Convictional is committed to ensuring that the order, partner and product data that lives in our services is owned and controlled by you. We continue to improve how we handle security.
We follow current security best practice when it comes to sensitive credentials. Important database credentials and other private keys are retained only by the security officer of the corporation. All services that use these keys do so in a way that is secure. All staff accounts across services with sensitive access are reviewed by the CEO and require two-factor authentication to prevent unauthorized access.
Convictional services are built on top of Google Cloud Platform. Here is a microsite where you can learn more about the security of Google Cloud. We connect with third-party payment gateways like Stripe to store sensitive payment information and we retain only the ability to change your customers on your behalf but not their (or your) payment information.
Our database is backed up on a rolling basis four times a day with offsite redundant backups. The database itself is encrypted at rest, meaning that even if someone were able to breach our cloud services provider, the data would require authentication in order to be decrypted. No static data is retained on development or staff machines. We will never sell your data or allow third parties access to it. Every action we perform is logged and accessible. No one here can see what your password is and it is stored encrypted.
We store the following consumer personally identifiable information so that our customers can ship orders on behalf of their customers:
Postal or zip code
Region, province or state
Our customers can choose to delete archived orders, which removes all PII listed above from our system permanently.
We do not store the following: email address, phone number, IP address or any other consumer PII.
Access to all Convictional services is encrypted in transit through SSL. This includes the admin application, requests and responses from our API, our help and API documentation, our website and our communications. Many Convictional services are not exposed to the internet at all. When we connect with third-party services on your behalf, we always force encrypted connections according to best practice.
Support cannot access sensitive business documents in your system and your approval is required to connect to your commerce platform or manage documents in your account. This creates a bit more friction for us when we provide you support, but the trade-off is that none of us know what is happening in your account unless you approve access. Anyone with the ability to gain this access is trained for compliance.
We will investigate all security issues that are reported. Please email us: firstname.lastname@example.org. We will respond as soon as we can. We request that you not disclose the issue until we are able to respond.
We are open to awarding researchers or users who help to identify security issues in our application. If we take an action as a result of your disclosure, we will compensate you according to the severity of the disclosure and the time it took to complete. Please provide relevant details when notifying us.