Data Policy

Paladin Brand commits to mitigating risk to the confidentiality, integrity, and availability of sensitive customer data in any form. Controls required under applicable laws, regulations, or standards governing Personally Identifiable Information (“PII”) also apply. Each individual who creates, uses, processes, stores, transfers, administers, and/or destroys sensitive data within Paladin Brand is responsible and accountable for complying with these standards.

Data Creation

Data records within Paladin Brand are primarily created via secure data acquisition through our online marketplace / website (i.e. Shopify). These data records are occasionally created or edited by the Seller who owns & operates the online store on said marketplace / website. Virtually all records include PII and are used to fulfill product orders for online Buyers.

It is essential that all records are created and maintained appropriately throughout their entire life cycle. Personally Identifiable Information (PII) contained in Paladin Brand’s data records constitutes an area of critical concern because of the severe risk to Paladin Brand, its clients and connectivity partners should records be mishandled or information inappropriately accessed or disclosed. As a consequence, records containing sensitive information & PII should exist only in areas where there is a legitimate and justifiable business need.

Access Management

Paladin Brand uses a unique ID assigned to each individual with computer access to Sensitive Information. Under no circumstances do we create or use generic, shared, or default login credentials or user accounts. We have implemented baselining mechanisms to ensure that at all times only the required user accounts have access to Sensitive Information. We review the list of people and services with access to Sensitive Information on a monthly basis and remove accounts that no longer require access. We restrict employees from accessing or storing Sensitive data on personal devices. We maintain and enforce “account lockout” by detecting anomalous usage patterns and log-in attempts and disabling accounts with access to Sensitive Information as needed.

Data Governance

Paladin Brand keeps inventory of all software and physical assets with access to PII. This inventory is updated every 60 days. We keep records of all data processing activities, including but not limited to, specific data fields as well as how they are collected, processed, stored, used, shared, and disposed of as they apply to PII. This record is maintained for the purpose of establishing accountability and compliance with regulations. We follow our posted Privacy Policy as it applies to customer consent and data rights per all applicable data privacy regulations.

Network Protection

All Paladin Brand servers and systems employ VPC subnet/Security Groups as well as network firewall protection controls for the purpose of denying access to unauthorized IP addresses. Public access is restricted to approved users only.

Encryption and Storage

All PII is encrypted at rest using AES-256 industry standards. All cryptographic materials (encryption/decryption keys) and cryptographic capabilities used for encryption of PII at rest are only accessible to Paladin Brand system processes and services. We do not store PII in removable media (USB, flash drives, etc.) or unsecured public cloud applications (Google Drive, Dropbox, etc.). No documents containing PII are ever printed on paper.

Encryption in Transit

Paladin Brand encrypts all Sensitive Information in transit, when the data traverses a network, or is otherwise sent between hosts using HTTP over TLS (HTTPS). We enforce this security control on all applicable external endpoints used by customers as well as internal communication channels and in operational tooling. We don’t use communication channels which do not provide encryption in transit even if unused. In addition, Paladin Brand uses message-level encryption where channel encryption terminates in untrusted multi-tenant hardware.

Data Retention and Recovery

We retain PII only for the purpose of fulfilling product orders on behalf of our clients (online Sellers). This retention period is for no more than 60 days (“Hold Period”) from shipment and online confirmation of delivery to the Buyer (our client’s Customer). Paladin Brand is not required by law to retain archival copies of PII, therefore beyond the 60-day Hold Period, we do not maintain backup media of any kind for PII. In the event that PII is lost, erased or unavailable for processing due to system crash or ransomware during the 60-day Hold Period, Paladin Brand maintains a backup copy of all PII. This copy is encrypted and meets all security requirements noted in this policy. All security backups are purged with the original at the end of the 60-day Hold Period.

Least Privilege Principle

Paladin Brand employs fine-grained access control mechanisms when granting rights to any party using the Application, as well as the Application’s operators, following the principle of least privilege. Application sections or features that vend PII are protected under a unique access role, and access is only granted on a “need-to-know” basis.