When you (hereinafter referred to as “you” or “merchant”) use SHOPLINE’s (hereinafter referred to as “we” or “SHOPLINE”) software-as-a-service platform (hereinafter referred to as the “Platform”), it is important to understand the shared responsibility model and which security tasks are handled by SHOPLINE and which tasks are handled by you.
Security and compliance are the shared responsibilities between SHOPLINE and the merchant. As shown in the shared responsibility chart below, SHOPLINE is responsible for the security of the Platform itself and the associated infrastructures (including software, networking, services and physical facilities) used to provide the Platform to merchants. At the same time, the merchant is responsible for how it configures the platform, the security of the data stored on the Platform and the security of the user accounts, devices and third-party software or applications used to access the Platform.
We elaborate on each of SHOPLINE and the merchant’s security responsibilities further below.
As mentioned above, SHOPLINE is responsible for the security of the Platform itself and the associated infrastructures (including software, networking, services and physical facilities) used to provide the Platform to merchants.
The merchant is responsible for how it configures the platform, the security of the data stored on the Platform and the security of the user accounts, devices and third-party software or applications used to access the Platform. We elaborate on this further below.
The merchant is solely responsible for managing the information and data stored within its account in accordance with all applicable laws and regulations and SHOPLINE’s Terms of Services. This includes taking steps to ensure that its password for accessing the Platform is kept safe from any inadvertent and unauthorised disclosure, and backing up data regularly.
As the merchant is responsible for deploying its online store (hereinafter referred to as the “Merchant Store”) on the Platform, it is also responsible for the security configuration and management tasks related to such deployment. The merchant is responsible for the management of the Merchant Store (including access control and log review), any third-party application software or utilities installed by the merchant on the Platform (hereinafter referred to as “Third-Party Plugins”) and the security configuration of such Third-Party Plugins.
The merchant is responsible for the management of abstracted services such as Mailchimp and SmartPush. SHOPLINE does not assume any responsibility for the merchant’s use of these abstracted services, and so it is critical for the merchant to understand how security responsibilities are shared between the merchant and abstracted service provider, as well as what merchant data is shared by the abstracted service provider with third parties. The merchant is solely responsible for managing the data (including end consumer data) that can be accessed by the abstracted service provider, classifying the assets that can be accessed by the abstracted service provider and applying the appropriate permissions for such data and assets. IT security controls. Just as the responsibility to operate the IT environment is shared between SHOPLINE and the merchant, the responsibility to implement the appropriate IT security controls is similarly shared between SHOPLINE and the merchant. SHOPLINE is responsible for implementing controls for the infrastructure (including software, networking, services and physical facilities) used to provide the Platform, but the merchant is responsible for implementing controls related to its use of the Platform, including the storage of data on the Platform. Below are examples of controls that are managed by Shopline, the merchant and/or both.
Inherited controls – controls which the merchant fully inherits from Shopline. Examples include:
Shared controls – controls that are managed by both SHOPLINE and the merchant. In a shared control, SHOPLINE isresponsible for implementing controls for the infrastructure (including software, networking, services and physical facilities) used to provide thePlatform, but the merchant is responsible for implementing controls related to its use of the Platform, including the storage of data on the Platform. Examples include:
Merchant controls – controls that are solely the responsibility of the merchant.
