Shopify Technical measures:
Shopify encrypts credit card information in transit and at rest, and is PCI compliant.
– Shopify maintains a SOC 2 Type II and SOC 3 report (attached).
– Shopify conducts regular third-party penetration testing and vulnerability assessments.
– Shopify participates in a bug-bounty program to receive security reports.
– Employee access to Shopify infrastructure is controlled by a Single Sign-On account with two-factor authentication (2FA) required.
– Shopify maintains employee internal access policies based on “least privilege”.
– Shopify provides merchants with the technical capability to honor all data subject requests.
– All merchant personal data is redacted after account termination, unless we are legally required to retain information for a specified period of time.
Shopify Organizational measures:
Shopify publicly commits to object to any voluntary disclosure of data it holds, unless it is legally bound to produce information. When possible, Shopify commits to informing merchants of third party requests to access their data.
– Shopify publishes an annual Transparency Report detailing when Shopify is legally required to produce information.
– All Shopify employees receive privacy and security training.
– Shopify incident response teams are on-call 24 hours a day.
– All Shopify employees and contractors agree to confidentiality clauses in their employment contracts, and agree to abide by Shopify’s internal data protection policies.
– Shopify maintains an internal Privacy Working Group which raises and resolves privacy issues across the organization. If needed, issues are escalated to a Privacy Committee and the Board of Directors.
– Shopify does not knowingly disclose (or permit access to) the personal data it processes in a massive, disproportionate and indiscriminate manner to (or by) any governmental authority.
At AWS, our highest priority is securing our customers’ data, and we implement rigorous contractual, technical and organizational measures to protect its confidentiality, integrity, and availability regardless of which AWS Region a customer has selected.
AWS complies with ISO 27018, a code of practice that focuses on protection of personal data in the cloud. It extends ISO information security standard 27001 to cover the regulatory requirements for the protection of personally identifiable information (PII) or personal data for the public cloud computing environment and specifies implementation guidance based on ISO 27002 controls that is applicable to PII processed by public cloud service providers. For more information, or to view the AWS ISO 27018 Certification, see the AWS ISO 27018 Compliance webpage.
Additionally, AWS publishes a SOC 2 Type I Privacy report, based on the SOC 2 Privacy Trust Principle developed by the American Institute of CPAs (AICPA), which establishes criteria for evaluating controls related to how personal data is collected, used, retained, disclosed and disposed of to meet the entity’s objectives. The AWS SOC 2 Privacy Type I report provides third-party attestation of our systems and the suitability of the design of our privacy controls, as stated in our Privacy Notice. The scope of the privacy report includes information about how we handle the content that you upload to AWS and how it is protected in all of the services and locations that are in scope for the latest AWS SOC reports. The SOC 2 Type I Privacy report can be downloaded through AWS Artifact in the AWS Management Console.
Many requirements under the GDPR focus on ensuring effective control and protection of personal data. AWS services give you the capability to implement your own security measures in the ways you need in order to enable your compliance with the GDPR, including specific measures such as:
More information on Amazon AWS data policy here – https://aws.amazon.com/compliance/gdpr-center/
You may also wish to read the Amazon Data Protection Agreement – https://aws.amazon.com/legal/online-data-processing-agreement/
SmartBear has implemented and will maintain commercially reasonable technical and organizational measures to protect Personal Data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access. Having regard to the state of the art and the cost of their implementation, SmartBear agrees that such measures shall ensure a level of security appropriate to the risks represented by the Processing and the nature of Personal Data to be protected. SmartBear may update the technical and organizational measures from time to time in light of technical development.
Technical and Organizational Measures:
SmartBear implements and maintains industry standard technical and organizational measures to protect the security of Personal Data that it processes in connection with its Services. Such measures include, as appropriate to the nature of the Personal Data processed, but are not limited to:
More information on SmartBear data processing here – https://smartbear.com/legal/data-processing-addendum/
You may also wish to read their Standard Contractual Clauses – https://docs.bugsnag.com/assets/pdf/bugsnag_inc_standard_contractual_clauses.pdf
With respect to all Personal Data it processes in its role as a Processor or sub-Processor, Cloudflare warrants that it shall:
Implement appropriate technical and organizational measures to ensure a level of security appropriate to the risks that are presented by the processing of Personal Data, in particular protection against accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Personal Data. Such measures include, without limitation, the security measures set out in Annex 2 (“Security Measures”). Customer acknowledges that the Security Measures are subject to technical progress and development and that Cloudflare may update or modify the Security Measures from time to time, provided that such updates and modifications do not degrade or diminish the overall security of the Service;
Cloudflare has implemented and shall maintain an information security program in accordance with ISO/IEC 27000 standards. Cloudflare’s security program shall include:
Measures of encryption of Personal Data
Cloudflare implements encryption to adequately protect Personal Data using:
Measures for ensuring ongoing confidentiality, integrity, availability and resilience of processing systems and services
Cloudflare enhances the security of processing systems and services in production environments by:
Cloudflare deploys high-availability systems across geographically-distributed data centers.
Cloudflare implements input control measures to protect and maintain the confidentiality of Personal Data including:
Measures for ensuring the ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident
Cloudflare implements measures to ensure that Personal Data is protected from accidental destruction or loss, including by maintaining:
Processes for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures in order to ensure the security of the processing
Cloudflare’s technical and organisational measures are regularly tested and evaluated by external third-party auditors as part of Cloudflare’s Security & Privacy Compliance Program. These may include annual ISO/IEC 27001 audits; AICPA SOC 2 Type II; PCI DSS Level 1; and other external audits. Measures are also regularly tested by internal audits, as well as annual and targeted risk assessments.
Measures for user identification and authorisation
Cloudflare implements effective measures for user authentication and privilege management by:
Measures for the protection of data during transmission
Cloudflare implements effective measures to protect Personal Data from being read, copied, altered or deleted by unauthorized parties during transmission, including by:
Measures for the protection of data during storage
Cloudflare implements effective measures to protect Personal Data during storage, controlling and limiting access to data processing systems, and by:
Cloudflare implements access controls to specific areas of data processing systems to ensure only authorized users are able to access the Personal Data within the scope and to the extent covered by their respective access permission (authorization) and that Personal Data cannot be read, copied or modified or removed without authorization. This shall be accomplished by various measures including:
Measures for ensuring physical security of locations at which Personal Data are processed
Cloudflare maintains and implements effective physical access control policies and measures in order to prevent unauthorized persons from gaining access to the data processing equipment (namely database and application servers, and related hardware) where the Personal Data are processed or used, including by:
Measures for ensuring events logging
Cloudflare has implemented a logging and monitoring program to log, monitor and track access to personal data, including by system administrators and to ensure data is processed in accordance with instructions received. This is accomplished by various measures, including:
Measures for ensuring system configuration, including default configuration
Cloudflare maintains configuration baselines for all systems supporting the production data processing environment, including third-party systems. Configuration baselines should align with industry best practices such as the Center for Internet Security (CIS) Level 1 benchmarks. Automated mechanisms must be used to enforce baseline configurations on production systems, and to prevent unauthorized changes. Changes to baselines are limited to a small number of authorized Cloudflare personnel, and must follow change control processes. Changes must be auditable, and checked regularly to detect deviations from baseline configurations.
Cloudflare configures baselines for the information system using the principle of least privilege. By default, access configurations are set to “deny-all,” and default passwords must be changed to meet Cloudflare’s policies prior to device installation on the Cloudflare network, or immediately after software or operating system installation. Systems are configured to synchronize system time clocks based on International Atomic Time or Coordinated Universal Time (UTC), and access to modify time data is restricted to authorized personnel.
Measures for internal IT and IT security governance and management
Cloudflare maintains internal policies on the acceptable use of IT systems and general information security. Cloudflare requires all employees to undertake general security and privacy awareness training at least every year. Cloudflare restricts and protects the processing of Personal Data, and has documented and implemented:
Cloudflare will keep documentation of technical and organizational measures in case of audits and for the conservation of evidence. Cloudflare shall take reasonable steps to ensure that persons employed by it, and other persons at the place of work concerned, are aware of and comply with the technical and organizational measures set forth in this Annex 2.
Measures for certification/assurance of processes and products
The implementation of Cloudflare’s ISMS and related security risk management processes have been externally certified to the industry-standard ISO/IEC 27001. The implementation of Cloudflare’s comprehensive PIMS has been externally certified to the industry-standard ISO/IEC 27701, as both a processor and controller of customer information.
Cloudflare maintains PCI DSS Level 1 compliance for which Cloudflare is audited annually by a third-party Qualified Security Assessor. Cloudflare has undertaken other certifications such as the AICPA SOC 2 Type II certification in accordance with the AICPA Trust Service Criteria, and details of these and other certifications that Cloudflare may undertake from time to time will be made available on Cloudflare’s website.
Fastly services by default do not process personal data other than IP addresses to route requests and deliver content.
Fastly will maintain administrative, physical, and technical safeguards for protection of the security, confidentiality and integrity of Personal Data as described in the Security Measures applicable to the specific Services purchased by data exporter, as updated from time to time, and accessible via https://docs.fastly.com/guides/security-measures/ or otherwise made reasonably available by Fastly.
Processes for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures in order to ensure the security of the processing
Fastly’s Security Measures are regularly tested and evaluated by third-party auditors, including as part of annual AICPA SOC 2 Type II and PCI DSS Level 1 audits. Fastly also conducts internal audits and risk assessments.
More information on Fastly data processing here – https://www.fastly.com/data-processing
Where Google acts as a data processor, Google commits to implementing and maintaining technical and organisational measures providing an appropriate level of security, as specified in Appendix 2 of the Google Ads Data Processing Terms, and to ensuring appropriate security compliance by its staff. The measures specified in the Google Ads Data Processing Terms include measures to encrypt personal data; to help ensure ongoing confidentiality, integrity, availability and resilience of Google’s systems and services; to help restore timely access to personal data following an incident; and for regular testing of effectiveness. Google further commits to notifying customers of any data incidents without undue delay and to promptly take steps to secure any affected data. Where Google acts as a data controller, Google contractually commits in the Google Ads Controller-Controller Data Protection Terms to comply with its GDPR obligations, which include its security obligations in Article 32 of the GDPR. In addition, when it acts as data importer, Google commits in the SCCs to implementing and maintaining technical and organisational security measures that are appropriate to the risks presented by the processing.
Google has a robust set of policies and technical and organisational controls in place to ensure the separation between pseudonymous online identifiers and personally identifiable user data (i.e. information that could be used on its own to directly identify, contact, or precisely locate an individual), such as a user’s Google account data. Technical protection measures for keeping pseudonymous online identifiers separate from identifiable user data include the encryption of identifiers with rotating keys.
More information on Google Maps data processing here – https://cloud.google.com/terms/data-processing-terms
and their safeguards for international data transfers here – https://services.google.com/fh/files/misc/safeguards_for_international_data_transfers.pdf
Mode will implement and maintain the Security Measures set out in this Schedule 2. Mode reserves the right to revise the security measures set out in this Schedule 2 at any time, without notice, so long as such revisions do not materially reduce the protection provided for Personal Data that Mode processes in the course of providing the Mode Services.
1) Organizational management and staff responsible for the development, implementation and maintenance of Mode’s information security controls. Executive leadership is involved in reviewing and approving all security policies.
2) Audit and risk assessment procedures for the purposes of periodic review and assessment of security risks to Mode’s organization, monitoring compliance with Mode’s policies and procedures, and reporting the condition of its information security and compliance to internal senior management.
3) Data security controls that include logical segregation of data, restricted (e.g. role-based) access and monitoring, and utilization of commercially available and industry standard encryption technologies for Personal Data.
a) Encryption in Transit: Customer content is encrypted in transit using Transport Layer Security. TLS is active on all accounts by default and cannot be disabled by end users.
b) Encryption at Rest: Confidential customer data is encrypted at rest with the Advanced Encryption Standard (AES). Backups are encrypted at rest.
4) Logical access controls designed to manage electronic access to data and system functionality based on authority levels and job functions. Access accounts are provisioned for engineers on their hire date and deprovisioned on their departure date by a member of the senior engineering staff.
5) User IDs and password configuration requirements have been established that are designed to prevent unauthorized access to production systems. Mode has defined the following password requirements: (i) password length must have a minimum of 10 characters; (ii) password must contain both upper and lowercase characters; (iii) password must contain a number (0-9) and/or a special character; (iv) password must be different from user’s previous 10 passwords; and (v) password must be changed annually.
6) With respect to physical and environmental security, Mode’s production resources are hosted in Amazon Web Services. Physical and environmental security is handled entirely by Amazon and their vendors. Amazon has provided a list of compliance and regulatory security assurances, including SOC 1, SOC 2 and SOC 3 reports and ISO 27001 certification.
7) Operational procedures and controls to provide for application deployment and change management, capacity management, and separation of development, testing and production.
8) Incidents are handled in accordance with Mode’s Incident Response Plan following the lifecycle of an incident: Discovery, Acknowledgement, Verification, Scope, Resolution and finally Response. The Privacy Officer(s) and Director of Engineering are responsible for managing the response process in accordance with the IRP, completing an after-action review and coordinating any outbound communication that may be necessary following an incident.
9) Network security controls designed and implemented so that internet connections are required to use transport encryption. Default deny has been established for each application/service group/layer. Service to service connections must be explicitly allowed.
10) Vulnerability assessment and threat protection technologies and scheduled monitoring procedures designed to identify, assess, mitigate and protect against identified security threats, viruses and other malicious code.
11) Business resiliency/continuity and disaster recovery procedures designed to maintain service and/or recovery from foreseeable emergency situations or disasters.
More information on Mode data processing here – https://mode.com/help/legal/eu-scc/
Splunk employs technical and organizational measures to protect customer data and has certified its Splunk Cloud service to industry-leading security standards, such as SOC 2 Type II and ISO 27001. Splunk also offers heightened security standards for those customers who require Splunk Cloud’s HIPAA (Health Insurance Portability and Accountability Act) or PCI (Payment Card Industry) environments. For more on this topic, see Splunk’s compliance certifications, standards and regulations.
The specific technical and organizational measures are listed below:
At ESM Branding we do our very best to keep this page and all the Technical and Organizational Measures herein up to date.
Third parties do amend their TOMs from time to time so for latest measures please be sure to speak with your Account Director.
© Copyright ESM Branding Ltd 2017