Security Policy (v1.0)

1. Measures of pseudonymisation and encryption of personal data

Fluent Commerce encrypts data in-transit using TLS. Data stored at-rest is encrypted with industry standard AES-256 encryption algorithm.

2. Measures for ensuring ongoing confidentiality, integrity, availability and resilience of processing systems and services

Fluent Commerce use a variety of mechanisms and tools to achieve high availability and resilience, including:

• our infrastructure spans multiple fault-tolerant independent AWS availability zones in each geographical region, which are physically separated from one another with load automatically balanced across healthy hosts;
• real-time performance and security monitoring and alerting is in place through the use of tooling such as AWS Security Hub, AWS GuardDuty, ElasticSearch and AWS CloudWatch.
• auto-scaling applications to dynamically meet client demand and regenerate hosts on demand;
• utilising various services to monitor, scan and classify data, such as Amazon Macie. Data is secured through the use of access control lists and least privilege access principles; and
• performing regular backups of Client Data, which is hosted on AWS’s data center infrastructure. Client Data that is backed up and retained redundantly across multiple availability zones and encrypted in transit and at rest using Advanced Encryption Standard (AES-256). Real-time read replicas are in place for production databases ready to be failed over to in case of an incident.

3. Measures for ensuring the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident

See Item 2.

4. Processes for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures in order to ensure the security of the processing

Fluent Commerce conducts a variety of regular internal and client-requested audits that can be inclusive of security operations. We also implement various tools and mechanisms to achieve automated security and vulnerability scanning, audit logging and alerting. Additionally, preventative and detective guardrails are in place through the use of AWS Config (detective) and Global Service-Control Policies (preventative), coupled with least-privilege access principles.

5. Measures for user identification and authorisation

Fluent Commerce manages identity administration and system access via a centralised enterprise identity provider and a documented approval process. Personnel are granted access through roles based access controls based on job function and following least-privilege principles.  Strong password policies, lifecycling and Multi-Factor Authentication are enforced through our central enterprise identity provider with identity audits being conducted regularly.

Through the use of various preventative and detective guardrails Fluent Commerce also restricts common high risk and possibly malicious actions within our platform. Automated detection, prevention and alerting on anomalous or unauthorised activity is built into our platform and achieved through various security tools.

6. Measures for the protection of data during transmission

See Item 1. 

7. Measures for the protection of data during storage

See Item 1.

8. Measures for ensuring physical security of locations at which personal data are processed

The Fluent OMS is hosted, and data is stored, within data centres provided by Amazon Web Services (AWS). Fluent Commerce relies on the physical, environmental and infrastructure controls of AWS. Fluent Commerce periodically reviews certifications and third-party attestations provided by AWS relating to the effectiveness of its data centre controls.

9. Measures for ensuring events logging

Centralised application and infrastructure security audit logs are maintained with log file integrity checks and restricted user access to authorised personnel. Audit logs are automatically analysed to detect anomalous activity.

10. Measures for ensuring system configuration, including default configuration

Configuration is managed through source code (Git) following “everything-as-code” principles and a well-documented review/approval and release process. Automated Configuration checks exist within the platform and alert on deviation from security baselines. Guardrails exist to prevent anomalous and potential malicious activity in configuration.

11. Measures for internal IT and IT security governance and management

Fluent Commerce has implemented the following measures in connection with IT information security governance:

• key experts with a special focus on information security;
• information security committee meets regularly to define evolving IT information security practices and monitor implementations; and 
• controls relating to IT information and asset security, including IT user definitions, identification and authorisation, and asset management.

12. Measures for certification/assurance of processes and products

Fluent Commerce is working with AWS in relation to security assurance of Fluent OMS e.g. implementing the AWS well-architected framework. AWS has an extensive set of security controls and certifications relating to security used and relied on by Fluent Commerce.

Fluent Commerce has implemented security processes at key stages in the SDLC, including structured quality control processes around change management to production OMS environment.

13. Measures for ensuring data minimisation

Fluent Commerce supports the Client’s ability to minimise the personal data processed by Fluent Commerce in its capacity as data processor as follows:

In context of the Fluent OMS, Fluent Commerce provides a well-defined set of data fields available as standard for capture of personal data with specific features that enable minimisation of data depending on use case, as well as a policy on what personal data is accepted for processing by the Fluent OMS for use of custom attributes, as set out in the ‘Data’ section accessible here.

The Client is responsible for 1) determining what personal data to upload to the OMS and related systems, 2) controlling the submission of that personal data, and 3) executing all subsequent actions in connection with that personal data. Fluent Commerce will not access or alter any of that personal data except under instruction from the Client provided in writing.

14. Measures for ensuring data quality

Fluent Commerce supports the Client’s ability to ensure the quality of the personal data processed by Fluent Commerce as data processor in context of the Fluent OMS such as:

• by providing well defined APIs with strict validation in place, including to keep personal data updated; and
• through use of features in the OMS user console enabling personal data to be updated.

Refer to Fluent OMS product documentation for more details.

15. Measures for ensuring limited data retention

As standard, personal data processed by Fluent Commerce as a data processor is retained in the Fluent OMS, and ancillary systems if applicable (e.g. ticketing systems), only for the duration of the client agreement.

The Fluent OMS is inherently flexible and can be customised by the Client to cater to their specific data retention requirements, using APIs and other features.

16. Measures for ensuring accountability

Fluent Commerce has implemented the following measures in connection with privacy accountability:

• COO is responsible for overarching framework;
• business code of conduct and confidentiality terms for staff;
• privacy committee meets regularly to assess privacy requirements for business and Fluent OMS, sub-processor decisions/reviews, monitor risks, address issues, identify improvements, prepare/review related policies; and
• consultant DPO in EU.

17. Measures for allowing data portability and ensuring erasure

In context of the Fluent OMS and in its capacity as data processor, Fluent Commerce supports the Client’s ability to make copies of and port personal data, and to erase personal data as follows:

• by providing an extensive set of APIs that clients can use to enable data portability of personal data or data erasure/anonymisation. The APIs use well defined and standard data formats;
• by the inherently flexible nature of the Fluent OMS which can be customised by the Client to cater to their specific data portability or erasure requirements, using the APIs and other features in accordance with the relevant guidance provided by Fluent Commerce;
• by a data erasure support procedure designed to facilitate any Client requirements for end-to-end data erasure.

When the client agreement expires or terminates and use by the client of the Fluent OMS comes to an end, all client’s personal data in OMS will be anonymised, aggregated and/or deleted in line with the main client agreement. Limited retention of personal data may occur in some cases such as back-ups, however if/when this occurs these are secured and placed beyond use.

18. For transfers to (sub-) processors, also describe the specific technical and organisational measures to be taken by the (sub-) processor to be able to provide assistance to the controller and, for transfers from a processor to a sub-processor, to the data exporter

Fluent Commerce and the Sub-processor enter into an agreement in accordance with this DPA. Fluent will conduct reviews of the sub-processors’ security and organisational measures on a regular basis, including for example checking security certifications, and if instructed in writing by the Client, make use of any information sharing and audit rights it has under its agreement with sub-processors (including under any relevant SCCs entered into with the sub-processor).