Security

Security Policy

Last updated: 21 August 2025

At Evanvias, safeguarding your data and checkout experience is a top priority. This Security Policy explains how we protect our storefront, payments, and customer information—and how you can help keep your account secure.

1. Scope

This policy covers security practices for our online store, checkout, and supporting systems operated on the Shopify platform. For information about how we collect and use personal data, see our Privacy Policy.

2. Platform & Infrastructure Security

  • Hosted on Shopify: Our store runs on Shopify’s secure infrastructure with built-in network hardening and DDoS protections.
  • HTTPS Everywhere: All pages are served over TLS, and plain HTTP requests are redirected to HTTPS. Where the platform supports it, HTTP Strict Transport Security (HSTS) is enabled so that returning browsers connect only over encrypted connections.
  • Encryption at Rest: Customer data stored on the Shopify platform is encrypted at rest and protected by industry-standard controls.
  • Uptime & Resilience: Shopify maintains resilient infrastructure and backups to support availability and disaster recovery.

Shopify is a PCI DSS Level 1 validated service provider. See Section 3 for cardholder data controls.

3. Payment & Card Data Security

  • PCI Compliance: Payments processed through Shopify’s checkout meet PCI DSS requirements. Evanvias does not receive or store full card numbers (PANs) or CVV codes.
  • Tokenization: Card data is sent directly to the payment processor over encrypted connections; we receive only non-sensitive tokens.
  • Secure Checkout: Checkout pages are hosted by Shopify and protected by TLS, anti-fraud checks, and rate limiting.
  • Alternative Payments: Supported digital wallets (where available) add a layer of device-level authentication, such as a biometric or device passcode, before a payment is authorized.

4. Data Protection & Access Control

  • Least-Privilege Access: Staff accounts are provisioned with only the permissions required for their role.
  • Multi-Factor Authentication: We require two-factor authentication (2FA) for administrative access where supported.
  • Audit & Logging: Administrative actions and app activities are reviewed periodically.
  • Data Minimization: We collect and retain only what’s needed to fulfill orders, support customers, and comply with law.
  • Secure Transfers: Sensitive exports are limited and shared over encrypted channels where applicable.

5. Third-Party Apps & Integrations

  • Vetting: We install only trusted apps with clear business need and verified security posture.
  • Scoped Permissions: App permissions are limited to the minimum required.
  • Ongoing Review: We periodically audit installed apps and remove those no longer needed.

6. Fraud Prevention & Order Review

  • Risk Screening: Orders may be screened for fraud indicators such as address mismatch or unusual order velocity (many orders from one customer, card, or address in a short period).
  • Manual Verification: High-risk orders may require additional verification or be cancelled if fraud is suspected.
  • Account Abuse: We may restrict or disable accounts associated with abusive or fraudulent activity.

7. Security Incident Response

  • Detection & Triage: We investigate suspected incidents promptly and coordinate with Shopify support where needed.
  • Containment & Remediation: We limit impact, rotate credentials, remove malicious components, and patch vulnerabilities.
  • Notification: Where legally required, we will notify affected customers and regulators without undue delay.
  • Post-Incident Review: We conduct root-cause analysis and improve controls to prevent recurrence.

8. Your Role in Security

  • Use a strong, unique account password and keep your device and browser up to date.
  • Do not share one-time passwords or access codes with anyone.
  • Access our site only via https:// and avoid placing orders on public/shared devices.
  • Report unusual account activity or suspicious messages referencing your order immediately.

9. Report a Security Issue

If you believe you have discovered a vulnerability or security issue affecting our store, please email security@evanvias.com with a clear description and steps to reproduce. Please avoid accessing other customers’ data, running automated scans against checkout, or disrupting service.

Safe Harbor: We will not pursue legal action against good-faith reports that follow responsible disclosure practices. We do not currently operate a paid bug bounty program.

10. Changes to This Policy

We may update this Security Policy from time to time. Material changes will be posted on this page with an updated “Last updated” date. Changes apply prospectively from the date of posting.

11. Contact

Questions about this policy? Contact us at security@evanvias.com or via our Contact page.