:

Tip: Alternatively, you can use our mail server's domain name (if preferred), which is:

Note: If you are unsure of how to whitelist an IP address and/or domain name, please consult your IT department.

Emails being delivered as spam?

When emails get delivered as spam (or potential spam), the most common reasons refer to "fraud" or "spoofing". Both errors relate to the same email security function, called Sender Policy Framework - also known as an SPF record.

After receiving this type of error, we typically get a request to provide an SPF record. While this error message specifically mentions "spoofing", the cause of it is quite broad. However, in all cases, whitelisting our IP address resolves this issue.

Example of email received as potential spam (Microsoft Outlook) below:

Further to the above, there are many other reasons emails are delivered as spam, such as strict incoming mail rules, spam filter configuration, stand-alone mailbox settings, etc. If whitelisting our IP address does not resolve this issue for you, please consult your IT department to determine what other (internal) network settings could be blocking emails.

Setting up an SPF Record

Sender Policy Framework, more commonly referred to as SPF, is a record that declares which SMTP/mail servers (other than your own) are allowed to send emails that come from your own domain.
When an email client receives a message, it will typically perform an SPF check to verify that the email actually came from who it says it did. If there isn't a valid SPF record identifying the IP address which sent the email as a sender, some receivers might consider that email spam/fraudulent, or a phishing attempt, and then either dispose of the message or deliver it as junk/spam (depending on what spam settings you have in place).


Setting up a DKIM Record

DomainKeys Identified Mail, more commonly referred to as DKIM, is an email authentication technique that allows the receiver to check that an email was indeed sent and authorised by the owner of that domain - or mail servers that you have authorised to send on your behalf.

Like SPF, DKIM is an open standard for email authentication that is used for DMARC alignment. A DKIM record exists in the DNS, but it is a bit more complicated than SPF. DKIM's advantage is that it can survive forwarding, which makes it superior to SPF and a foundation for securing your email.

