Security

Convictional is committed to ensuring that the order, partner and product data that lives in our services is owned and controlled by you. We continue to improve how we handle security.

Security Policies

We follow current security best practice when it comes to sensitive credentials. Important database credentials and other private keys are retained only by the security officer of the corporation. All services that use these keys do so in a way that is secure. All staff accounts across services with sensitive access are reviewed by the CEO and require 2-factors of authentication to prevent unauthorized access, internally or externally.

Architecture

Convictional services are built on top of Amazon Web Services and we use various Google Cloud products. Here is a microsite where you can learn more about the security of Google Cloud. We connect with third-party payment gateways like Stripe and Apruve to store sensitive payment information and we retain only the ability to change your customers on your behalf but not their (or your) payment information.

Our Customer Data

Our database is backed up on a rolling basis four times a day with offsite redundant backups. The database itself is encrypted at rest, meaning that even if someone was able to breach our cloud services provider, the data would require authentication in order to be decrypted. No static data is retained on development or staff machines. We will never sell or allow third-parties access to your data. Every action we perform is logged and accessible from your admin when you log in. No one here can see what your password is and it is stored encrypted.

Consumer Data

We store the following consumer personally identifyable information so that our customers can ship orders on behalf of their customers:

  • First name
  • Last name
  • Street address
  • Postal or zip code
  • Region, province or state
  • Country

Our customers can choose to delete archived orders, which removes all PII listed above from our system permanently.

We do not store the following: email address, phone number, IP address or any other PII with respect to consumers.

Transit

Access to all Convictional services is encrypted in transit through SSL. This includes the admin application, requests and responses from our API, our help and API documentation, our website and our communications. Many Convictional services are not exposed to the internet at all. When we connect with third-party services on your behalf, we always force encrypted connections according to current security best practice.

Support

Support cannot access sensitive business documents in your system and your approval is required to connect to your commerce platform or manage documents in your account. This creates a bit more friction for us when we provide you support but the trade off is that none of us know what is happening in your account unless you approve access. Anyone with the ability to gain this access is trained to ensure compliance.

Security disclosures

We will investigate all security issues that are reported. Please email us: support@convictional.com. We will respond as soon as we can. We request that you not disclose the issue until we are able to respond to you about it.

We are open to awarding researchers or users who help to identify security issues in our application. If we take an action as a result of your disclosure, we will compensate you according to the severity of the disclosure and the time it took to complete. Please provide relevant details when notifying us.