Privacy policy

The Hotel Linen Co and Your Privacy

As an online store, we are committed to protecting your privacy to the best of our ability. Any personal information you provide to us will be used to provide you with the services you have agreed to, and we strive to ensure it is safe and secure with us.

It is important for you to know and understand that it is necessary for us to collect information from you in the following circumstances:

  • When you join our customer database
  • When you order a product(s) from us
  • When you return products
  • When you send us a customer enquiry
  • When we deliver you products

 

Your Personal Information

You can visit our website without disclosing any personal information to us. If you purchase from us or choose to provide your personal information to us, we will only use this information for purposes of communicating with you. At any point in time you can unsubscribe from our marketing database by emailing us at hello@thehotel-linenco.com.au.

The Hotel Linen Co will keep your personal information confidential and secure. All of your information is kept in a location that is protected by secure servers. If you wish to access the information we have on you at any time, please contact us via hello@thehotel-linenco.com.au. The Hotel Linen Co aims to ensure all of your personal information is accurate at all times. To assist us in doing this, we ask that you inform us of any changes via email, phone or by coming into our Kogarah store.

Personal information will not be disclosed without your consent; the only exception is where we are required by law to do so. The Hotel Linen Co will not accept responsibility for the use of any information that has been obtained through unauthorised access.

If you have any further queries regarding The Hotel Linen Co privacy policy, you can contact our team via email at hello@thehotel-linenco.com.au or by calling 1300 412 934.

 

Online Security

Our website runs on a Shopify Plus platform which has successfully completed the PCI external scan requirements and is “compliant with the remote vulnerability audit requirements of the Payment Card Industry Data Security Standard (PCI-DSS)” as determined by ScanAlert, the world’s largest PCI certification service.

Security Details of Shopify’s Platform are as follows:

 

Physical Security

Shopify uses a combination of colocation facilities and virtual hosting environments. In both cases, your data is stored in data centers with industry-standard security certifications.

Facilities

Shopify’s data processing and storage takes place in North America, in facilities operated by trusted third parties.

Shopify’s servers are co-located or hosted at data centers with the following certifications:

  • Tier III
  • ISO 27001
  • PCI DSS

Site Protection

Sites housing physical servers owned and operated by Shopify are protected by:

  • Perimeter security and multi-tier security zones with alarms
  • CCTV surveillance and 24/7 on-premises security staff
  • Multi-factor identification with biometrics
  • Private cages and physical locks

In order to prevent leaking residual data, hard drives do not leave data centres. Instead, they are destroyed securely on site when they reach the ends of their lives.

 

Technical Security

Shopify develops systems with security and privacy as guiding principles. Systems undergo thorough testing throughout their life cycles. Shopify complies with the SOC 2 standard for security and availability and has a SOC 2 Type 2 report available under NDA, as well as a publicly available SOC 3 report posted on www.shopify.com/security.

Architecture

Shopify is based on a multi-tenant architecture, optimised for performance and resiliency. Merchant data is segregated by application-level controls.

The application environment on each server (the application, its dependencies, and its configuration files) is replaced when changes are deployed, which eliminates vectors for malware persistence.


Application

Maintaining application security is critical to Shopify’s development process. Shopify’s developers are trained regularly on application security best practices, including OWASP Top Ten.

An automated service running on Shopify’s code base monitors application dependencies for vulnerabilities. If a security issue is discovered in a library that Shopify uses, its developers can respond quickly to mitigate any risk.


Input Validation

Customer input, such as form fields, is validated against a whitelist and decoded safely. Input validation and safe decoding protect against common attack vectors, including:

  • HTML injection
  • SQL injection
  • XSS


Encryption

Information in transit is encrypted using industry-standard cryptographic protocols:

  • SSH
  • IPSec
  • HTTPS-TLSv1.2

Many other commerce platforms use HTTPS only for checkout, but Shopify uses the HTTPS protocol for storefronts and admin pages by default as well.

Credit card information and other sensitive information in operational data stores is encrypted at rest. All user passwords are salted and hashed using the bcrypt hashing algorithm when stored.

Shopify’s security team works to implement current best practices as the cryptographic landscape evolves.

Data Disposal

A reasonable period of time after a store has closed, personal information is purged from storage automatically at the application level.

Vulnerability Scanning and Penetration Testing

Third-party vulnerability scans and penetration tests are performed regularly in order to identify and remedy potential security weaknesses. Reports can be provided on request.

Payment Card Processing

Shopify undergoes an annual PCI DSS on-site assessment by a qualified security assessor. An attestation of compliance with PCI DSS Level 1 can be provided on request.

Operational Security

Server and application performance are monitored continuously by Shopify’s production engineering team.

Configuration Management

Shopify’s configuration management tooling ensures servers have the current configuration applied.

Security patches are applied to systems hourly through an automated patching process. For systems outside of the automated process, Shopify monitors applicable vulnerability disclosure and security update sources, and patches as necessary.

Security Incident Response

Shopify’s security incident response plan is reviewed and tested regularly. All Shopify employees undergo security awareness training that covers appropriate communication and escalation processes.

DDoS Mitigation

Shopify uses a combination of techniques for DDoS mitigation.

For upstream protection, Shopify has an on-demand traffic scrubbing service that can be activated in the event of a large attack beyond the capacity of its network.

The last layer of DDoS mitigation is Provider Edge filtering, which ensures that traffic over ports commonly used for DDoS attacks is not routed into its infrastructure.