- Details
- Written by: Paolo Tateo
- Category: Security documents
- Hits: 1015
Protection policy: classification
bindCommerce's data classification policy defines three levels of information (each with a corresponding level of protection):
- Public information (level 0)
- Reserved information (level 1)
- Personally Identifiable Information (level 2)
Protection policy: protection measures
bindCommerce protects data classified as level 0 and level 1 by applying the same security settings, because all data managed by bindCommerce is protected, even after it has been made public on eCommerce and Marketplace sites.
For data classified as level 2 (Personally Identifiable Information) additional measures are taken:
- Encryption at rest
- Encryption in transit
- Anonymization after use (when requested by data owner)
Kinds of data
bindCommerce considers these kinds of data:
- Products data
- Orders and customers data
Products data
Products data includes these types of information:
- Product descriptions (titles, extended descriptions, photographs, attribute values, etc.)
- Information relating to purchase costs and sales prices
- Information relating to stock availability
Product information is a company asset. Accurate product descriptions give a competitive advantage over the competition, and only the owner of this information can decide how to use it (e.g. publish it only on their eCommerce site or on marketplaces). Purchase costs, sales prices and quantities available in stock are also valuable information to be protected.
Product information is considered confidential (level 1) until the seller uses bindCommerce features to make it public (level 0), for example by publishing it on their eCommerce site or on Amazon.
Orders data
Orders data includes these types of information:
- Shipping information: name, surname, company, address, city, postcode, region, country, telephone number, e-mail
- Billing information: name, surname, company, VAT number, tax code, address, city, postcode, region, country, telephone number, e-mail, purchase order number
- Order information: order number, purchase date, total amount, payment method (note: bindCommerce does not collect information on the customer's credit cards or bank details, only the type of payment method used), order notes (which may contain the gift message), shipping amount, shipping date, shipping method, tracking number
- Order rows: SKU, other product identifier (ASIN, ISBN, EAN, UPC), product description, quantity, prices, VAT amount
Personally Identifiable Information (level 2) comprises the following fields: name (shipping and billing), surname (shipping and billing), company (shipping and billing), VAT number, tax code, address, telephone number, e-mail (shipping and billing), order notes (which may contain the gift message), purchase order number.
Anonymization
Personally Identifiable Information is anonymised within 30 days of the end of its use (the shipment date of the order).
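As an added illustration (not bindCommerce's own code), the field classification and the 30-day anonymisation rule above expressed as a check that can be run over an order record. The field names, the constructed sample order and the choice to anonymise exactly on the deadline are assumptions for this example.

```python
from datetime import date, timedelta
from typing import Optional

# Level-2 (PII) fields from the policy. Field names are an assumption for this
# example, not bindCommerce's real schema; shipping/billing prefixes are the two copies.
PII_FIELDS = frozenset(
    f"{side}_{f}"
    for side in ("shipping", "billing")
    for f in ("name", "surname", "company", "address", "telephone", "email")
) | frozenset({"vat_number", "tax_code", "order_notes", "purchase_order_number"})

RETENTION_DAYS = 30          # policy: anonymise within 30 days of shipment
REDACTED = "[anonymised]"

# Constructed sample order (not real customer data).
SAMPLE_ORDER = {
    "order_number": "ORD-1001", "sku": "SKU-42", "quantity": 2, "total_amount": 59.90,
    "payment_method": "paypal", "tracking_number": "TRK-777",
    "shipping_name": "Mario", "shipping_surname": "Rossi", "shipping_email": "m.rossi@example.com",
    "shipping_address": "Via Roma 1", "billing_name": "Mario", "vat_number": "IT00000000000",
    "order_notes": "gift for Anna", "shipping_date": date(2022, 3, 1),
}

def data_level(field: str) -> int:
    """Classification level of an order field: 2 for PII, otherwise 1 (reserved)."""
    return 2 if field in PII_FIELDS else 1

def anonymisation_deadline(shipped_on: Optional[date]) -> Optional[date]:
    """Latest date by which PII must be anonymised. None while unshipped: the data is
    still in use, so the 30-day clock has not started."""
    return None if shipped_on is None else shipped_on + timedelta(days=RETENTION_DAYS)

def anonymise_order(order: dict, today: date) -> dict:
    """Copy of ``order`` with every level-2 field replaced once the deadline is reached;
    level-1 fields (order number, SKU, amounts, tracking) are kept for bookkeeping."""
    deadline = anonymisation_deadline(order.get("shipping_date"))
    if deadline is None or today < deadline:
        return dict(order)
    return {k: (REDACTED if data_level(k) == 2 else v) for k, v in order.items()}

def anonymise_sample(today_iso: str) -> dict:
    """Apply the policy to SAMPLE_ORDER as of the given ISO date."""
    return anonymise_order(SAMPLE_ORDER, date.fromisoformat(today_iso))
```

Running the same record on 2022-03-20 returns it unchanged, while on 2022-03-31 (shipment plus 30 days) every level-2 field is redacted and the level-1 order data survives.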
- Written by: Paolo Tateo
- Category: Security documents
This document explains how bindCommerce has planned to handle any security incidents.
Analysis and documentation of the incident
bindCommerce maintains a Security Incidents Log. The log is kept in the space Direzione, folder “/Data Protection / Security Incidents Log”, within the project management system Clickup.
The following information is recorded for each entry:
- Date of discovery
- Name of the person who reported the incident
- Name of the security manager
- Details of the incident
- Personally Identifiable Information involved
- Companies / Marketplace from which the data originates
- Communications register
- Investigation of the causes
- Corrective actions
- Planning preventive actions to prevent it from happening again
- Folder for attachments (the folder in the corporate document management system where all evidence of the incident is saved)
Security manager
The security manager is the person who coordinates the analysis, writes or approves the documentation and takes decisions about the security incident.
The security manager must follow the company guidelines and propose new rules to improve the process.
Communication of the incident
In order to comply with European law (GDPR), we must report a notifiable breach to the “Garante per la protezione dei dati personali” (the Italian data protection authority) without undue delay, and no later than 72 hours after becoming aware of it (ref. https://www.garanteprivacy.it/web/guest/regolamentoue/databreach).
If the incident involves data from Amazon, the security manager will inform Amazon (via email to
Revision of this document
The company must review and verify the plan every six (6) months and after any major infrastructure or system change.
Last update of this document: 27/03/2022