WP Fusion Information Security Policy

1.0 Purpose and Benefits

This Information Security Policy (ISP) defines the mandatory minimum information security requirements for Very Good Plugins, LLC (“Company”), the developer and maintainer of WP Fusion, a WordPress plugin that connects WordPress websites to CRM and marketing automation systems.

This policy establishes implemented measures to ensure the integrity, availability, and security of Personal Data through comprehensive administrative, technical, and physical safeguards that meet industry best practices and comply with all applicable Data Protection Laws.

This policy acts as an umbrella document for all other security policies and associated standards. This policy defines the responsibility to:

  • Protect and maintain the confidentiality, integrity and availability of customer data, source code, and infrastructure assets
  • Implement regular vulnerability scans and endpoint protection across all systems
  • Maintain appropriate safeguards to protect against and remediate Security Incidents
  • Ensure Personal Data availability and resilience through secured and monitored operational sites
  • Manage the risk of security exposure or compromise in our plugin ecosystem
  • Maintain comprehensive audit logs, incident response procedures, and business continuity plans
  • Assure a secure and stable development and hosting environment
  • Identify and respond to events involving information asset misuse, loss or unauthorized disclosure
  • Monitor systems for anomalies that might indicate compromise
  • Promote and increase awareness of information security among our development team and customers
  • Ensure compliance with data protection regulations including GDPR, CCPA, and other applicable privacy laws
  • Maintain the integrity of API connections between WordPress sites and third-party CRM systems

2.0 Authority

Very Good Plugins, LLC is the sole authority for the development, maintenance, and security of the WP Fusion plugin. This policy is established by company leadership and applies to all employees, contractors, and third-party service providers.

3.0 Scope

This policy encompasses:

  • The WP Fusion WordPress plugin (both Lite and Pro versions)
  • The wpfusion.com website and associated infrastructure
  • Customer data processed through our systems
  • API integrations with 60+ CRM and marketing automation platforms
  • Support and documentation systems
  • Development and testing environments
  • Source code repositories (GitHub and private repositories)
  • Customer license and billing systems

4.0 Information Statement

4.1 Organizational Security

4.1.1 Security Roles and Responsibilities

Very Good Plugins maintains the following security functions:

Chief Technology Officer (CTO) – Responsible for:

  • Overall security strategy and risk management
  • Approval of security policies and procedures
  • Resource allocation for security initiatives
  • Incident response oversight

Lead Developer/Security Officer – Responsible for:

  • Technical security implementation
  • Code security reviews
  • Vulnerability management
  • Security testing and validation
  • Monitoring security advisories for WordPress and integrated systems

Support Team – Responsible for:

  • Secure handling of customer data during support interactions
  • Reporting potential security issues
  • Following data protection procedures

4.2 Plugin Security Architecture

4.2.1 Secure Development Practices

  • All code undergoes peer review before release
  • Security testing is performed for each release
  • WordPress coding standards and security best practices are followed
  • Input validation and sanitization are implemented for all user inputs
  • SQL queries use prepared statements to prevent injection attacks
  • Cross-site scripting (XSS) protection through proper output escaping
  • Cross-site request forgery (CSRF) protection using WordPress nonces
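The controls listed above (nonce check, least-privilege capability check, input sanitization, prepared statements and context-aware escaping) fit together in a single request handler. The following is an added example written for this policy, not WP Fusion's own code; the action name vgp_example_lookup, the table name {$wpdb->prefix}vgp_example_contacts and its columns are hypothetical.

```php
<?php
// Added example (hypothetical plugin code, not WP Fusion's own): a WordPress
// admin-ajax handler that applies the controls listed in 4.2.1.
// Assumptions: a custom table {$wpdb->prefix}vgp_example_contacts with
// columns id, email, crm_tag (hypothetical) and the manage_options capability.

add_action( 'wp_ajax_vgp_example_lookup', 'vgp_example_lookup' );

function vgp_example_lookup() {
    // CSRF protection: the request must carry a nonce created for this action.
    // check_ajax_referer() terminates the request when the nonce is missing or invalid.
    check_ajax_referer( 'vgp_example_lookup', 'nonce' );

    // Least privilege: a valid nonce proves intent, not authorization, so the
    // capability is checked separately.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    // Input validation and sanitization: unslash, then coerce to the expected type.
    $email = isset( $_POST['email'] ) ? sanitize_email( wp_unslash( $_POST['email'] ) ) : '';
    $limit = isset( $_POST['limit'] ) ? absint( $_POST['limit'] ) : 10;
    $limit = min( max( $limit, 1 ), 50 );

    if ( '' === $email || ! is_email( $email ) ) {
        wp_send_json_error( array( 'message' => 'A valid email address is required.' ), 400 );
    }

    global $wpdb;
    // The table name is built from the trusted $wpdb->prefix, not from user input.
    $table = $wpdb->prefix . 'vgp_example_contacts';

    // SQL injection protection: user-supplied values are bound through
    // $wpdb->prepare() placeholders (%s is quoted, %d is cast), never concatenated.
    $rows = $wpdb->get_results(
        $wpdb->prepare(
            "SELECT id, email, crm_tag FROM {$table} WHERE email = %s ORDER BY id DESC LIMIT %d",
            $email,
            $limit
        ),
        ARRAY_A
    );

    // XSS protection: escape at output time, for the context each value lands in
    // (attribute vs. element text).
    $html = '<ul>';
    foreach ( (array) $rows as $row ) {
        $html .= sprintf(
            '<li data-id="%s">%s &ndash; %s</li>',
            esc_attr( $row['id'] ),
            esc_html( $row['email'] ),
            esc_html( $row['crm_tag'] )
        );
    }
    $html .= '</ul>';

    wp_send_json_success( array( 'html' => $html ) );
}

// The nonce is generated server-side and handed to the browser (for example via
// wp_localize_script); the client returns it as the "nonce" field of the request.
function vgp_example_lookup_nonce() {
    return wp_create_nonce( 'vgp_example_lookup' );
}
```

The ordering matters: the nonce and capability checks run before any input is touched, and escaping is applied where the value is rendered rather than where it is stored, so the same database row can be safely emitted into HTML text, an attribute, or JSON.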

4.2.2 API Security

  • API communications use SSL/TLS encryption
  • OAuth 2.0 is supported where available
  • API rate limiting is implemented to prevent abuse
  • Error messages do not expose sensitive information
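To show how the API controls above look in plugin code, here is an added example written for this policy, not WP Fusion's own code. It assumes a hypothetical option name vgp_example_api_key for the customer's stored credential, a placeholder endpoint https://crm.example.invalid/v1/contacts, and bearer-token authentication; the rate limit is a simple per-site outbound cap, one possible reading of the "rate limiting" item.

```php
<?php
// Added example (hypothetical, not WP Fusion's own code): an outbound CRM API
// call that applies the controls in 4.2.2. Assumptions: the customer's API key
// is stored in the site's own WordPress options under 'vgp_example_api_key'
// (hypothetical), and the endpoint URL is a placeholder.

function vgp_example_crm_request( array $contact ) {
    $api_key = get_option( 'vgp_example_api_key', '' );
    if ( '' === $api_key ) {
        return new WP_Error( 'vgp_not_configured', 'CRM connection is not configured.' );
    }

    // Rate limiting: a fixed one-minute window counted in a transient, so a
    // runaway loop on the site cannot hammer the CRM API.
    $window_key = 'vgp_example_rate_' . gmdate( 'YmdHi' );
    $count      = (int) get_transient( $window_key );
    if ( $count >= 60 ) {
        return new WP_Error( 'vgp_rate_limited', 'Too many CRM requests; try again shortly.' );
    }
    set_transient( $window_key, $count + 1, 2 * MINUTE_IN_SECONDS );

    // TLS: https:// scheme plus sslverify => true so the server certificate is
    // validated. The credential travels in a header, never in the URL, because
    // URLs end up in access logs and referrers.
    $response = wp_remote_post(
        'https://crm.example.invalid/v1/contacts',
        array(
            'timeout'   => 15,
            'sslverify' => true,
            'headers'   => array(
                'Authorization' => 'Bearer ' . $api_key,
                'Content-Type'  => 'application/json',
            ),
            'body'      => wp_json_encode( $contact ),
        )
    );

    if ( is_wp_error( $response ) ) {
        // Record the transport failure for the site owner without the request
        // array (which would include the Authorization header), and surface
        // only a generic message to the user.
        error_log( 'vgp_example: CRM transport error: ' . $response->get_error_message() );
        return new WP_Error( 'vgp_transport', 'Could not reach the CRM. Please try again later.' );
    }

    $code = wp_remote_retrieve_response_code( $response );
    if ( $code < 200 || $code >= 300 ) {
        // The user-facing error carries the status code only; the raw response
        // body, which may echo request data or internal details, is not shown.
        error_log( 'vgp_example: CRM returned HTTP ' . $code );
        return new WP_Error( 'vgp_api_error', sprintf( 'CRM request failed (HTTP %d).', $code ) );
    }

    return json_decode( wp_remote_retrieve_body( $response ), true );
}
```

A caller checks the return value with is_wp_error() and shows only the WP_Error message to the user; the API key and the upstream response body never leave the server-side log.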

4.3 Data Classification and Handling

4.3.1 Data Categories

Highly Sensitive Data:

  • Customer API keys and credentials (stored only in customer’s WordPress database, never on our servers)
  • Customer personal information (PII)
  • Payment information
  • License keys

Sensitive Data:

  • OAuth authorization logs (connection URL, customer ID, authorization dates)
  • Customer contact information
  • CRM field mappings
  • Support ticket content
  • Usage analytics

Public Data:

  • Documentation
  • Marketing content
  • Plugin changelog

4.3.2 Data Handling Requirements

  • Customer API credentials are never stored on our servers – they remain exclusively in the customer’s WordPress database
  • OAuth authorizations are tracked for security auditing (URL, customer ID, dates) but credentials are never stored
  • Support requests requiring credential sharing use secure, temporary methods
  • Customer data in support tickets is retained only as long as necessary
  • No customer CRM data is stored on our servers; all processing happens on the customer’s WordPress site

4.4 Access Control

4.4.1 Administrative Access

  • Multi-factor authentication (MFA) is required for all administrative accounts
  • Access to production systems is limited to authorized personnel
  • Regular access reviews are conducted quarterly
  • Principle of least privilege is enforced

4.4.2 Customer Access

  • Customer accounts are protected by strong password requirements
  • License verification is performed for plugin updates
  • Account recovery procedures include identity verification

4.5 Vulnerability Management

4.5.1 Security Monitoring and Disclosure

Patchstack Partnership:

  • We voluntarily participate in the Patchstack Vulnerability Disclosure Program
  • Patchstack provides continuous vulnerability monitoring for WP Fusion
  • Security researchers can report vulnerabilities through Patchstack’s responsible disclosure platform
  • All reported vulnerabilities are triaged and validated by Patchstack’s security team
  • Public disclosure follows coordinated disclosure timelines to ensure patches are available before details are released
  • Our Patchstack profile is publicly available at: https://patchstack.com/database/wordpress/plugin/wp-fusion-lite

Additional Security Monitoring:

  • Regular automated security scans are performed on wpfusion.com
  • WordPress core and ecosystem security advisories are monitored daily
  • Third-party library vulnerabilities are tracked through dependency scanning
  • Proactive code reviews for security implications

4.5.2 Incident Response

  • Vulnerabilities reported through Patchstack are acknowledged within 24 hours
  • Security vulnerabilities are addressed within 24-48 hours of validation
  • Critical vulnerabilities trigger immediate patch releases
  • Patches are coordinated with Patchstack before public disclosure
  • Customers are notified of security updates through multiple channels
  • A detailed security changelog is maintained
  • CVE numbers are obtained for significant vulnerabilities when applicable

4.6 Third-Party Security

4.6.1 Integration Security

  • We maintain documentation on secure configuration for each CRM integration
  • API changes from third-party services are monitored
  • Integration-specific security considerations are documented

4.6.2 Infrastructure Providers

  • Hosting providers must maintain SOC 2 or equivalent certification
  • Payment processors must be PCI DSS compliant
  • Regular review of third-party security practices

4.7 Compliance with Data Protection Laws

4.7.1 Regulatory Compliance

  • Full compliance with General Data Protection Regulation (GDPR)
  • California Consumer Privacy Act (CCPA) compliance
  • Adherence to other applicable data protection laws based on customer location
  • Regular review of regulatory requirements (quarterly)
  • Legal counsel consultation for compliance matters

4.7.2 Data Protection Measures

Administrative Safeguards:

  • Designated Data Protection Officer role
  • Regular privacy impact assessments
  • Data processing agreements with all third parties
  • Employee confidentiality agreements
  • Privacy training for all staff

Technical Safeguards:

  • Encryption of personal data in transit and at rest
  • Pseudonymization where appropriate
  • Access controls based on least privilege principle
  • Regular security assessments and penetration testing
  • Data loss prevention measures

Physical Safeguards:

  • Secured data center facilities (Vultr)
  • Controlled access to systems containing personal data
  • Environmental controls to prevent data loss
  • Secure destruction of data-bearing media

4.8 Business Continuity and Data Resilience

4.8.1 Infrastructure and Hosting

Primary Hosting Infrastructure:

  • Hosted with Vultr at their New Jersey data center
  • Vultr maintains SOC 2 Type II, ISO 27001, and PCI DSS compliance
  • Infrastructure benefits from Vultr’s enterprise-grade security measures
  • 24/7 monitoring and DDoS protection
  • Redundant network connectivity and power systems

Security Measures:

  • Regular vulnerability scanning of all systems (automated weekly, manual quarterly)
  • Endpoint protection on all servers and development machines
  • Web Application Firewall (WAF) protection
  • Intrusion Detection/Prevention Systems (IDS/IPS)
  • SSL/TLS encryption for all data in transit
  • Encryption at rest for sensitive data storage

4.8.2 Backup and Recovery

  • Daily automated backups of all critical systems
  • Backups stored in geographically separate locations
  • 30-day backup retention for standard backups
  • 90-day retention for monthly archives
  • Source code maintained in version control with redundancy
  • Documentation backup and recovery procedures
  • Recovery Time Objective (RTO): 4 hours for critical systems
  • Recovery Point Objective (RPO): 24 hours maximum data loss
  • Quarterly restoration testing to verify backup integrity

4.8.3 Availability and Resilience

  • 99.9% uptime target for wpfusion.com
  • Redundant update servers for plugin distribution
  • CDN usage for static assets and plugin downloads
  • Load balancing for high availability
  • Automated failover procedures
  • Real-time monitoring with automated alerting
  • Capacity planning reviewed quarterly

4.8.4 Audit Logging and Monitoring

Event Logging:

  • All administrative access logged and retained for 90 days
  • OAuth authorization tracking (URL, customer ID, creation date, last authorization date)
  • API access logs maintained for security analysis
  • Error logs monitored for security incidents
  • User activity logs for support portal
  • Plugin update requests logged for security auditing

Log Protection:

  • Logs stored in tamper-resistant format
  • Access to logs restricted to authorized personnel
  • Regular log analysis for anomaly detection
  • Automated alerts for suspicious activities

4.8.5 Incident Response and Business Continuity

Incident Response Plan:

  • 24-hour response time for critical incidents
  • Defined escalation procedures
  • Communication protocols for customer notification
  • Post-incident review process
  • Regular incident response drills (bi-annually)

Business Continuity Plan:

  • Documented procedures for service restoration
  • Alternative communication channels established
  • Vendor contact lists maintained
  • Regular BCP testing (annually)
  • Cross-trained personnel for critical functions

4.8.6 Vendor Management

  • Due diligence performed on all critical vendors
  • Security requirements included in vendor contracts
  • Annual review of vendor security practices
  • Vultr’s compliance certifications verified annually
  • Payment processor PCI compliance verified
  • Third-party service SOC 2 reports reviewed when available

4.9 Security Awareness and Training

  • Regular security training for all team members
  • Secure coding training for developers
  • Phishing awareness training
  • Documentation of security procedures

4.10 Physical Security

  • Development work performed on secured, encrypted devices with endpoint protection
  • All development endpoints require automatic screen lock after 10 minutes of inactivity
  • Vultr data center physical security includes:
    • 24/7 on-site security personnel
    • Biometric access controls
    • CCTV surveillance
    • Environmental monitoring and controls
  • Secure disposal of hardware containing sensitive data using NIST-approved methods
  • Clean desk policy for handling of sensitive information
  • Locked storage for any physical media containing sensitive data

5.0 Compliance

This policy is effective immediately upon publication. All team members, contractors, and third-party service providers must comply with this policy. Non-compliance may result in disciplinary action up to and including termination of employment or contracts.

5.1 Exceptions

Requests for exceptions to this policy must be submitted in writing to the CTO with business justification and proposed compensating controls.

5.2 Policy Review

This policy will be reviewed annually or when significant changes occur to:

  • Business operations
  • Technology infrastructure
  • Regulatory requirements
  • Threat landscape

6.0 Definitions

  • API: Application Programming Interface – the connection method between WP Fusion and CRM systems
  • CRM: Customer Relationship Management system
  • MFA: Multi-Factor Authentication
  • PII: Personally Identifiable Information
  • SSL/TLS: Secure Sockets Layer/Transport Layer Security encryption protocols
  • WordPress Nonce: Number used once – WordPress’s CSRF protection mechanism
  • OAuth: Open Authorization – secure authorization protocol
  • Patchstack: Third-party vulnerability disclosure, monitoring, and coordination service that we voluntarily partner with for responsible security disclosure

7.0 Contact Information

Security concerns or questions about this policy should be directed to:

Very Good Plugins, LLC
Email: support [at] wpfusion.com
Support: https://wpfusion.com/contact/

Security Vulnerability Reporting: We encourage responsible disclosure of security vulnerabilities through our partnership with Patchstack:

For urgent security matters, you may also contact us directly at [email protected]

8.0 Revision History

  • August 2025 – Initial policy creation for Klaviyo marketplace submission (Reviewer: CTO)

9.0 Related Documents

10.0 Appendix A: CRM Integration Security Matrix

Due to the extensive number of CRM integrations (60+), WP Fusion maintains a security matrix documenting:

  • Authentication methods for each CRM
  • Encryption requirements
  • API rate limits
  • Data transmission protocols
  • Specific security considerations

This matrix is regularly updated and available to customers upon request.

11.0 Appendix B: Incident Response Procedures

11.1 Security Incident Classification

  • Critical: Remote code execution, authentication bypass, data breach
  • High: SQL injection, XSS with significant impact, privilege escalation
  • Medium: Limited XSS, information disclosure, CSRF
  • Low: Minor information leakage, deprecated function usage

11.2 Response Times

  • Critical: Immediate response, patch within 24 hours
  • High: Response within 24 hours, patch within 48 hours
  • Medium: Response within 48 hours, patch within 7 days
  • Low: Addressed in next regular release cycle

11.3 Communication Plan

  • Security advisories coordinated with Patchstack for responsible disclosure timing
  • Patches released before public vulnerability details are disclosed
  • Security advisories posted to wpfusion.com
  • Email notification to affected customers
  • Updates pushed through WordPress.org repository (for Lite version)
  • Direct customer portal notifications (for Pro version)
  • Patchstack database updated with patch information

This document represents Very Good Plugins, LLC’s commitment to maintaining the highest standards of information security for the WP Fusion plugin and its users.
