Security

Convictional is committed to ensuring that the order, partner and product data that lives in our services is owned and controlled by you. We continue to improve how we handle security.

Security Policies

We follow current security best practice when it comes to sensitive credentials. Important database credentials and other private keys are retained only by the security officer of the corporation. All services that use these keys do so in a way that is secure. All staff accounts across services with sensitive access are reviewed by the CEO and require 2-factors of authentication to prevent unauthorized access, internally or externally.

Architecture

Convictional services are built on top of Amazon Web Services and we use various AWS products. Here is a microsite where you can learn more about the security of AWS. We connect with third-party payment gateways like Stripe and Apruve to store sensitive payment information and we retain only the ability to change your customers on your behalf but not their (or your) payment information.

Customer Data

Our entire database is backed up on a rolling basis four times a day with offsite redundant backups. The database itself is encrypted at rest, meaning that even if someone was able to breach our cloud services provider, the data would require authentication in order to be decrypted. No static data is retained on development or staff machines. We will never sell or allow third-parties access to your data. Every action we perform is logged and accessible from your admin when you log in. No one here can see what your password is and it is stored encrypted.

Transit

Access to all Convictional services is encrypted in transit through SSL. This includes the admin application, requests and responses from our API, our help and API documentation, our website and our communications. Many Convictional services are not exposed to the internet at all. When we connect with third-party services on your behalf, we always force encrypted connections according to current security best practice.

Support

Support cannot access sensitive business documents in your system and your approval is required to connect to your commerce platform or manage documents in your account. This creates a bit more friction for us when we provide you support but the trade off is that none of us know what is happening in your account unless you approve access. Anyone with the ability to gain this access is trained to ensure compliance.