Data Protection and Retention Policy
Data Protection and Retention Policy
1. Data Retention
This website only retains Personally Identifiable Information for shipping purposes up until the time the item has shipped. No information on a particular customer is stored for more than 30 days, and upon shipping all information is permanently removed from storage. No customer information is backed up except your purchase reference information. "Personally Identifiable Information" ("PII") means information that can be used on its own or with other information to identify, contact, or locate an individual.
2. Network and Physical Security
Access to this website's code and database are restricted behind firewall, shared keys, and encryption. The physical location of the server is protected by multiple layers of keypass and security checks. Regular review of all access logs are performed by the System Administrator, and protected by employment restricted access which is regularly reviewed. In addition regular scans using Nessus security software are performed against the I.T. Infrastructure. All access is restricted to individual accounts, there are no shared accounts used to access PII or any other information.
Data-in-transit is always encrypted and follows modern standards enforced by PCI Compliance. In addition all backend traffic is encrypted and maintains updated CA authorities and PCI Compliant encryption standards.
3. PII Encryption
Until product is shipped all PII resting in the database is encrypted, and inaccessible from the main website database. In addition access to decrypted PII (until the product ships) is protected by unique accounts per-employee. Employee audits and peer reviews are done on a bi-annual basis. Upon termination, employee access is immediately revoked.
4. Request For Deletion
All integrations and use of PII or other information from Third Party software may be requested for deletion by contacting firstname.lastname@example.org
5. Incident Response
Detailed response plans are maintained, updated, and made available on request to Third Party vendors by contacting email@example.com. Upon security incident, the System Administrator will backup all logging information, block access to affected devices and information, and assess the breach. Protocol for incident response is determined by the extent of the security breach. Escalation to a Third Party will occur if:
- Access to the Third Party via API, keys, or stored data is breached
- Access to PII or other information provided by the Third Party is accessed or decrypted
If a breach of security to Third Party (Facebook, Amazon, Shopify) environment occurs, the Third Party will be notified immediately upon discovery, and access to the Third Party will be temporarily disabled until the reason and depth of the breach is discovered. All logs containing access to the server environment are saved permanently in case of audit. No PII is contained in the logs, though IP address of the access request producing the log is maintained.
6. Logging and Monitoring
The server environment is logged and monitored 24 hours a day, 7 days a week. Irregularities in access logs are immediately alerted to the System Administrator by log monitoring software. In the case of a detected intrusion, firewall and security software immediately blocks the offending connection until review by the System Administrator. Logs are maintained permanently, and contain no PII. Any incident detected and escalated in the logging or monitoring software are inspected and then noted to the incident log by the System Administrator. PCI Compliance requirements for processing credit card transactions are audited and maintained by the System Administrator. Access to audit logs or historical logging may be requested by any Third Party in connection with the website, requests may be directed to firstname.lastname@example.org