Data Security Statement

At Prodigy Commerce, we understand that as an eCommerce merchant, you’re not just building an online store—you’re handling your customers’ sensitive data, including payment information, shipping addresses, and personal details. That’s why our platform is designed with security at the core, backed by industry standards like SOC 2 and PCI DSS.

Here’s how we keep your business—and your customers—safe.

1. Security is Baked Into Our Platform Culture
  • Our team operates under a formally documented Information Security Program, updated annually or when needed.
  • All team members—from engineers to customer support—undergo annual security and privacy training, including PCI DSS handling practices.
  • We perform ongoing risk assessments to ensure we’re always ahead of emerging threats across the eCommerce landscape.
2. Your Store’s Data Is Locked Down with Access Controls

Only those who absolutely need access—get access.

  • We implement Role-Based Access Control (RBAC) across our internal systems and your admin panels.
  • Multi-Factor Authentication (MFA) is required for accessing sensitive systems, such as order databases and billing engines.
  • We review and revoke access when merchants deactivate their stores or when an employee’s role changes.
3. Customer and Payment Data Are Fully Encrypted
  • All sensitive customer data (names, addresses, account info) is encrypted:
    • In transit: Using TLS 1.2+ on all endpoints including store checkouts and APIs
    • At rest: Using AES-256, including databases, backups, and cached files
  • We leverage secure Key Management Systems (KMS) for generating, rotating, and protecting encryption keys.
4. PCI DSS-Compliant Payment Handling
  • We do not store raw credit card numbers. Instead, we partner with PCI DSS Level 1 compliant payment processors.
  • Our application uses tokenization to securely store payment profiles.
  • We complete PCI DSS SAQ D-SP and undergo regular scans and internal audits.
5. Infrastructure Built to Resist Attacks
  • Our platform runs on AWS cloud infrastructure with:
    • Isolated virtual private clouds (VPCs)
    • Firewalls and web application firewalls (WAFs)
    • DDoS protection and traffic throttling
  • Services are deployed through CI/CD pipelines with automated security checks before code reaches production.
6. Secure Software Development Practices

Security isn’t something we tack on at the end. It’s part of how we build, test, and deploy our eCommerce platform from day one.

  • Secure Development Lifecycle (SDL): Security is embedded into every phase of development—from planning and coding to testing and deployment.
  • Developer Training: Our engineers are trained in secure coding best practices, including the OWASP Top 10 (common eCommerce vulnerabilities like XSS, injection, and CSRF).
  • Code Reviews: Every code change is peer-reviewed, with a focus on identifying security flaws early.
  • Automated Security Testing:
    • Static Application Security Testing (SAST) is run during builds to catch insecure code patterns.
    • Dynamic Application Security Testing (DAST) is run on staging environments to test how the platform behaves under attack.
  • Dependency Scanning: We use tools like Dependabot to monitor and patch vulnerabilities in third-party packages.
  • Segregation of Duties: Developers don’t have direct access to production systems. CI/CD pipelines manage secure deployment automatically.
  • Zero Downtime & Secure Releases: New features are rolled out behind feature flags and tested thoroughly in sandboxed environments before going live.

All of this ensures that our releases are stable, secure, and safe for your business.

7. 24/7 Monitoring and Incident Response
  • We monitor system logs, API activity, and administrative access in real-time using Security Information and Event Management (SIEM) tools.
  • Anomalies—like credential stuffing attempts or mass data exports—trigger alerts and automated defenses.
  • We have a tested Incident Response Plan (IRP) and are committed to notifying affected merchants within 72 hours in the event of a data breach.
8. Data Retention and Secure Deletion
  • Customer data, including Personally Identifiable Information (PII), is only retained as long as needed for your store’s operation or legal/compliance reasons.
  • When you delete a customer or close a store
    • Data is deleted from live systems and scheduled for secure removal from backups
    • We follow NIST 800-88 guidelines for data destruction
    • Deleted data is never used for analytics or resold
9. Regular Audits, Pen Tests & Compliance Checks
  • We undergo annual SOC 2 Type II internal audits to verify controls around security, availability, and confidentiality.
  • Third-party penetration tests are conducted at least annually and after major releases.
  • We conduct vulnerability scans monthly and patch critical issues immediately (usually within 24–72 hours).
10. Merchant and Customer Empowerment
  • Merchants have full visibility into who accesses their store data via admin audit logs.
  • Customers can request data exports or deletions, and we provide built-in tools to support GDPR and CCPA compliance.
  • Admins can set granular permissions across store staff to limit access to orders, reports, or PII.
11. Vendor & Third-Party Risk Management

We work with a small, trusted set of third-party vendors.

  • All vendors undergo security due diligence before integration.
  • Contracts include data protection agreements and require vendors to meet SOC 2 or PCI DSS standards.
  • We review vendor compliance annually and receive regular attestations of their security posture.
Contact Us

If you have questions about our data protection practices or need help with a customer data request, please reach out:

support@prodigycommerce.com
(800) 930-2902

We’re here to keep your store secure, so you can focus on growing your business.