Security

2. Data Encryption

2.1 Data in Transit: All data transmitted between your browser and our servers is encrypted using TLS 1.3 (or TLS 1.2 minimum). We enforce HTTPS for all connections and use HSTS (HTTP Strict Transport Security) to prevent downgrade attacks.

2.2 Data at Rest: Data stored in our databases and file systems is encrypted using AES-256 encryption. Encryption keys are managed through secure key management systems with automatic rotation.

2.3 API Communications: All API communications between our systems and Third-Party Providers are encrypted and authenticated using secure tokens and certificates.

3. Authentication and Access Control

3.1 User Authentication:

• Secure password hashing using bcrypt with appropriate work factors
• Optional two-factor authentication (2FA) for enhanced account security
• Rate limiting on authentication attempts to prevent brute force attacks
• Secure session management with automatic timeout

3.2 Password Requirements:

• Minimum 8 characters with complexity requirements
• Password strength indicators during registration
• Password reset through secure, time-limited email links
• Protection against common and compromised passwords

3.3 Internal Access Control:

• Role-based access control (RBAC) for all internal systems
• Principle of least privilege for employee access
• Multi-factor authentication required for all administrative access
• Regular access reviews and immediate revocation upon role changes

4. Application Security

4.1 Secure Development:

• Secure coding practices following OWASP guidelines
• Code review requirements for all changes
• Automated security scanning in CI/CD pipeline
• Regular dependency updates and vulnerability scanning

4.2 Input Validation:

• Server-side validation for all user inputs
• Protection against SQL injection, XSS, and CSRF attacks
• Content Security Policy (CSP) headers
• Input sanitization and output encoding

4.3 Security Testing:

• Regular vulnerability assessments
• Penetration testing by qualified third parties
• Responsible disclosure policy for security researchers
• Automated security testing in development workflow

5. Shopify Integration Security

When you access ecomVance through the Shopify App Store, additional security measures are in place to protect the integration between your Shopify store and our services.

5.1 Store-Specific API Credentials:

• Unique Credentials: Each Shopify store receives unique API credentials (api_key and api_secret) upon app installation
• Secret Hashing: API secrets are hashed using SHA-256 before storage; we never store plaintext API secrets in our database
• Credential Rotation: API secrets are regenerated on each app reinstallation for enhanced security
• Credential Format: API keys use a distinct format (ev_shop_xxx) for easy identification and audit logging

5.2 Master API Key Authentication:

• Plugin Authentication: The Shopify plugin authenticates with our backend using a master API key during initial store connection
• Environment Variables: Master API keys are stored as environment variables, never in source code
• Key Validation: All requests are validated against the master key before store credentials are issued

5.3 Shopify Session Token Validation:

• App Bridge Integration: ecomVance validates Shopify session tokens using the Shopify App Bridge framework
• JWT Verification: Session tokens are cryptographically verified to ensure authenticity
• Token Expiration: Session tokens have short expiration times to minimize the window of vulnerability

5.4 Webhook Security:

• HMAC Verification: All incoming Shopify webhooks are verified using HMAC-SHA256 signatures
• Webhook Secret: Webhook secrets are unique per store and securely stored
• GDPR Webhooks: We implement mandatory GDPR webhooks (shop/redact) to ensure compliance with Shopify's data protection requirements

5.5 Data Isolation:

• Store Separation: Each Shopify store's data is logically isolated using store-specific identifiers
• Access Control: API credentials only grant access to the associated store's data
• Credit Isolation: Plan credits and package credits are tracked separately per store

5.6 CORS and Origin Validation:

• Allowed Origins: API endpoints only accept requests from approved Shopify domains (*.myshopify.com, admin.shopify.com, *.shopify.com)
• Preflight Handling: Proper CORS preflight request handling for secure cross-origin communication
• CDN Domains: Shopify CDN domains are whitelisted for image processing operations

6. Monitoring and Incident Response

6.1 Security Monitoring:

• 24/7 automated security monitoring and alerting
• Real-time threat detection and anomaly identification
• Log aggregation and analysis for security events
• Network traffic monitoring for suspicious patterns
• User behavior analytics for insider threat detection

6.2 Logging and Auditing:

• Comprehensive audit logging of all security-relevant events
• Log integrity protection to prevent tampering
• Log retention for compliance and forensic purposes
• Regular log review and analysis

6.3 Incident Response:

• Response Team: Dedicated security incident response team with defined roles and responsibilities
• Response Plan: Documented incident response procedures for various threat scenarios
• Notification: Prompt notification to affected users in case of security breaches as required by law
• Post-Incident: Thorough post-incident analysis and improvement implementation

6.4 Business Continuity:

• Regular backup procedures with tested recovery processes
• Disaster recovery planning and testing
• Redundant systems to ensure service availability
• Documented business continuity procedures

7. Physical Security

7.1 Data Center Security: Our cloud infrastructure providers maintain SOC 2 certified data centers with:

• 24/7 physical security with access controls and monitoring
• Biometric access controls and multi-factor authentication for data center entry
• Video surveillance with retention of security footage
• Environmental controls including fire suppression and climate management

7.2 Office Security:

• Physical access controls to office facilities
• Secure workstation policies including screen locking and encryption
• Clean desk policy for sensitive documents
• Secure disposal of physical media and documents

8. Employee Security

8.1 Personnel Security:

• Background checks for employees with access to sensitive systems or data
• Confidentiality agreements and security policies acknowledged by all employees
• Regular security awareness training
• Clear security responsibilities defined in job descriptions

8.2 Access Management:

• Principle of least privilege for all employee access
• Regular access reviews and prompt deprovisioning upon termination
• Multi-factor authentication required for all employee accounts
• Separate administrative accounts for privileged operations

8.3 Security Training:

• Mandatory security awareness training for all new employees
• Annual security refresher training
• Phishing awareness and testing programs
• Role-specific security training for developers and administrators

9. Compliance and Certifications

9.1 Regulatory Compliance:

• GDPR: Full compliance with the EU General Data Protection Regulation
• CCPA: Compliance with the California Consumer Privacy Act
• KVKK: Compliance with Turkish Personal Data Protection Law
• UK GDPR: Compliance with the UK General Data Protection Regulation

9.2 Infrastructure Certifications:

• Our infrastructure providers maintain SOC 2 Type II certification
• ISO 27001 certified infrastructure
• PCI DSS compliance for payment processing

9.3 Security Assessments:

• Regular third-party security assessments and penetration testing
• Annual security audit and compliance review
• Continuous vulnerability assessment program
• Bug bounty program for responsible disclosure (planned for future)

10. User Security Responsibilities

10.1 Account Security: While we implement comprehensive security measures, you play a crucial role in protecting your account:

• Use a strong, unique password for your ecomVance account
• Enable two-factor authentication when available
• Never share your login credentials with others
• Keep your recovery information up to date
• Log out when using shared or public devices

10.2 Reporting Security Issues:

• Report any suspected security vulnerabilities to our security team immediately
• Do not attempt to exploit or test vulnerabilities without authorization
• Provide detailed information to help us investigate and resolve issues

10.3 Suspicious Activity:

• Report any unauthorized access or suspicious activity on your account
• Be vigilant against phishing attempts claiming to be from ecomVance
• Verify the authenticity of any communication requesting sensitive information

11. Security Updates and Communication

11.1 Policy Updates: We may update this Security Policy periodically to reflect changes in our security practices, technology, or legal requirements. Material changes will be communicated through our website and email notifications.

11.2 Security Advisories: In the event of security incidents that may affect your data or account, we will notify you promptly through email and our platform's notification system.

11.3 Transparency: We are committed to transparency about our security practices and will provide updates about significant security improvements or changes.

12. Contact Information

For security-related questions, concerns, or to report a security vulnerability, please contact:

ecomVance Support:
Email: hello@ecomvance.ai

BEY AGENCY LTD (Parent Company):
Email: hi@bey.agency
Website: https://bey.agency/
Address: Suite 90415 Brayford Square, London, United Kingdom, E1 0SG
Company Number: 16435596