Security & Compliance

These Compliance Terms were last updated on 11th of January 2023. Please check back for any changes.

Introduction

We provide products and/or services to an extensive array of users and use cases, from everyday small businesses to sophisticated government departments. All of our users receive the same care and attention when it comes to security and compliance across the board, whether they are a small business or a government department.

We strive to provide state-of-the-art encryption and protection of our users’ and their customers’ data. As per our policies, all user customer data is the responsibility of the user and not Online Shop Inc.; however, we do our best to ensure all of our users comply with data protection laws in the way they handle their customer data.

Service status

We have created an easy-to-use, publicly accessible monitoring solution that aims to provide complete transparency and real-time tracking of all our products and/or services; this includes maintenance, service interruptions and disruptions. You may access this service by clicking this link or typing https://status.onlineshop.com into your browser’s URL bar. You may also find the latest notices and updates via our social media channels.

We strive to provide the most up-to-date and relevant information, giving complete clarity and transparency on the operational status of our products and/or services. However, there may sometimes be false positives or errors, and we cannot guarantee total accuracy of the provided service.

Name registries

Online Shop Inc. has direct partnerships with ARIN, the American Registry for Internet Numbers, and ICANN, the Internet Corporation for Assigned Names and Numbers.

We recommend all of our users who wish to use custom domains to view the approved list of registrars and register their domain(s) via one of the approved registrars on the list. You can view the list by clicking here.

Online Shop Inc. cannot provide domain-level support such as updating contact information, dealing with registrars and other such issues. We provide guidance in setting up your custom domain name and may provide assistance via our helpdesk where necessary to ensure you are able to use your custom domain name on your shop.

Data centres

Online Shop’s physical infrastructure is hosted and managed within third party secure data centres by partner providers such as Amazon’s Web Services (AWS) and proprietary data centres based in the United Kingdom.

Our third party partners have been carefully selected to meet our extensive, rigid and set standards for security and compliance.

Our staff continually manage risk and undergo recurring assessments to ensure compliance with industry standards. All data centre operations have been accredited under:

  • ISO 27001
  • SOC 1 and SOC 2/SSAE 16/ISAE 3402 (Previously SAS 70 Type II)
  • PCI Level 1
  • FISMA Moderate
  • Sarbanes-Oxley (SOX)

PCI

We use PCI compliant payment processors such as Stripe and PayPal for encrypting and processing credit card payments. Our infrastructure provider is PCI Level 1 compliant.

Physical security

Online Shop utilises ISO 27001 and FISMA certified data centres managed by our third party partners, as described in the “Data centres” section, and our own security staff.

Our partners and our staff have decades of experience in designing, constructing, and operating large-scale data centres. This experience has been applied to the products and services we offer. Our data centres, operated by our third party partners and ourselves, are housed in nondescript facilities, and critical facilities have extensive setback and military grade perimeter control berms as well as other natural boundary protection.

Physical access is strictly controlled both at the perimeter and at building ingress points by professional security staff utilising video surveillance, state of the art intrusion detection systems, and other electronic means. Authorised staff must pass two-factor authentication no fewer than three times to access data centre floors.

All visitors and contractors are required to present identification and are signed in and continually escorted by authorised staff.

Our third party partners only provide data centre access and information to employees who have a legitimate business need for such privileges. When an employee no longer has a business need for these privileges, his or her access is immediately revoked, even if they continue to be an employee of our partner(s) or ourselves. All physical and electronic access to data centres is logged and audited routinely, both of those provided by our third party partners and in our headquarters.

Fire detection and suppression

Automatic fire detection and suppression equipment has been installed to reduce risk. The fire detection system utilises smoke detection sensors in all data centre environments, mechanical and electrical infrastructure spaces, chiller rooms and generator equipment rooms. These areas are protected by either wet-pipe, double-interlocked pre-action, or gaseous sprinkler systems.

Power

The data centre electrical power systems are designed to be fully redundant and maintainable without impact to operations, 24 hours a day, seven days a week. Uninterruptible Power Supply (UPS) units provide back-up power in the event of an electrical failure for critical and essential loads in the facility. Data centres use generators to provide backup power for the entire facility.

Climate and temperature control

Climate control is required to maintain a constant operating temperature for servers and other hardware, which prevents overheating and reduces the possibility of service outages. Data centres are conditioned to maintain atmospheric conditions at optimal levels. Monitoring systems and data centre personnel ensure temperature and humidity are at the appropriate levels.

Management

Data centre staff monitor electrical, mechanical and life support systems and equipment so issues are immediately identified. Preventative maintenance is performed to maintain the continued operability of all necessary equipment.

Firewalls

Firewalls are utilised to restrict access to systems from external networks and between systems internally. By default all access is denied and only explicitly allowed ports and protocols are allowed based on business need. Each system is assigned to a firewall security group based on the system’s function. Security groups restrict access to only the ports and protocols required for a system’s specific function to mitigate risk.

Host-based firewalls restrict customer applications from establishing localhost connections over the loop-back network interface to further isolate customer applications. Host-based firewalls also provide the ability to further limit inbound and outbound connections as needed.

DDoS mitigation

Our infrastructure provides DDoS mitigation techniques including TCP SYN cookies and connection rate limiting, in addition to maintaining multiple backbone connections and internal bandwidth capacity that exceeds the Internet carrier supplied bandwidth. We use various shielding technologies to protect and secure every part of our network, which enables us and our partners to respond quickly to events and enable advanced DDoS mitigation controls when needed.

Spoofing and sniffing protections

Managed firewalls prevent IP, MAC, and ARP spoofing on the network and between virtual hosts. Packet sniffing is prevented by the infrastructure, including the hypervisor, which will not deliver traffic to an interface to which it is not addressed. Online Shop utilises application isolation, operating system restrictions, and encrypted connections to further ensure risk is mitigated at all levels.

Port scanning

Port scanning is prohibited and every reported instance is investigated by our infrastructure partners. When port scans are detected, they are stopped and access is blocked.
