Security
Designed for retail businesses interested in accelerating their growth through the use of advanced email marketing, CM Commerce helps companies by giving them the ability to easily create professional, automated email campaigns that streamline engagement throughout the customer lifecycle, increase conversions and build trustworthy brands.
With CM Commerce’s deep integrations with Shopify, WooCommerce, BigCommerce and PrestaShop, small business owners can easily connect their storefronts to the platform and begin using features such as abandoned cart emails, post-purchase surveys and product reviews without the traditional complexity, and with the confidence that security and privacy are maintained at all times.
Operational security
Our adaptive, forward-looking measures are our promise to you.
Dedicated security team
We have a dedicated information security team, responsible for securing the application, identifying vulnerabilities and responding to security events.
Data storage and processing locations
We store and process data in a cloud environment based in the European Union (EU) which meets critical standards that fulfill requirements of a variety of compliance mandates, including SOC 2 Type II and ISO27001.
We also use Amazon Web Services (AWS), including the CloudFront Content Delivery Network (CDN) for faster content caching. More on Amazon’s CloudFront can be found here: https://aws.amazon.com/cloudfront/features/
Security policies
We have a security policy in place aligned with the ISO 27001 standard. Our security documentation is frequently reviewed and updated to reflect changes to our processes made in response to newly identified threats, as well as our commitment to continuous improvement.
We use the NIST Cyber Security Framework to measure our ability to identify, protect, detect, respond and recover from security events.
Awareness and training
All staff and contractors go through a vetting process where they are subject to background checks and confidentiality agreements.
All employees receive security awareness training at onboarding and on a yearly basis. Additional training is also provided as needed in response to existing threats and/or new legislation.
Physical security
We implement physical controls designed to prevent unauthorized access to, or disclosure of, customer data.
Data center controls
Hosted on Heroku, we leverage the state-of-the-art cloud services offered by AWS, where 24×7 monitoring of all aspects of operational security and performance is in place. The data centers are also equipped with multi-stage security: a proximity card access control system at ingress and egress doors, stringent access protocols and procedures, archived color CCTV monitoring and biometric controls at ingress.
Access is limited to authorized data center personnel; no one can enter the production area without prior clearance, appropriate escort and business justification. Every data center employee undergoes background security checks.
More on AWS physical controls can be reviewed here.
Data center compliance
Our cloud provider has the following certifications: ISO 27001, SOC 1 / 2 / 3, IRAP, ISO 27018 and ISO 9001.
More about the AWS compliance program can be found here.
Application security
Our application has been designed with focus on security by leveraging OWASP-aligned security principles for software engineering, encryption technologies and security assurance. We evaluate our secure coding maturity using the OWASP SAMM model.
Security testing
Our infrastructure is subject to security benchmarking and monitoring so that we maintain or exceed industry security standards. We also use a combination of regular scheduled scans of our application, as well as bug bounty programs, to ensure that every area of our application has undergone rigorous security testing.
Our scheduled vulnerability assessment scans simulate a malicious user, while maintaining integrity and security of the application’s data and its availability. We also leverage the services of an external third party to perform a yearly penetration testing exercise against our platform to make sure we’ve got every angle covered.
Security controls
Our security program encompasses a number of advanced security controls, including a Web Application Firewall (WAF) and Runtime Application Self-Protection (RASP). Baseline configurations are monitored in real time, with systems configured both to alert on a number of key activities and behaviours and to perform automated tasks that prevent unauthorized access.
Secure code development
We follow a continuous integration methodology for software engineering. Our development methodology and approach addresses security needs by undertaking code reviews as part of the code release process. All releases are deployed to our staging environment for testing before being deployed to production.
We have separate environments and databases for different stages of the application development.
Data encryption and usage
To protect data, we encrypt information at rest, including our backups, using AES 256. We maintain encryption for data in transit over the public internet by supporting TLS 1.2 or better.
Our reputation is critical to our success and to our clients’ success, and therefore privacy is a cornerstone of our operations. The bottom line is that we’ll never use the information you entrust to us for purposes other than its intended use. See our full privacy notice for more details.
User access
We protect each customer’s data by storing it under a unique identifier, which is used to retrieve that data via the application or the API. Each request is authenticated and logged.
We put considerable effort into ensuring the integrity of sessions and authentication credentials. Password storage and verification are based on a one-way (hashing) method, meaning passwords are stored and validated using a strong salted hash rather than in a recoverable form.
The databases are further protected by access restrictions, and key information (including your password) is encrypted when stored. Data is either uploaded directly into the application using a web browser or uploaded via the API, which uses secure transfer protocols.
Logging and cookie management
We use cookies for user authentication, and session IDs to identify user connections. Those session IDs are carried in cookies that are sent only over HTTPS, are not accessible to JavaScript, and are protected against tampering.
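The cookie properties just described, shown as an added example rather than CM Commerce’s own code: an HMAC-signed session ID (the tamper-proofing) issued in a `Set-Cookie` header carrying the `Secure` and `HttpOnly` attributes (HTTPS-only, not visible to JavaScript), and the matching server-side check that rejects a modified or forged cookie. The signing key, cookie name, `SameSite=Lax`, and one-hour lifetime are assumptions chosen for the example; the page does not state them. The example uses only Python’s standard library (`http.cookies`, `hmac`).

```python
import base64
import hashlib
import hmac
import os
from http.cookies import CookieError, SimpleCookie

# Assumed values (not from the page).
COOKIE_NAME = "session"
SESSION_TTL_SECONDS = 3600


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _tag(secret_key: bytes, session_id: str) -> bytes:
    # HMAC over the session id: anyone without the key cannot produce a
    # valid tag for a session id they made up.
    return hmac.new(secret_key, session_id.encode("utf-8"), hashlib.sha256).digest()


def issue_session(secret_key: bytes) -> str:
    """Create a random session id and bind an HMAC tag to it: '<id>.<tag>'."""
    session_id = _b64url(os.urandom(32))
    return f"{session_id}.{_b64url(_tag(secret_key, session_id))}"


def verify_session(secret_key: bytes, token: str):
    """Return the session id if the tag matches, otherwise None."""
    session_id, sep, tag_b64 = token.partition(".")
    if not sep or not session_id or not tag_b64:
        return None
    try:
        presented = _b64url_decode(tag_b64)
        expected = _tag(secret_key, session_id)
    except ValueError:  # bad base64 or un-encodable id
        return None
    # Constant-time comparison so a forger learns nothing from timing.
    if not hmac.compare_digest(presented, expected):
        return None
    return session_id


def set_cookie_header(token: str) -> str:
    """Build the Set-Cookie value with the attributes the page describes."""
    cookie = SimpleCookie()
    cookie[COOKIE_NAME] = token
    morsel = cookie[COOKIE_NAME]
    morsel["secure"] = True       # browser sends it only over HTTPS
    morsel["httponly"] = True     # not readable through document.cookie
    morsel["samesite"] = "Lax"    # not attached to cross-site POSTs
    morsel["path"] = "/"
    morsel["max-age"] = SESSION_TTL_SECONDS
    return morsel.OutputString()


def session_from_cookie_header(secret_key: bytes, cookie_header: str):
    """Parse an incoming Cookie header and validate the session cookie."""
    jar = SimpleCookie()
    try:
        jar.load(cookie_header)
    except CookieError:
        return None
    if COOKIE_NAME not in jar:
        return None
    return verify_session(secret_key, jar[COOKIE_NAME].value)


if __name__ == "__main__":
    key = os.urandom(32)  # constructed demo key; keep the real one in a secret store
    token = issue_session(key)
    print("Set-Cookie:", set_cookie_header(token))
    print("valid cookie ->", session_from_cookie_header(key, f"theme=dark; {COOKIE_NAME}={token}"))
    print("tampered cookie ->", session_from_cookie_header(key, f"{COOKIE_NAME}=x{token}"))
```

The `Secure` and `HttpOnly` flags are enforced by the browser, so the server-side check is what defends against a client that simply edits the cookie value; the HMAC tag makes any change to the session id detectable without the server keeping per-session secrets.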
All key actions on the application are centrally logged, audited and monitored. For instance, whenever our staff access an account for maintenance or support functions, that activity is logged so we can refer to it later.