Fluent Commerce Logo
Docs
Help & Feedback
Sign In

Security Policy

Essential knowledge

Author:

Fluent Commerce staff

Changed on:

20 June 2024

Overview

Description of the technical and organisational measures implemented by the Fluent Commerce (including any relevant certifications) to ensure an appropriate level of security, taking into account the nature, scope, context and purpose of the processing, and the risks for the rights and freedoms of natural persons.

Key points

  • Data Encryption: Both in-transit and at-rest data are secured using advanced encryption methods, including TLS 1.2+ for data in transit and AES-256 for data at rest.
  • System Resilience: Infrastructure across multiple AWS zones with auto-scaling and real-time monitoring ensures high availability and resilience.
  • Access Control: Access to data is strictly controlled through least privilege access principles, strong password policies, and Multi-Factor Authentication.
  • Incident Response: Fluent Commerce has measures in place for rapid data restoration and system recovery in the event of a physical or technical incident.
  • Measures of pseudonymisation and encryption of personal data
    Fluent Commerce encrypts data in-transit using TLS version 1.2 or greater. Data stored at-rest is encrypted with industry standard AES-256 encryption algorithm.
  • Measures for ensuring ongoing confidentiality, integrity, availability and resilience of processing systems and services
    Fluent Commerce use a variety of mechanisms and tools to achieve high availability and resilience, including:
    • our infrastructure spans multiple fault-tolerant AWS availability zones in each geographical region, which are physically separated from one another with load automatically balanced across healthy hosts;
    • real-time performance and security monitoring and alerting is in place through the use of tooling such as AWS Security Hub, AWS GuardDuty, ElasticSearch and AWS CloudWatch.
    • auto-scaling applications to dynamically meet client demand and regenerate hosts on demand;
    • utilising various services to monitor, scan and classify data, such as Amazon Macie. Data is secured through the use of access control lists and least privilege access principles; and
    • performing regular backups of Client Data, which is hosted on AWS’s data center infrastructure. Client Data that is backed up and retained redundantly across multiple availability zones and encrypted in transit and at rest using Advanced Encryption Standard (AES-256). Real-time read replicas are in place for production databases ready to be failed over to in case of an incident.
  • Measures for ensuring the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident
    See Item 2.
  • Processes for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures in order to ensure the security of the processing
    Fluent Commerce conducts a variety of regular internal and client-requested audits that can be inclusive of security operations. We also implement various tools and mechanisms to achieve automated security and vulnerability scanning, audit logging and alerting. Additionally, preventative and detective guardrails are in place through the use of AWS Config (detective) and Global Service-Control Policies (preventative), coupled with least-privilege access principles.
  • Measures for user identification and authorisation
    Fluent Commerce manages identity administration and system access via a centralised enterprise identity provider and a documented approval process. Personnel are granted access through roles based access controls based on job function and following least-privilege principles. Strong password policies, lifecycling and Multi-Factor Authentication are enforced through our central enterprise identity provider with identity audits being conducted regularly. Through the use of various preventative and detective guardrails Fluent Commerce also restricts common high risk and possibly malicious actions within our platform. Automated detection, prevention and alerting on anomalous or unauthorised activity is built into our platform and achieved through various security tools.
  • Measures for the protection of data during transmission
    See Item 1.
  • Measures for the protection of data during storage
    See Item 1.
  • Measures for ensuring physical security of locations at which personal data are processed
    The Fluent OMS is hosted, and data is stored, within data centres provided by Amazon Web Services (AWS). Fluent Commerce relies on the physical, environmental and infrastructure controls of AWS. Fluent Commerce periodically reviews certifications and third-party attestations provided by AWS relating to the effectiveness of its data centre controls.
  • Measures for ensuring events logging
    Centralised application and infrastructure security audit logs are maintained with log file integrity checks and restricted user access to authorised personnel. Audit logs are automatically analysed to detect anomalous activity.
  • Measures for ensuring system configuration, including default configuration
    Configuration is managed through source code (Git) following “everything-as-code” principles and a well-documented review/approval and release process. Automated Configuration checks exist within the platform and alert on deviation from security baselines. Guardrails exist to prevent anomalous and potential malicious activity in configuration.
  • Measures for internal IT and IT security governance and management
    Fluent Commerce has implemented the following measures in connection with IT information security governance:
    • key experts with a special focus on information security;
    • information security committee meets regularly to define evolving IT information security practices and monitor implementations; and
    • controls relating to IT information and asset security, including IT user definitions, identification and authorisation, and asset management.
  • Measures for certification/assurance of processes and products
    Fluent Commerce is working with AWS in relation to security assurance of Fluent OMS e.g. implementing the AWS well-architected framework. AWS has an extensive set of security controls and certifications relating to security used and relied on by Fluent Commerce. Fluent Commerce has implemented security processes at key stages in the SDLC, including structured quality control processes around change management to production OMS environment.
  • Measures for ensuring data minimisation
    Fluent Commerce supports the Client’s ability to minimise the personal data processed by Fluent Commerce in its capacity as data processor as follows: In context of the Fluent OMS, Fluent Commerce provides a well-defined set of data fields available as standard for capture of personal data with specific features that enable minimisation of data depending on use case, as well as a policy on what personal data is accepted for processing by the Fluent OMS when using custom attributes. The Client is responsible for 1) determining what personal data to upload to the OMS and related systems, 2) controlling the submission of that personal data, and 3) executing all subsequent actions in connection with that personal data. Fluent Commerce will not access or alter any of that personal data except under instruction from the Client provided in writing.
  • Measures for ensuring data quality
    Fluent Commerce supports the Client’s ability to ensure the quality of the personal data processed by Fluent Commerce as data processor in context of the Fluent OMS such as:
    • by providing well defined APIs with strict validation in place, including to keep personal data updated; and
    • through use of features in the OMS user console enabling personal data to be updated. Refer to Fluent OMS product documentation for more details.
  • Measures for ensuring limited data retention
    As standard, personal data processed by Fluent Commerce as a data processor is retained in the Fluent OMS, and ancillary systems if applicable (e.g. ticketing systems if applicable), only for the duration of the client agreement. The Fluent OMS is inherently flexible and can be customised by the Client to cater to their specific data retention requirements, using APIs and other features.
  • Measures for ensuring accountability
    Fluent Commerce has implemented the following measures in connection with privacy accountability:
    • COO is responsible for overarching framework;
    • business code of conduct and confidentiality terms for staff;
    • privacy committee meets regularly to assess privacy requirements for business and Fluent OMS, sub-processor decisions/reviews, monitor risks, address issues, identify improvements, prepare/review related policies; and
    • consultant DPO in EU.
  • Measures for allowing data portability and ensuring erasure
    In context of the Fluent OMS and in its capacity as data processor, Fluent Commerce supports the Client’s ability to make copies of and port personal data, and to erase personal data as follows:
    • by providing an extensive set of APIs that clients can use to enable data portability of personal data or data erasure/anonymisation. The APIs use well defined and standard data formats;
    • by the inherently flexible nature of the Fluent OMS which can be customised by the Client to cater to their specific data portability or erasure requirements, using the APIs and other features in accordance with the relevant guidance provided by Fluent Commerce;
    • by a data erasure support procedure designed to facilitate any Client requirements for end-to-end data erasure. When the client agreement expires or terminates and use by the client of the Fluent OMS comes to an end, all client’s personal data in OMS will be anonymised, aggregated and/or deleted in line with the main client agreement. Limited retention of personal data may occur in some cases such as back-ups, however if/when this occurs these are secured and placed beyond use.
  • For transfers to (sub-) processors, also describe the specific technical and organisational measures to be taken by the (sub-) processor to be able to provide assistance to the controller and, for transfers from a processor to a sub-processor, to the data exporter
    Fluent Commerce and the Sub-processor enter into an agreement in accordance with the DPA. Fluent will conduct reviews of the sub-processors’ security and organisational measures on a regular basis, including for example checking security certifications, and if instructed in writing by the Client, make use of any information sharing and audit rights it has under its agreement with sub-processors (including under any relevant SCCs entered into with the sub-processor).

Related content

Information Security Policy
Edited 11 days ago

The Information Security Policy is a cornerstone of Fluent Commerce's commitment to secure data and systems. It defines the safeguarding responsibilities of staff, contractors, and third parties. The policy covers a range of topics, including access control, account management, and incident response, with the goal of ensuring confidentiality, integrity, and availability of information.

Fluent Commerce staff

Fluent Commerce staff

Building Blocks
All Building Blocks
Packages & Modules
UI Components
Workflows
Settings
Interface Contracts
Rules
By Type
All Types
How-to Guides
Topics
Essential Knowledge
Releases
Sitemap
Use Cases
Glossary
Legal Resources
Platform Limits
Support Policy
Service Level Agreement (SLA) - Enterprise
Service Level Agreement (SLA) - Professional
Deprecation Policy
Extend Knowledge Content – Terms and Conditions
Information Security Policy
Data Privacy Addendum
System and Organization Controls (SOC) 3 Report

Copyright © 2024 Fluent Retail Pty Ltd (trading as Fluent Commerce). All rights reserved. No materials on this docs.fluentcommerce.com site may be used in any way and/or for any purpose without prior written authorisation from Fluent Commerce. Current customers and partners shall use these materials strictly in accordance with the terms and conditions of their written agreements with Fluent Commerce or its affiliates.

Fluent Logo