Data Usage & Compliance

Onward prioritizes data security and privacy, ensuring that your customers' information is handled responsibly and in compliance with industry standards. This page outlines how Onward uses, protects, and secures data to maintain trust and ensure regulatory compliance.

Use of Customer Data

Onward processes data solely to deliver and improve our services. The types of data we handle and their usage include:

  • Customer Order Data: Order-level details such as customer names, addresses, emails, and other information necessary to provide shipping protection and manage claims.
  • Email Communications: We send email communications to customers about insurance coverage and the status of their claims.

Data Security Measures

Onward implements security measures to protect data in transit, at rest, and during processing:

  • Encryption: All data is transmitted via end-to-end TLS to ensure it is secure in transit. Data at rest is encrypted in our databases to prevent unauthorized access.
  • Tenancy Model: Onward employs a shop-specific tenancy model to segregate customer data, ensuring that information is accessible only to authorized accounts.
  • Access Control:
    • Role-Based Access Control (RBAC) ensures that only authorized personnel can access sensitive data.
    • Multi-factor authentication (MFA) is required for accessing engineering tools, financial systems, and password management platforms.
  • Monitoring & Alerts: Tools like New Relic, Sentry, and GitHub vulnerability alerts provide real-time performance monitoring and error detection to identify potential security issues.

Regulatory Compliance

Onward is committed to adhering to global data protection regulations to safeguard your customers' rights:

  • GDPR: Fully compliant with the General Data Protection Regulation, ensuring privacy and protection for customers in the EU.
  • CCPA: Compliant with the California Consumer Privacy Act, granting customers in California control over their personal data.
  • Data Retention: Onward retains data only as long as necessary to provide services. Customers can request data removal at any time.
  • Breach Notification Policy: In the unlikely event of a data breach, Onward will notify affected merchants within 72 hours, detailing the nature and scope of the incident.

Operational Practices

  • Daily Backups & Disaster Recovery: Data backups are performed daily and retained for seven days to ensure availability and continuity in case of disruptions.
  • Employee Training: Employees undergo regular training on data security, privacy policies, and secure development practices to maintain awareness of the latest standards and threats.
  • Vendor Management: Onward carefully vets third-party providers (e.g., DigitalOcean, Cloudflare, Shopify) to ensure they meet strict security and compliance requirements.