Safeguarding Your Data

Protecting your data is our responsibility. While we prefer not to reveal too much information, as secrecy is a crucial aspect of security, the following technical and organizational measures should provide you with some assurance:

Scope of Service

Floynk delivers Product Information Management and Order Management services, offering clients a unified platform to manage all their product content and order fulfillment tasks.

Data centers

Floynk's physical infrastructure resides in DigitalOcean's secure data centers and is powered by DigitalOcean technology. These data centers hold certifications for various security standards, such as:

- ISO 27001
- AICPA SOC 2 Type II and SOC 3 Type II certified
- Cloud Security Alliance (CSA) STAR Level 1
- PCI Level 1

DigitalOcean enforces a high level of physical security to safeguard its data centers, with military-grade perimeter controls and security staff at all points of ingress. For environmental protection, DigitalOcean has sophisticated fire detection and suppression equipment, fully redundant power infrastructure with integrated UPS units, and high-end climate control systems to guarantee an optimal working environment for the hardware. For a more in-depth view, we refer you to the DigitalOcean Security page.

System Operations

We employ a multi-layered security strategy. Internally, each Node is built around a fortified Linux kernel, which enforces robust privilege and resource separation mechanisms at the OS level. All operating systems and software components are kept up to date.

At the next level, each Node resides within isolated virtual containers, ensuring total logical separation of Apps. Every App operates within its own distinct environment and cannot interact with other applications or system areas. Moreover, the container technology allows strict resource capping, significantly reducing the bad-neighbor effect of a shared environment. The setup is designed to isolate or enhance resources swiftly.

Penetration testing

Independent security researchers conduct third-party security testing at irregular intervals. We review the findings from each vulnerability assessment with the evaluators, rank the risks, and address them promptly.

Monitoring for Abuse

Both algorithms and human operators monitor user and system activity for signs of abuse.

Firewall Protection

Externally, we utilize network firewalling and fortified TCP/IP stacks to counter resource exhaustion attempts. The underlying infrastructure prevents sniffing and spoofing attacks.

By default, all outgoing traffic on all ports is blocked, except for standard ones (HTTP, HTTPS, DNS, etc.).

Web Interface

All communication with the Web interface is encrypted via TLS. Users are automatically logged out after a period of inactivity. Re-authentication is required for "high-risk actions." 2FA is available.

Internal Procedures

Employees receive training in safety aspects and best security practices, including identifying social engineering, phishing scams, and hacking attempts. All employees agree to privacy protection policies outlining their responsibility in safeguarding client data.

Regularly evaluated binding internal security policies are in place. We consistently check whether all responsibilities have been explicitly assigned and are practicable. Documented rules and contingency plans are established.

Employee computer systems are secured with encrypted file systems and password authentication.

Access Management

Every server access is granted individual, minimal rights and takes place over encrypted connections. SSH access is "jailed" with breakout prevention. Access is only granted via key-pair authentication and, when possible, through multi-factor authentication. All connections to the server are made through encrypted channels and protocols.

Encryption Techniques

All Personally Identifiable Information (PII) and sensitive access data are stored using "hashed + salted" methods. Asymmetric encryption and AES (Advanced Encryption Standard) encryption are implemented.

Data Retention

All PII will be removed after 30 days from creation. If the law requires retaining archival copies of PII for tax or similar regulatory purposes, requests should be made directly to the Marketplace itself.

Vendor Relationships

We thoroughly evaluate all subcontractors for their privacy and security suitability. Appropriate terms and conditions are established.

In summary, we take your data security seriously and implement a variety of technical and organizational measures to ensure your information is protected. Our multi-layered security strategy, together with secure data centers, encryption techniques, access control, and internal protocols, works to safeguard your data. We also maintain strong relationships with our subcontractors, ensuring they meet the necessary security and privacy requirements.