At Skirtellas, safeguarding your data and checkout experience is a top priority. This Security Policy explains how we protect our storefront, payments, and customer information, and how you can help keep your account secure.
1. Scope
This policy covers the security practices for our online store, checkout, and supporting systems operated on the Shopify platform. For how we collect, use, and retain personal data, please see our Privacy Policy.
2. Platform & Infrastructure Security
Hosted on Shopify: Our store runs on Shopify’s secure infrastructure, which includes managed hosting, network hardening, and DDoS protection.
Encryption in Transit: All pages are served over HTTPS using modern TLS. We enforce HSTS so that browsers connect to our store only over HTTPS.
Encryption at Rest: Customer platform data stored by Shopify is protected using industry-standard controls.
Backups & Availability: Shopify maintains resilient infrastructure and backups to support uptime and disaster recovery.
Shopify is a PCI DSS Level 1 validated service provider for card processing. See Section 3 for details on cardholder data.
3. Payment & Card Data Security
PCI Compliance: Payments processed via Shopify’s checkout meet PCI DSS requirements. We do not store full credit card numbers or CVV on our servers.
Tokenization: Card data is submitted directly to the payment processor over encrypted connections; our store only receives non-sensitive tokens.
Secure Checkout: Checkout pages are hosted by Shopify and protected by TLS, anti-fraud checks, and rate-limiting.
Alternative Payments: Supported wallets (where available) add device-level security and biometric protections.
4. Data Protection & Access Control
Least-Privilege Access: Staff accounts are provisioned with only the permissions needed for their role.
Multi-Factor Authentication: We require 2FA for administrative access where supported.
Audit & Logging: Administrative actions and app activities are reviewed periodically.
Data Minimization: We collect only the data required to fulfill orders, provide support, and meet legal obligations.
Secure Data Transfer: Exports of sensitive data are kept to a minimum and, where applicable, are shared only over encrypted channels.
5. Third-Party Apps & Integrations
Vetting: We install only trusted apps with a justified business need and verified security posture.
Scoped Permissions: App permissions are reviewed and limited to the minimum required.
Ongoing Review: We periodically audit installed apps and remove those no longer needed.
6. Fraud Prevention & Order Review
Anti-Fraud Signals: Orders may be screened for risk indicators (e.g., mismatched address, unusual velocity).
Manual Verification: High-risk orders may require additional verification or may be cancelled if signals indicate fraud.
Account Abuse: We may restrict or disable accounts associated with abusive or fraudulent activity.
7. Security Incident Response
Detection & Triage: We investigate suspected incidents promptly and work with Shopify support as needed.
Containment & Remediation: We act to limit impact, rotate credentials, remove malicious components, and patch vulnerabilities.
Notification: Where legally required, we will notify affected customers and regulators without undue delay.
Post-Incident Review: We perform root-cause analysis and improve controls to prevent recurrence.
8. Your Responsibilities
Use a strong, unique password for your store account, and keep your device's operating system and browser up to date.
Do not share one-time passwords or codes with anyone, including people claiming to be support staff.
Access our site only via https:// and avoid using public/shared devices to check out.
Contact us immediately if you notice unusual account activity or receive suspicious messages referencing your order.
9. Report a Security Issue
If you believe you have found a vulnerability or security issue affecting our store, please email security@skirtellas.com with a clear description and steps to reproduce. Please avoid accessing other customers’ data, running automated scans against checkout, or disrupting service.
Safe Harbor: We will not pursue legal action against good-faith reports that follow responsible disclosure practices. We do not currently operate a paid bug bounty program.
10. Changes to This Policy
We may update this Security Policy from time to time. Material changes will be posted on this page with an updated “Last updated” date. Changes apply to security practices prospectively from the date of posting.