Information Security Policy

FLUF Connect - Protecting Your Data Across All Marketplaces

1. Company Information

Company Name: FLUF.io

Service: FLUF Connect (Multi-marketplace crosslisting and inventory management platform)

Website: https://fluf.io

Contact Email: [email protected]

Data Protection Officer: [email protected]

2. Data Collection and Processing

2.1 Types of Data We Collect

  • Account Information: Username, email address, encrypted passwords, store names
  • Marketplace Credentials: API tokens and authentication credentials for connected marketplaces (Shopify, Depop, eBay, Etsy)
  • Product Data: Product listings, images, descriptions, prices, inventory levels, SKUs
  • Order Information: Order details, buyer information, transaction data, shipping information
  • Usage Analytics: Platform usage statistics, crosslisting activity, sync logs
  • Technical Data: IP addresses, browser information, device identifiers, session data

2.2 Data Processing Purposes

  • Multi-marketplace product crosslisting and inventory synchronisation
  • Order management and fulfilment coordination
  • Automated offer management and price optimisation
  • Platform analytics and performance monitoring
  • Customer support and technical assistance
  • Service improvement and feature development

Data Minimisation: We only collect and process data that is necessary for providing FLUF Connect services and improving user experience.

3. Technical Security Measures

3.1 Data Encryption

  • Data in Transit: All data transmissions use TLS 1.3 encryption
  • Data at Rest: Database encryption using AES-256
  • API Credentials: All marketplace API tokens are encrypted using OpenSSL with AES-128-CTR
  • Password Security: User passwords are hashed using WordPress's secure hashing functions

3.2 Infrastructure Security

  • Hosting: Hetzner dedicated server with enterprise-grade security
  • Database: MySQL with regular security updates and access controls
  • Caching: Redis object caching with secure authentication
  • CDN: Cloudflare for DDoS protection and secure content delivery
  • SSL Certificates: Extended validation SSL certificates for all domains

3.3 Access Controls

  • Authentication: Multi-factor authentication for administrative access
  • Authorisation: Role-based access control (RBAC) for different user levels
  • API Security: Rate limiting and authentication for all API endpoints
  • Session Management: Secure session handling with automatic expiration

4. Marketplace Integration Security

4.1 API Security

  • OAuth 2.0: Secure authentication with Shopify, eBay, and Etsy
  • API Rate Limiting: Compliance with marketplace rate limits to prevent service disruption
  • Token Management: Secure storage and automatic refresh of API tokens
  • Webhook Security: Verification of webhook signatures for authentic data

4.2 Data Synchronisation

  • Real-time Sync: Secure inventory and order synchronisation across platforms
  • Error Handling: Comprehensive error logging and recovery mechanisms
  • Data Validation: Input validation and sanitisation for all marketplace data
  • Audit Trails: Complete logging of all synchronisation activities

Marketplace Compliance: We maintain compliance with security requirements for all integrated marketplaces including Shopify, Depop, eBay, and Etsy.

5. Data Retention and Deletion

5.1 Retention Periods

  • Account Data: Retained for the duration of active service plus 2 years
  • Product Data: Retained while products are active plus 1 year for analytics
  • Order Data: Retained for 7 years for accounting and legal compliance
  • Sync Logs: Retained for 12 months for troubleshooting and analytics
  • Technical Logs: Retained for 90 days for security monitoring

5.2 Data Deletion

  • Account Deletion: Complete data removal within 30 days of account closure
  • Right to be Forgotten: Data deletion upon user request within 30 days
  • Automated Cleanup: Regular automated deletion of expired data
  • Secure Deletion: Multi-pass overwriting for sensitive data removal

6. Privacy and Compliance

6.1 Regulatory Compliance

  • GDPR: Full compliance with EU General Data Protection Regulation
  • CCPA: California Consumer Privacy Act compliance
  • UK GDPR: UK data protection law compliance
  • PCI DSS: Payment Card Industry Data Security Standard compliance

6.2 Data Subject Rights

  • Right to Access: Users can request copies of their personal data
  • Right to Rectification: Users can correct inaccurate personal data
  • Right to Erasure: Users can request deletion of their personal data
  • Right to Portability: Users can export their data in standard formats
  • Right to Object: Users can opt out of certain data processing activities

6.3 Third-Party Integrations

  • Marketplace APIs: Data sharing limited to necessary crosslisting functions
  • Payment Processors: Secure integration with Stripe for subscription management
  • Analytics Services: Anonymised data sharing for platform improvement
  • Support Tools: Minimal data sharing for customer support purposes

7. Incident Response and Monitoring

7.1 Security Monitoring

  • 24/7 Monitoring: Continuous monitoring of system security and performance
  • Intrusion Detection: Automated detection of suspicious activities
  • Log Analysis: Regular analysis of security logs and access patterns
  • Vulnerability Scanning: Regular security assessments and penetration testing

7.2 Incident Response

  • Response Team: Dedicated security incident response team
  • Response Time: Initial response within 4 hours of detection
  • User Notification: Affected users notified within 72 hours
  • Regulatory Reporting: Compliance with data breach notification requirements

7.3 Business Continuity

  • Backup Systems: Daily encrypted backups with 30-day retention
  • Disaster Recovery: Comprehensive disaster recovery plan with RTO < 4 hours
  • Failover Systems: Automatic failover for critical services
  • Data Recovery: Point-in-time recovery capabilities

8. Employee Security and Training

8.1 Access Management

  • Principle of Least Privilege: Employees have minimum necessary access
  • Regular Access Reviews: Quarterly review of employee access permissions
  • Secure Development: Security-focused development practices and code reviews
  • Background Checks: Security clearance for employees with data access

8.2 Training and Awareness

  • Security Training: Regular security awareness training for all staff
  • Privacy Training: Specific training on data protection and privacy laws
  • Incident Response Training: Regular drills and response training
  • Secure Coding: Security-focused development training and best practices

9. System Updates and Maintenance

9.1 Security Updates

  • Regular Updates: Monthly security patches and system updates
  • Critical Patches: Emergency patches applied within 48 hours
  • Dependency Management: Regular updates of third-party libraries and dependencies
  • Security Testing: Comprehensive testing before deployment

9.2 Maintenance Windows

  • Scheduled Maintenance: Monthly maintenance windows during off-peak hours
  • User Notification: 48-hour advance notice for planned maintenance
  • Rollback Procedures: Immediate rollback capability for failed updates
  • Performance Monitoring: Continuous monitoring during and after updates

10. Security Compliance Framework

10.1 Network Security and Segregation

Network Segregation: Yes, our organisation enforces network segregation through Hetzner dedicated server infrastructure. Our hosting environment implements:

  • Isolated Application Containers: Each application runs in isolated containers with restricted network access
  • Firewall Protection: Advanced firewall rules prevent unauthorised network access
  • DDoS Protection: Cloudflare integration provides comprehensive DDoS protection and threat monitoring
  • Network Monitoring: 24/7 network monitoring with real-time threat detection and prevention
  • VPN Access: Secure VPN access for administrative functions

10.2 Endpoint Security

Anti-virus Protection: Yes, our organisation implements comprehensive endpoint security:

  • Enterprise Anti-virus: All company endpoints have enterprise-grade anti-virus software installed and regularly updated
  • Real-time Scanning: Continuous real-time threat detection and removal
  • Centralised Management: Centrally managed security policies across all endpoints
  • Regular Updates: Automatic virus definition updates and security patches
  • Quarantine Procedures: Automatic isolation and remediation of detected threats

10.3 Security Baseline for Daily Operations

Security Baseline Implementation: Yes, our organisation implements a comprehensive security baseline including:

  • Screen Locking: Automatic screen locks after 10 minutes of inactivity on all devices
  • Password Complexity: Enforced password complexity requirements (minimum 12 characters, mixed case, numbers, special characters)
  • Multi-Factor Authentication: MFA required for all administrative access and sensitive systems
  • Clear Desk Policy: Implemented clear desk policy with secure storage of sensitive documents
  • Device Encryption: Full disk encryption on all company devices
  • Secure Boot: Secure boot enabled on all company hardware
  • USB Restrictions: Controlled USB device access and data loss prevention

10.4 Access Control Policy

Published Access Control Policy: Yes, our organisation maintains a published access control policy based on the principle of least privilege:

  • Role-Based Access Control (RBAC): Granular permissions based on job functions and responsibilities
  • Principle of Least Privilege: Users granted minimum access necessary for their role
  • Regular Access Reviews: Quarterly reviews of user permissions and access rights
  • Automated Provisioning: Automated user provisioning and de-provisioning processes
  • Segregation of Duties: Critical functions require multiple authorisations
  • Personal Data Access: Strict controls on personal data access with audit logging

10.5 Data Classification and Encryption Policy

Published Data Classification Policy: Yes, our organisation maintains comprehensive data classification and encryption policies:

  • Data Classification Levels: Public, Internal, Confidential, and Restricted classifications
  • Encryption in Transit: TLS 1.3 encryption for all data transmissions
  • Encryption at Rest: AES-256 encryption for all stored sensitive data
  • Key Management: Secure cryptographic key management and rotation
  • Data Handling Procedures: Specific procedures for each classification level
  • Regular Policy Updates: Annual review and update of classification policies

10.6 Incident Response Policy

Published Incident Response Policy: Yes, our organisation maintains a comprehensive incident response policy with:

  • Clear Roles and Responsibilities: Defined incident response team with specific roles
  • Incident Classification: Structured incident severity and classification system
  • Response Procedures: Step-by-step response procedures for different incident types
  • Communication Channels: Established internal and external communication protocols
  • Escalation Procedures: Clear escalation paths based on incident severity
  • Post-Incident Review: Mandatory post-incident analysis and improvement processes
  • Regulatory Compliance: Procedures ensure compliance with breach notification requirements

10.7 Vulnerability and Threat Management

Vulnerability Management Procedure: Yes, our organisation has established vulnerability and threat management procedures:

  • Regular Vulnerability Scanning: Automated weekly vulnerability scans of all systems
  • Penetration Testing: Annual third-party penetration testing and security assessments
  • Threat Intelligence: Integration with threat intelligence feeds for proactive threat detection
  • Patch Management: Systematic patch management with risk-based prioritisation
  • Security Monitoring: 24/7 security monitoring with SIEM integration
  • Risk Assessment: Regular risk assessments and security posture evaluations

10.8 Internal Personal Data Protection Policy

Internal Data Protection Policy: Yes, our organisation maintains an internal personal data protection policy that is regularly updated:

  • GDPR Compliance: Full compliance with EU General Data Protection Regulation
  • Regular Updates: Policy reviewed and updated quarterly or when regulations change
  • Staff Training: Mandatory annual data protection training for all employees
  • Data Processing Records: Comprehensive records of all personal data processing activities
  • Privacy by Design: Privacy considerations integrated into all system design and development
  • Data Subject Rights: Procedures for handling all data subject rights requests
  • Cross-Border Transfers: Specific procedures for international data transfers

Security Contact Information

For security-related inquiries, vulnerability reports, or incidents:

Email: [email protected]

Privacy Officer: [email protected]

General Support: [email protected]

Response Time: Security issues acknowledged within 24 hours

Last Updated: April 29, 2026

This policy is reviewed and updated regularly to ensure continued compliance and security.