Introduction
This Information Security Policy outlines the principles and procedures that Optizio follows to protect its information assets and customer data, ensuring compliance with UK legal requirements, Shopify’s standards, and industry best practices.
Scope
This policy applies to all Optizio employees, contractors, and third parties who access company systems, data, or networks.
1. Purpose
- Protect the confidentiality, integrity, and availability of Optizio’s data and systems.
- Comply with legal and regulatory requirements, including GDPR and the Data Protection Act 2018.
- Maintain the trust of customers and Shopify merchants by safeguarding their data.
2. Roles and Responsibilities
- Management: Enforces the policy, allocates resources, and conducts regular reviews.
- Employees: Must understand and follow this policy, attend security training, and report security incidents.
- IT/Admin: Manages access controls, monitors systems, and responds to incidents.
- Third Parties: Required to comply with Optizio’s security requirements when handling company or customer data.
- Confidentiality: Prevent unauthorized access to sensitive information.
- Integrity: Ensure data is accurate and protected from unauthorized modification.
- Availability: Ensure systems and data are accessible to authorized users when needed.
4. Access Control
- Access to systems and data is granted based on job roles and the principle of least privilege.
- Use strong, unique passwords and a password manager.
- Multi-factor authentication (MFA) is required for all critical systems and admin access.
- Access rights are reviewed quarterly and revoked immediately upon employee departure.
5. Data Protection and Privacy
- Handle all personal data in accordance with GDPR and the Data Protection Act 2018.
- Only collect and store data necessary for app functionality and support.
- Encrypt sensitive data both at rest and in transit using industry-standard encryption (e.g., AES-256).
- Respond promptly to data deletion requests and privacy inquiries as required by Shopify and GDPR.
6. Password Policy
Optizio maintains a separate Password Policy document, which is based on the OWASP ASVS 4.0 Section V2.1 Password Security Requirements and is implemented to the fullest extent possible within the capabilities of third-party services.
7. Secure Development Practices
- Follow Shopify’s secure app development guidelines.
- Keep all code in source control and store secrets and configuration in environment variables rather than in the code base.
- Validate and sanitize user input.
- Regularly review and update dependencies.
- Never store or process credit card information; this is handled by Shopify.
- Conduct code reviews and security testing before releasing updates.
8. Software and System Maintenance
- Keep all software, frameworks, and systems up to date with the latest security patches.
- Use reputable antivirus and firewall solutions.
- Regularly back up critical data and store backups securely.
9. Incident Management
- All employees must report suspected security incidents immediately to management.
- The IT/Admin team investigates, contains, and resolves incidents, documenting actions taken.
- Serious incidents are reported to affected parties and regulatory authorities as required by law.
10. Training and Awareness
- All staff receive regular training on information security, data protection, and incident reporting.
- Security awareness is reinforced through periodic updates and simulated phishing exercises.
11. Compliance and Audit
- Regular internal audits are conducted to ensure compliance with this policy and legal requirements.
- Non-compliance may result in disciplinary action, up to and including termination.
12. Policy Review
- This policy is reviewed annually or following significant changes to business operations, legal requirements, or the threat landscape.
Contact
For questions or to report a security incident, contact:
support@optiz.io