Security

Security policy

Our organization maintains a published and actively enforced Information Security Policy as part of our commitment to safeguarding customer and platform data. This policy covers all aspects of our Order Management System, Multi-Channel Order Management, and Warehouse Management System (WMS) web application.

Key components of the program include:

  • Role-based access controls to restrict data visibility to authorized personnel only
  • Data encryption in transit (TLS 1.2+) and at rest
  • Regular vulnerability assessments and patch management
  • Audit logging and monitoring of all access and processing activities
  • Employee training and awareness programs focused on data handling and security practices
  • Incident response procedures to ensure timely action in the event of a data breach or system compromise

The policy is reviewed and updated annually or as needed to reflect changes in technology, compliance requirements, and business operations.

Network segregation and protection measures

Our organization enforces strict network segregation and implements multiple layers of network security measures to monitor, detect, and prevent threats across our Order Management and Warehouse Management platforms.

Key measures include:

  • Segmented network architecture, separating public-facing services, internal systems, and sensitive data environments
  • Firewall and intrusion detection/prevention systems (IDS/IPS) to monitor and filter incoming/outgoing traffic
  • Endpoint protection and anti-malware solutions across all connected devices
  • Real-time security monitoring and alerting through a centralized logging and SIEM (Security Information and Event Management) system
  • Access control lists (ACLs) and VPN enforcement for secure remote access
  • Regular penetration testing and vulnerability scanning to identify and mitigate potential risks

These practices are part of our broader information security program designed to ensure confidentiality, integrity, and availability of systems and data.

Our organization installs and maintains enterprise-grade anti-virus and endpoint protection software on all company-managed endpoints, including workstations, laptops, and devices used by operations and warehouse staff.

Key practices include:

  • Real-time threat detection and prevention
  • Automatic definition updates to ensure protection against the latest malware and ransomware
  • Centralized monitoring and management of all endpoints by the IT security team
  • Policy enforcement to prevent tampering or disabling of security software
  • Regular scans and incident logging for audit and response purposes

This is part of our broader endpoint security strategy to protect systems used in order processing, label generation, inventory management, and administrative operations.

Security baseline for daily operations

Our organization enforces a comprehensive security baseline to ensure the protection of systems, data, and daily operations. This baseline applies across all departments, including order processing, warehouse operations, and administrative functions. Key elements include:

  • Automatic screen locking on all workstations and mobile devices after a period of inactivity
  • Password complexity requirements, including minimum length, character variety, and periodic expiration
  • Multi-factor authentication (MFA) enforced for access to all critical systems and web applications
  • Clear-desk policy in shared workspaces and warehouse areas to reduce the risk of unauthorized access to sensitive information
  • Role-based access controls (RBAC) to restrict system and data access based on job responsibilities
  • Regular security awareness training for all staff, including best practices for data protection and phishing prevention

These controls form the foundation of our operational security and are regularly reviewed for effectiveness and compliance.

Access control policy

Our organization maintains a published Access Control Policy that governs how access to systems and data—especially personal data—is granted, monitored, and managed. The policy is strictly aligned with the principle of least privilege, ensuring that users only have access to the minimum data and system functions necessary for their role.

Key controls include:

  • Role-based access controls (RBAC) applied across all systems, including OMS, WMS, and multi-channel integrations
  • Access provisioning and de-provisioning procedures tied to HR processes (e.g., onboarding, role changes, offboarding)
  • Regular access reviews to validate user permissions and detect unnecessary or outdated access rights
  • Logging and monitoring of access to sensitive personal data for audit and compliance purposes
  • Restricted administrative privileges and separation of duties to reduce risk

This access control framework helps ensure data privacy, security, and compliance with relevant regulations.

Data classification policy

Our organization has a published Data Classification Policy that defines how data is categorized based on sensitivity and criticality (e.g., public, internal, confidential, restricted). This policy guides the handling, storage, and transmission of data across all systems, including order and warehouse management platforms.

In line with this policy, we implement strong encryption measures for sensitive data:

  • Data in transit is encrypted using TLS 1.2 or higher to secure communications between clients, servers, and third-party integrations.
  • Data at rest is encrypted using AES-256 or equivalent encryption standards in our databases and storage systems.
  • Access to encrypted data is tightly controlled and monitored through role-based permissions and key management best practices.

These measures ensure the confidentiality and integrity of customer data, order details, and personally identifiable information (PII) throughout its lifecycle.

Incident response policy

Our organization maintains a published Incident Response Policy that outlines clear procedures, roles, and communication channels for identifying, managing, and resolving security incidents.

Key elements of the policy include:

  • Defined incident categories and severity levels to guide appropriate response actions
  • Designated incident response team (IRT) with assigned roles and responsibilities, including IT, operations, compliance, and management personnel
  • Formalized incident reporting channels, enabling staff to report suspicious activity or breaches through secure and documented processes
  • Escalation and notification procedures, including timelines for internal and external communication
  • Post-incident review process to analyze root causes, assess impact, and implement corrective actions
  • Regular testing and updates to ensure the policy remains effective and aligns with evolving threats and regulatory requirements

This policy is critical to ensuring a coordinated, timely, and compliant response to any security incident affecting our systems and data.

Threat management

Our organization has a formal Vulnerability and Threat Management Procedure in place to proactively identify, assess, and mitigate security risks across all systems, including our OMS, WMS, and supporting infrastructure.

Key components of the procedure include:

  • Regular vulnerability scanning of all networked systems, applications, and cloud infrastructure
  • Patch management policies to ensure timely remediation of known vulnerabilities based on severity and vendor recommendations
  • Threat intelligence monitoring to stay informed about emerging risks and zero-day exploits
  • Risk assessment and prioritization framework to address vulnerabilities based on impact and likelihood
  • Penetration testing conducted periodically by internal teams and/or third-party security firms
  • Centralized tracking and remediation using ticketing systems and change management protocols
  • Documentation and reporting of all findings and remediation actions for audit and compliance purposes

This proactive approach helps ensure the continued security, availability, and resilience of our operational platforms.

Internal personal data protection policy

Our organization has an internal Personal Data Protection Policy that governs the collection, processing, storage, and sharing of personal data within our systems. This policy is designed to ensure compliance with applicable data protection regulations, such as GDPR, CCPA, and other relevant privacy laws.

Key aspects of the policy include:

  • Clear data handling guidelines for personal data throughout its lifecycle, including data minimization and purpose limitation principles
  • Access control mechanisms to restrict access to personal data based on the principle of least privilege
  • Regular data audits to ensure data accuracy, security, and compliance
  • Incident response procedures for breaches involving personal data, including reporting timelines and notification protocols
  • Employee training and awareness programs to ensure proper handling of personal data by all staff involved in order management, warehousing, and support functions

The policy is regularly reviewed and updated to reflect changes in regulations, industry best practices, and technological advancements. Updates are made annually or in response to significant changes in data protection laws.