Security at Commerce Layer
Security is one of the biggest considerations in everything we do. To achieve it at every level, we make use of best-in-class tools and follow a set of established security design principles:
- Least privileges
In accordance with the least privilege principle, access is granted only to the people and systems with a legitimate business need, and only to the extent that need requires.
- KISS
In this context, the KISS acronym (Keep It Simple, Stupid) can be given a slightly different meaning: "Keep Information Security Simple". By keeping the software design and implementation details simple, we reduce the attack surface and the number of places where a vulnerability can hide.
- Separation of duties
Separation of duties helps prevent unauthorized access to sensitive information, data breaches, and other security incidents. It does this by ensuring that no single individual has complete control over a process or system.
- Open design
Instead of relying on security through obscurity, where the secrecy of the software's design is what is supposed to protect it, we believe that the design should be open for review, and that the security of the system should rest on the design itself rather than on the secrecy of its implementation.
Commerce Layer is certified as a PCI DSS Level 1 Service Provider. Our customers can rely on this certification to reduce the scope and effort of their own PCI DSS compliance process.
Additionally, we are currently undergoing SOC 2 and ISO 27001 compliance audits.
Commerce Layer uses OAuth 2.0, the industry-standard protocol, to handle client authorization. Every API request must be authenticated. Access tokens are obtained by running an authorization flow with a valid application as the client; which flow applies depends on the application's grant type. Access tokens expire after 2 hours, and refresh tokens after 2 weeks.
Commerce Layer supports granular, resource-level access control. Each access token carries a specific set of permissions: the client application and the authorization flow used to obtain the token determine which actions are allowed on each resource.
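The two paragraphs above describe token lifetimes and per-token permissions but not how a client should behave around them. The following is an added example, not Commerce Layer's code: an OAuth 2.0 client that caches its access token, renews it through the refresh grant shortly before the 2-hour expiry, and falls back to the full authorization flow when the refresh token has been rejected (for instance after the 2-week lifetime has passed). The authorization server is a constructed in-memory stand-in so that the example runs offline; the scope string, the credentials, the 5-minute renewal margin and the use of the password grant as the initial flow are assumptions, and the real initial grant depends on the application type.

```python
"""Added example (not Commerce Layer's code): OAuth 2.0 token lifecycle
handling for the lifetimes stated on the page (access 2 h, refresh 2 weeks).
FakeAuthServer is a constructed stand-in for the token endpoint."""
import secrets

ACCESS_TTL = 2 * 60 * 60          # 2 hours, per the page
REFRESH_TTL = 14 * 24 * 60 * 60   # 2 weeks, per the page
REFRESH_MARGIN = 5 * 60           # assumption: renew 5 minutes before expiry


class Clock:
    """Controllable time source so the simulation does not have to sleep."""
    def __init__(self, now): self.now = now
    def __call__(self): return self.now
    def advance(self, seconds): self.now += seconds


class FakeAuthServer:
    """Constructed token endpoint: issues access/refresh pairs, rotates the
    refresh token on every use, and refuses anything past its lifetime."""
    def __init__(self, clock):
        self.clock = clock
        self.access = {}    # access_token -> (expires_at, scope)
        self.refresh = {}   # refresh_token -> (expires_at, scope)

    def _issue(self, scope):
        now = self.clock()
        a, r = secrets.token_urlsafe(32), secrets.token_urlsafe(32)
        self.access[a] = (now + ACCESS_TTL, scope)
        self.refresh[r] = (now + REFRESH_TTL, scope)
        return {"access_token": a, "token_type": "Bearer",
                "expires_in": ACCESS_TTL, "refresh_token": r, "scope": scope}

    def token(self, grant_type, **params):
        if grant_type == "refresh_token":
            # pop(): a refresh token is single use, so replay is rejected
            entry = self.refresh.pop(params.get("refresh_token"), None)
            if entry is None or entry[0] <= self.clock():
                return {"error": "invalid_grant"}
            return self._issue(entry[1])
        # Assumption: password grant with constructed credentials as the initial flow
        if grant_type == "password" and params.get("password") == "correct-horse":
            return self._issue(params["scope"])
        return {"error": "invalid_grant"}

    def resource(self, bearer):
        """Every API request must carry a live token: 200 if so, else 401."""
        entry = self.access.get(bearer)
        if entry is None or entry[0] <= self.clock():
            return 401
        return 200


class TokenClient:
    """Caches the access token, refreshes it shortly before expiry, and falls
    back to the full authorization flow when the refresh token is rejected."""
    def __init__(self, server, clock, scope):
        self.server, self.clock, self.scope = server, clock, scope
        self.access = self.refresh = None
        self.access_expires_at = 0
        self.stats = {"full_auth": 0, "refresh": 0}

    def _full_authorization(self):
        resp = self.server.token("password", username="shopper@example.com",
                                 password="correct-horse", scope=self.scope)
        self.stats["full_auth"] += 1
        self._store(resp)

    def _store(self, resp):
        self.access = resp["access_token"]
        self.refresh = resp.get("refresh_token")
        self.access_expires_at = self.clock() + resp["expires_in"]

    def get_token(self):
        if self.access and self.clock() < self.access_expires_at - REFRESH_MARGIN:
            return self.access                      # still comfortably valid
        if self.refresh:
            resp = self.server.token("refresh_token", refresh_token=self.refresh)
            if "error" not in resp:
                self.stats["refresh"] += 1
                self._store(resp)
                return self.access
            self.refresh = None   # expired, already rotated or revoked: start over
        self._full_authorization()
        return self.access


def simulate():
    """Walk the client through reuse, refresh and refresh-token expiry."""
    clock = Clock(1_700_000_000)
    server = FakeAuthServer(clock)
    client = TokenClient(server, clock, scope="market:id:example")  # scope is illustrative
    t1 = client.get_token()            # first call: full authorization flow
    clock.advance(60 * 60)
    t2 = client.get_token()            # 1 h later: cached token reused
    clock.advance(60 * 60)             # 2 h: inside the renewal margin
    t3 = client.get_token()            # refresh grant, new token pair issued
    clock.advance(REFRESH_TTL + 1)     # idle for over two weeks
    t4 = client.get_token()            # refresh rejected, full authorization again
    return {"reused": t1 == t2, "refreshed": t3 != t2,
            "stale_rejected": server.resource(t2), "live_accepted": server.resource(t4),
            **client.stats}
```

The points worth carrying into a real client are the ones the simulation exercises: renew before expiry rather than on the first 401, treat `invalid_grant` on refresh as a signal to re-run the initial flow instead of retrying, and never reuse a refresh token after it has been exchanged.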
In addition to ongoing automated malicious dependency scanning and static code analysis, our services undergo Penetration Testing at least once a year. We also perform quarterly external vulnerability scans.
Any detected vulnerability is triaged to determine whether it actually affects our security. If it does, it is immediately assigned to the appropriate team and addressed within a Service Level Agreement (SLA) set by its severity. All relevant vulnerabilities are addressed within 90 days of discovery.
Commerce Layer uses TLS 1.2 or higher for all data transmission over potentially insecure networks, and enforces HTTP Strict Transport Security (HSTS) so that clients do not fall back to plaintext HTTP. Our cloud infrastructure providers manage and deploy the server TLS keys and certificates at the origin, while our CDN provider manages them at the edge.
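A practitioner integrating with the API will want to verify the two transport properties above from the client side rather than take them on trust. The following is an added example, not Commerce Layer's code: a client TLS context that refuses anything below TLS 1.2, a parser that evaluates a `Strict-Transport-Security` header value, and a helper that connects to a host and reports both. The header samples used in the checks are constructed, and the one-year `max-age` floor and the expectation of `includeSubDomains` are assumptions taken from the HSTS preload list requirements rather than from the page.

```python
"""Added example (not Commerce Layer's code): client-side checks for a TLS 1.2
floor and a sound HSTS policy. Thresholds below are assumptions."""
import http.client
import ssl

MIN_HSTS_MAX_AGE = 31536000   # one year; assumption, mirrors preload-list rules


def strict_client_context():
    """TLS context that refuses TLS 1.0/1.1 and verifies the server certificate."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def min_tls_version_name():
    """Name of the lowest protocol version the strict context will negotiate."""
    return strict_client_context().minimum_version.name


def check_hsts(header):
    """Evaluate a Strict-Transport-Security value; an empty list means it is acceptable."""
    if header is None:
        return ["header missing: a client can still be sent to plain http://"]
    findings = []
    directives = {}
    for part in header.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, value = part.partition("=")
        directives[name.strip().lower()] = value.strip().strip('"')
    if "max-age" not in directives:
        findings.append("max-age missing: the header is invalid and ignored")
    else:
        try:
            max_age = int(directives["max-age"])
        except ValueError:
            findings.append("max-age is not an integer")
        else:
            if max_age == 0:
                findings.append("max-age=0 disables HSTS for this host")
            elif max_age < MIN_HSTS_MAX_AGE:
                findings.append(f"max-age {max_age} is below one year")
    if "includesubdomains" not in directives:
        findings.append("includeSubDomains absent: subdomains are not covered")
    return findings


def check_endpoint(host, port=443, timeout=5):
    """Connect with the strict context and return (negotiated TLS version, HSTS findings).
    This performs a network request and is not exercised by the offline checks."""
    conn = http.client.HTTPSConnection(host, port, timeout=timeout,
                                       context=strict_client_context())
    try:
        conn.request("HEAD", "/")
        resp = conn.getresponse()
        version = conn.sock.version()          # e.g. "TLSv1.3"
        return version, check_hsts(resp.getheader("Strict-Transport-Security"))
    finally:
        conn.close()
```

Running `check_endpoint` against a host that only offers TLS 1.0 or 1.1 raises `ssl.SSLError` from the handshake, which is the desired outcome for a client that must never negotiate a downgraded connection; a host that meets the page's claims returns a version of `TLSv1.2` or `TLSv1.3` and an empty findings list.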
All datastores, including databases, caches, storage buckets and filesystems, are encrypted at rest using industry-standard algorithms implemented by our cloud providers.
Encryption keys are managed using the providers' key management systems. Application secrets are encrypted and securely stored using the providers' secrets and parameters management tool. Access to these values is strictly limited.
Data retention and removal
All data is removed or anonymized as soon as possible after deletion or service cancellation. Users can also contact us to have their data removed.
System configuration and consistency are maintained using standard, up-to-date images and infrastructure-as-code tools. Rather than patching running systems in place, we deploy new systems from images that already include the latest configuration changes and security updates; once the new systems are in service, the existing ones are decommissioned and replaced.
Commerce Layer employees are granted access only to the applications they need for their role, and are automatically deprovisioned when their employment ends. Employee computers are secured with encrypted hard drives and firewalls, and access to central resources and third-party services is always encrypted and protected with two-factor authentication.
Commerce Layer employees do not have physical access to data centers, nor access to the underlying cloud infrastructure.
Commerce Layer's services are built using leading cloud infrastructure providers. These providers offer fully redundant and distributed systems that run across multiple regions and availability zones. This means that even if a single component fails, there will be no significant service disruptions. Regular maintenance is performed on components without affecting availability.
The providers' load balancers and Content Delivery Networks (CDNs) are capable of mitigating various types of Distributed Denial of Service (DDoS) attacks. Additionally, our backend systems can automatically scale to handle increased load.
In the event of a disaster, our services and processes are designed to enable recovery within a few hours, with minimal to no data loss.
Employee screening and policies
All of our employees undergo relevant background checks and security training. Additionally, they are required to sign confidentiality agreements.
Access to customer data is limited to a small group of employees based on the principle of least privilege, meaning they only have access if it is necessary for their work. Furthermore, all access is monitored through dedicated audit controls.
Secure development practices
Commerce Layer provides comprehensive security training to all employees during onboarding and annually. In addition, engineers are required to attend an annual training session specifically focused on secure coding principles and practices.
As part of our Secure Development Lifecycle, we conduct code peer reviews prior to deployment. Additionally, we make use of CI/CD tools to enable efficient and systematic development, testing, and deployment of our product. This approach ensures prompt and effective resolution of potential bugs and security issues, while minimizing the risk of human error.