ESM Branding | Shopify TOMs

ESM Branding Ltd (“we”; “us”) is committed to protecting and respecting your data in relation to the services we provide through the Shopify e-commerce platform.
This page contains all the Technical and Organisational Measures for third parties that may have access to your data via any Shopify store constructed and managed by ESM Branding Ltd.

For further information on any of the third parties listed below, please get in touch.

Shopify Inc., Shopify International Limited, Shopify (Australia) Pty. Ltd., Shopify Commerce India Pvt. Ltd, Shopify (Japan), Shopify Commerce Singapore Pte. Ltd., Shopify UK Ltd., Shopify Commerce New Zealand Ltd.

Shopify Technical measures:

– Shopify encrypts credit card information in transit and at rest, and is PCI compliant.

– Shopify maintains a SOC 2 Type II and SOC 3 report (attached).

– Shopify conducts regular third-party penetration testing and vulnerability assessments.

– Shopify participates in a bug-bounty program to receive security reports.

– Employee access to Shopify infrastructure is controlled by a Single Sign-On account with two-factor authentication required (2FA).

– Shopify maintains employee internal access policies based on “least privilege”.

– Shopify provides merchants with the technical capability to honor all data subject requests.

– All merchant personal data is redacted after account termination, unless we are legally required to retain information for a specified period of time.

Shopify Organizational measures:

– Shopify publicly commits to object to any voluntary disclosure of data it holds, unless it is legally bound to produce information. When possible, Shopify commits to informing merchants of third party requests to access their data.

– Shopify publishes an annual Transparency Report detailing when Shopify is legally required to produce information.

– All Shopify employees receive privacy and security training.

– Shopify incident response teams are on-call 24 hours a day.

– All Shopify employees and contractors agree to confidentiality clauses in their employment contracts, and agree to abide by Shopify’s internal data protection policies.

– Shopify maintains an internal Privacy Working Group which raises and resolves privacy issues across the organization. If needed, issues are escalated to a Privacy Committee and the Board of Directors.

– Shopify does not knowingly disclose (or permit access to) the personal data it processes in a massive, disproportionate and indiscriminate manner to (or by) any governmental authority.

Amazon AWS

At AWS, our highest priority is securing our customers’ data, and we implement rigorous contractual, technical and organizational measures to protect its confidentiality, integrity, and availability regardless of which AWS Region a customer has selected.

AWS complies with ISO 27018, a code of practice that focuses on protection of personal data in the cloud. It extends ISO information security standard 27001 to cover the regulatory requirements for the protection of personally identifiable information (PII) or personal data for the public cloud computing environment and specifies implementation guidance based on ISO 27002 controls that is applicable to PII processed by public cloud service providers. For more information, or to view the AWS ISO 27018 Certification, see the AWS ISO 27018 Compliance webpage.

Additionally, AWS publishes a SOC 2 Type I Privacy report, based on the SOC 2 Privacy Trust Principle, developed by the American Institute of CPAs (AICPA), which establishes criteria for evaluating controls related to how personal data is collected, used, retained, disclosed, and disposed to meet the entity’s objectives. The AWS SOC 2 Privacy Type I report provides third-party attestation of our systems and the suitability of the design of our privacy controls, as stated in our Privacy Notice. The scope of the privacy report includes information about how we handle the content that you upload to AWS and how it is protected in all of the services and locations that are in scope for the latest AWS SOC reports. The SOC 2 Type I Privacy report can be downloaded through AWS Artifact in the AWS Management Console.

Many requirements under the GDPR focus on ensuring effective control and protection of personal data. AWS services give you the capability to implement your own security measures in the ways you need in order to enable your compliance with the GDPR, including specific measures such as:

  • Encryption of personal data
  • Ability to ensure the ongoing confidentiality, integrity, availability, and resilience of processing systems and services
  • Ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident
  • Processes for regularly testing, assessing, and evaluating the effectiveness of technical and organizational measures for ensuring the security of processing

More information on Amazon AWS data policy here – https://aws.amazon.com/compliance/gdpr-center/

You may also wish to read the Amazon Data Protection Agreement – https://aws.amazon.com/legal/online-data-processing-agreement/

SmartBear (Formerly Bugsnag)

SmartBear has implemented and will maintain commercially reasonable technical and organizational measures to protect Personal Data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access. Having regard to the state of the art and the cost of their implementation, SmartBear agrees that such measures shall ensure a level of security appropriate to the risks represented by the Processing and the nature of Personal Data to be protected. SmartBear may update the technical and organizational measures from time to time in light of technical development.

Technical and Organizational Measures:

SmartBear implements and maintains industry standard technical and organizational measures to protect the security of Personal Data that it processes in connection with its Services. Such measures include, as appropriate to the nature of the Personal Data processed, but are not limited to:

  • Firewall protections
  • Access controls
  • Protections against viruses and malware
  • Implementation of security settings
  • Implementation of updates to fix bugs and security vulnerabilities
  • Regular data backups

More information on SmartBear data processing here – https://smartbear.com/legal/data-processing-addendum/

You may also wish to read their Standard Contractual Clauses – https://docs.bugsnag.com/assets/pdf/bugsnag_inc_standard_contractual_clauses.pdf

Cloudflare

With respect to all Personal Data it processes in its role as a Processor or sub-Processor, Cloudflare warrants that it shall:

Implement appropriate technical and organizational measures to ensure a level of security appropriate to the risks that are presented by the processing of Personal Data, in particular protection against accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Personal Data. Such measures include, without limitation, the security measures set out in Annex 2 (“Security Measures”). Customer acknowledges that the Security Measures are subject to technical progress and development and that Cloudflare may update or modify the Security Measures from time to time, provided that such updates and modifications do not degrade or diminish the overall security of the Service;

Cloudflare has implemented and shall maintain an information security program in accordance with ISO/IEC 27000 standards. Cloudflare’s security program shall include:

Measures of encryption of Personal Data

Cloudflare implements encryption to adequately protect Personal Data using:

  • state-of-the-art encryption protocols designed to provide effective protection against active and passive attacks with resources known to be available to public authorities;
  • trustworthy public-key certification authorities and infrastructure;
  • effective encryption algorithms and parameterization, such as a minimum of 128-bit key lengths for symmetric encryption, and at least 2048-bit RSA or 256-bit ECC key lengths for asymmetric algorithms.

Measures for ensuring ongoing confidentiality, integrity, availability and resilience of processing systems and services

Cloudflare enhances the security of processing systems and services in production environments by:

  • employing a code review process to increase the security of the code used to provide the Services; and testing code and systems for vulnerabilities before and during use;
  • maintaining an external bug bounty program;
  • using checks to validate the integrity of encrypted data, and
  • employing preventative and reactive intrusion detection.

Cloudflare deploys high-availability systems across geographically-distributed data centers.

Cloudflare implements input control measures to protect and maintain the confidentiality of Personal Data including:

  • an authorization policy for the input, reading, alteration and deletion of data;
  • authenticating authorized personnel using unique authentication credentials (passwords) and hard tokens;
  • automatically signing-out user IDs after a period of inactivity;
  • protecting the input of data, as well as the reading, alteration and deletion of stored data; and
  • requiring that data processing facilities (the rooms housing the computer hardware and related equipment) are kept locked and secure.

Measures for ensuring the ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident

Cloudflare implements measures to ensure that Personal Data is protected from accidental destruction or loss, including by maintaining:

  • disaster-recovery and business continuity plans and procedures;
  • geographically-distributed data centres;
  • redundant infrastructure, including power supplies and internet connectivity;
  • backups stored at alternative sites and available for restore in case of failure of primary systems; and
  • incident management procedures that are regularly tested.

Processes for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures in order to ensure the security of the processing

Cloudflare’s technical and organisational measures are regularly tested and evaluated by external third-party auditors as part of Cloudflare’s Security & Privacy Compliance Program. These may include annual ISO/IEC 27001 audits; AICPA SOC 2 Type II; PCI DSS Level 1; and other external audits. Measures are also regularly tested by internal audits, as well as annual and targeted risk assessments.

Measures for user identification and authorisation

Cloudflare implements effective measures for user authentication and privilege management by:

  • applying a mandatory access control and authentication policy;
  • applying a zero-trust model of identification and authorisation;
  • authenticating authorized personnel using unique authentication credentials and strong multi-factor authentication, including requiring the use of physical hard tokens;
  • allocating and managing appropriate privileges according to role, approvals, and exception management; and
  • applying the principle of least privilege access.

Measures for the protection of data during transmission

Cloudflare implements effective measures to protect Personal Data from being read, copied, altered or deleted by unauthorized parties during transmission, including by:

  • using state-of-the-art transport encryption protocols designed to provide effective protection against active and passive attacks with resources known to be available to public authorities;
  • using trustworthy public-key certification authorities and infrastructure;
  • implementing protective measures against active and passive attacks on the sending and receiving systems providing transport encryption, such as adequate firewalls, mutual TLS encryption, API authentication, and encryption to protect the gateways and pipelines through which data travels, as well as testing for software vulnerabilities and possible backdoors;
  • employing effective encryption algorithms and parameterization, such as a minimum of 128-bit key lengths for symmetric encryption, and at least 2048-bit RSA or 256-bit ECC key lengths for asymmetric algorithms;
  • using correctly implemented and properly maintained software, covered under a vulnerability management program, and tested for conformity by auditing;
  • enforcing secure measures to reliably generate, manage, store and protect encryption keys; and
  • audit logging, monitoring, and tracking data transmissions.

Measures for the protection of data during storage

Cloudflare implements effective measures to protect Personal Data during storage, controlling and limiting access to data processing systems, and by:

  • using state-of-the-art encryption protocols designed to provide effective protection against active and passive attacks with resources known to be available to public authorities;
  • using trustworthy public-key certification authorities and infrastructure;
  • testing systems storing data for software vulnerabilities and possible backdoors;
  • employing effective encryption algorithms and parameterization, such as requiring all disks storing Personal Data to be encrypted with AES-XTS using a key length of 128-bits or longer;
  • using correctly implemented and properly maintained software, covered under a vulnerability management program, and tested for conformity by auditing;
  • enforcing secure measures to reliably generate, manage, store and protect encryption keys;
  • identifying and authorizing systems and users with access to data processing systems;
  • automatically signing-out users after a period of inactivity; and
  • audit logging, monitoring, and tracking access to data processing and storage systems.

Cloudflare implements access controls to specific areas of data processing systems to ensure only authorized users are able to access the Personal Data within the scope and to the extent covered by their respective access permission (authorization) and that Personal Data cannot be read, copied or modified or removed without authorization. This shall be accomplished by various measures including:

  • employee policies and training in respect of each employee’s access rights to the Personal Data;
  • applying a zero-trust model of user identification and authorisation;
  • authenticating authorized personnel using unique authentication credentials and strong multi-factor authentication, including requiring the use of physical hard tokens;
  • monitoring actions of those authorised to delete, add or modify Personal Data;
  • releasing data only to authorized persons, including the allocation of differentiated access rights and roles; and
  • controlling access to data, with controlled and documented destruction of data.

Measures for ensuring physical security of locations at which Personal Data are processed

Cloudflare maintains and implements effective physical access control policies and measures in order to prevent unauthorized persons from gaining access to the data processing equipment (namely database and application servers, and related hardware) where the Personal Data are processed or used, including by:

  • establishing secure areas;
  • protecting and restricting access paths;
  • establishing access authorizations for employees and third parties, including the respective documentation;
  • logging, monitoring, and tracking all access to data centers where Personal Data are hosted; and
  • data centers where Personal Data are hosted are secured by security alarm systems, and other appropriate security measures.

Measures for ensuring events logging

Cloudflare has implemented a logging and monitoring program to log, monitor and track access to personal data, including by system administrators and to ensure data is processed in accordance with instructions received. This is accomplished by various measures, including:

  • authenticating authorized personnel using unique authentication credentials and strong multi-factor authentication, including requiring the use of physical hard tokens;
  • applying a zero-trust model of user identification and authorisation;
  • maintaining updated lists of system administrators’ identification details;
  • adopting measures to detect, assess, and respond to high-risk anomalies;
  • keeping secure, accurate, and unmodified access logs to the processing infrastructure for twelve months; and
  • testing the logging configuration, monitoring system, alerting and incident response process at least once annually.

Measures for ensuring system configuration, including default configuration

Cloudflare maintains configuration baselines for all systems supporting the production data processing environment, including third-party systems. Configuration baselines should align with industry best practices such as the Center for Internet Security (CIS) Level 1 benchmarks. Automated mechanisms must be used to enforce baseline configurations on production systems, and to prevent unauthorized changes. Changes to baselines are limited to a small number of authorized Cloudflare personnel, and must follow change control processes. Changes must be auditable, and checked regularly to detect deviations from baseline configurations.

Cloudflare configures baselines for the information system using the principle of least privilege. By default, access configurations are set to “deny-all,” and default passwords must be changed to meet Cloudflare’s policies prior to device installation on the Cloudflare network, or immediately after software or operating system installation. Systems are configured to synchronize system time clocks based on International Atomic Time or Coordinated Universal Time (UTC), and access to modify time data is restricted to authorized personnel.

Measures for internal IT and IT security governance and management

Cloudflare maintains internal policies on the acceptable use of IT systems and general information security. Cloudflare requires all employees to undertake general security and privacy awareness training at least every year. Cloudflare restricts and protects the processing of Personal Data, and has documented and implemented:

  • a formal Information Security Management System (ISMS) in order to protect the confidentiality, integrity, authenticity, and availability of Cloudflare’s data and information systems, and to ensure the effectiveness of security controls over data and information systems that support operations; and
  • a formal Privacy Information Management System (PIMS) in order to protect the confidentiality, integrity, authenticity, and availability of the policies and procedures supporting Cloudflare’s global managed network, as both a processor and a controller of customer information.

Cloudflare will keep documentation of technical and organizational measures in case of audits and for the conservation of evidence. Cloudflare shall take reasonable steps to ensure that persons employed by it, and other persons at the place of work concerned, are aware of and comply with the technical and organizational measures set forth in this Annex 2.

Measures for certification/assurance of processes and products

The implementation of Cloudflare’s ISMS and related security risk management processes have been externally certified to the industry-standard ISO/IEC 27001. The implementation of Cloudflare’s comprehensive PIMS has been externally certified to the industry-standard ISO/IEC 27701, as both a processor and controller of customer information.

Cloudflare maintains PCI DSS Level 1 compliance for which Cloudflare is audited annually by a third-party Qualified Security Assessor. Cloudflare has undertaken other certifications such as the AICPA SOC 2 Type II certification in accordance with the AICPA Trust Service Criteria, and details of these and other certifications that Cloudflare may undertake from time to time will be made available on Cloudflare’s website.

Fastly

Fastly services by default do not process personal data other than IP addresses to route requests and deliver content.

Fastly will maintain administrative, physical, and technical safeguards for protection of the security, confidentiality and integrity of Personal Data as described in the Security Measures applicable to the specific Services purchased by data exporter, as updated from time to time, and accessible via https://docs.fastly.com/guides/security-measures/ or otherwise made reasonably available by Fastly.

Processes for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures in order to ensure the security of the processing

Fastly’s Security Measures are regularly tested and evaluated by third-party auditors, including as part of annual AICPA SOC 2 Type 2 and PCI DSS Level 1 audits. Fastly also conducts internal audits and risk assessments.

More information on Fastly data processing here – https://www.fastly.com/data-processing

Google Maps, Google Cloud Platform

Where Google acts as a data processor, Google commits to implementing and maintaining technical and organisational measures providing an appropriate level of security, as specified in Appendix 2 of the Google Ads Data Processing Terms, and to ensuring appropriate security compliance by its staff. The measures specified in the Google Ads Data Processing Terms include measures to encrypt personal data; to help ensure ongoing confidentiality, integrity, availability and resilience of Google’s systems and services; to help restore timely access to personal data following an incident; and for regular testing of effectiveness. Google further commits to notifying customers of any data incidents without undue delay and to promptly take steps to secure any affected data. Where Google acts as a data controller, Google contractually commits in the Google Ads Controller-Controller Data Protection Terms to comply with its GDPR obligations, which include its security obligations in Article 32 of the GDPR. In addition, when it acts as data importer, Google commits in the SCCs to implementing and maintaining technical and organisational security measures that are appropriate to the risks presented by the processing.

Google has a robust set of policies and technical and organisational controls in place to ensure the separation between pseudonymous online identifiers and personally identifiable user data (i.e. information that could be used on its own to directly identify, contact, or precisely locate an individual), such as a user’s Google account data. Technical protection measures for keeping pseudonymous online identifiers separate from identifiable user data include the encryption of identifiers with rotating keys.

More information on Google Maps data processing here – https://cloud.google.com/terms/data-processing-terms

and their safeguards for international data transfers here – https://services.google.com/fh/files/misc/safeguards_for_international_data_transfers.pdf

Splunk

Splunk employs technical and organizational measures to protect customer data and has certified its Splunk Cloud service to industry leading security standards, such as SOC2 Type II and ISO 27001. Splunk also offers heightened security standards for those customers who require Splunk Cloud’s HIPAA (Health Insurance Portability and Accountability Act) or PCI (Payment Card Industry) environments. For more on this topic, see Splunk’s compliance certifications, standards and regulations.

The specific technical and organizational measures are listed below:

  • Pseudonymisation and encryption of personal data;
  • Ongoing confidentiality, integrity, availability and resilience of processing systems and services;
  • The ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;
  • Processes for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing;
  • User identification and authorisation;
  • Protection of data during transmission;
  • Protection of data during storage;
  • Physical security of locations at which personal data are processed;
  • Event logging;
  • System configuration, including default configuration;
  • Internal IT and IT security governance and management;
  • Certification / assurance of processes and products;
  • Allowing data portability and ensuring erasure.

At ESM Branding we do our very best to keep this page and all the Technical and Organizational Measures herein up to date.

Third parties do amend their TOMs from time to time, so for the latest measures please speak with your Account Director.

Page last updated February 2024.
