Skip to Main Content

Security Statement

: April 3, 2023

Web2 is a product of
Lynch Incorporated (L2)

Security is a top priority for Web2. This site provides a high-level overview of our security practices for all of our web hosting solutions. Have questions or feedback? Feel free to reach out to us at


Cloud infrastructure
  • All of our services run in the cloud. We don't host or run our own routers, load balancers, DNS servers, or physical servers. Our services are built on Amazon Web Services and Kinsta/Google Cloud. They provide strong security measures to protect our infrastructure and are compliant with most certifications. You can read more about their practices here: AWS and Kinsta
  • We use Infrastructure as Code and Kinsta tooling to provision and manage cloud infrastructure and services. This gives us consistent, repeatable, and fast provisioning of development, test, and production environments.

Network level security protection

Our network security architecture consists of multiple security layers. We protect our networks to make sure no unauthorized access is performed using a mixture of these solutions:

  • Containerized environment isolated from other applications.
  • A virtual private cloud (VPC), and a bastion host or VPN with network access control lists (ACL's).
  • A firewall that monitors and controls incoming and outgoing network traffic.
  • Cloudflare Enterprise security.
  • We use an application firewall solution to monitor and block potential malicious packets.
  • IP address filtering.

Data encryption

Encryption in transit
  • All data sent to or from our infrastructure is encrypted in transit via industry best-practices using Transport Layer Security (TLS) v1.2 or higher.
Encryption at rest
  • All of our sensitive user data (including passwords) is encrypted in the database.

Data retention and removal

Business continuity and disaster recovery

  • We back up all our critical assets and regularly attempt to restore the backup to guarantee a fast recovery in case of disaster.

Application security

  • We have configured a web application firewall (AWS WAF, Cloudflare Enterprise WAF) in front of our web servers to help protect web applications from attacks.
  • We use a security monitoring solution to get visibility into our application security, identify attacks and respond quickly to a data breach.
  • We use technologies to monitor exceptions, logs and detect anomalies in our applications.
  • We collect and store logs to provide an audit trail of our applications activity.
  • We check input fields for proper typing and to prevent insecure input.

Secure development

  • We have a culture that encourages open discussion about security. Developers share best practices about common vulnerabilities and threats.
  • We review our code for security vulnerabilities.
  • We regularly update our dependencies and make sure none of them has known vulnerabilities.



  • We're compliant to the General Data Protection Regulation (GDPR). The purpose of GDPR is to protect the private information of EU citizens and give them more control over their personal data. Contact us for more details on how we comply to GDPR.

Payment information

  • Payment processing is safely outsourced to Stripe, WorldPay, Windcave, and Tessitura Merchant Services which are certified as a PCI Level 1 Service Provider. We don't collect any payment information. SAQ-A
  • Legacy Payment Processing is handled under our PCI compliance in our CDE. SAQ-D

Employee access

  • Our strict internal procedure prevents any employee or administrator from gaining access to user data. Limited exceptions can be made for customer support.
  • We practice the Principle of Least Privilege to minimize the risk of our environment being compromised.
  • All our employees sign a Non-Disclosure and Confidentiality Agreement when joining the company to protect our customers' sensitive information.

Tessitura Data

  • All constituent data is stored in our client's Tessitura system.
  • We do not store your constituent data. We only access the data through the Tessitura API.
  • You control the amount of access we have via the Tessitura security application.
  • By default, we do not move any constituent data, institutional data or marketing content (text, images, seasons, productions, etc…) that is stored in our clients Tessitura system into WordPress, you control and automate that data.
  • We do not permanently store your constituent or institutional data.
  • Data that is transferred is in memory, encrypted and is ephemeral.
  • Constituent web session data is not permanently stored and is destroyed at the end of the session.

WordPress Data

  • All marketing content (text , images, seasons, productions, etc…) used for the website is stored in WordPress.
  • WordPress will handle any data that you choose to push into WordPress.
  • By default, we do not move any marketing content (text , images, seasons, productions, etc…) that is stored in our clients WordPress account into Tessitura.


Legacy Data

  • All PII data stored is encrypted in transit and at rest.