Data Storage and Classification Policy

Last Updated: 6th Apr, 2023

Purpose:

The purpose of this policy is to ensure the confidentiality, integrity, and availability of data collected, stored, and processed by EasyStore Commerce Sdn Bhd. This policy will establish guidelines for data classification and storage to minimize the risk of unauthorized access, disclosure, alteration, or destruction of data.

Scope:

This policy applies to all data collected, stored, and processed by EasyStore Commerce Sdn Bhd, including but not limited to customer data, payment information, product information, and company descriptions.

Policy:
  1. Data Classification
    1. Public Data: Public data is any information that is freely available to the public or can be accessed without any restrictions. Examples of public data include product information, company descriptions, and customer reviews.
    2. Private Data: Private data is any information that is confidential and should only be accessed by authorized personnel. This includes customer contact information, payment information, and any other personally identifiable information (PII).
  2. Data Storage and Encryption
    1. All data collected, stored, or processed by EasyStore Commerce Sdn Bhd will be stored in a secure environment that is protected by firewalls and other security measures.
    2. Private data will be encrypted to ensure its confidentiality. We will use database encryption to secure our database, and access tokens and secrets will be encrypted before storing them in the database. All encrypted data will be protected by strong cryptographic algorithms and keys, and access to these keys will be restricted to authorized personnel only.
    3. All backups of data will be encrypted and stored securely.
    4. Data retention will be in accordance with applicable laws and regulations.
  3. Access Control
    1. Access to private data will be restricted to authorized personnel only.
    2. Access to private data will be granted on a need-to-know basis.
    3. Access to private data will be logged and monitored to detect any unauthorized access or attempted access.
    4. Any data breaches or attempted data breaches will be reported to the appropriate authorities and affected parties as required by applicable laws and regulations.
  4. Data Deletion
    1. Private data will be deleted upon request by the user or customer.
    2. Private data that is no longer needed will be deleted after one (1) year from the date of discontinuation of the user's or customer's account or use of the ecommerce SaaS platform.
    3. Any physical storage media that contains private data will be destroyed securely to prevent unauthorized access or disclosure.
  5. Storage of Data on Organizational Devices and Removable Media
    The security and confidentiality of data, including but not limited to Meta platform data, are of utmost importance to EasyStore Commerce Sdn Bhd. To safeguard this sensitive information, the following guidelines must be strictly adhered to:
    1. Organizational Devices: All data, regardless of its classification as public or private, must not be stored on any organizational devices, including laptops, phones, or any other company-owned equipment. Company-owned devices are designated for business purposes and should not be used to store any data.
    2. Removable Media: The use of removable media, such as USB devices and phones, for storing any data is strictly forbidden. Data stored on removable media can be easily misplaced, lost, or accessed by unauthorized individuals, which poses a significant security risk to the organization.
    3. Personal Devices: Data classified as private, collected, processed, or accessed through the platform must not be stored on personal devices, including but not limited to personal laptops and tablets. Personal devices are outside the organization's control and may lack the necessary security measures, making them susceptible to breaches and unauthorized access. To ensure the integrity and protection of data, it must be exclusively stored on authorized and secure cloud storage solutions or company-designated servers.
    Failure to comply with these storage guidelines may result in severe consequences, including disciplinary action up to and including termination of employment or contract. By strictly adhering to this policy, we collectively contribute to maintaining the confidentiality and security of data, safeguarding both the organization and our valued customers.

Enforcement:

This policy will be enforced by the Security Team. Violations of this policy may result in disciplinary action, up to and including termination of employment or contract.