We combine enterprise-class secure development and operations to build security into our software and underlying infrastructure.
We follow industry standards, such as the OWASP Top 10 and best practices for our technology stack, to build security into our platform during development and testing. In addition, ChannelAdvisor engages with third-party security experts to perform manual web application and network penetration testing on a regular basis. Only a limited number of essential ChannelAdvisor administrative personnel are permitted to access ChannelAdvisor systems and any sensitive data. ChannelAdvisor clients are prevented from accessing the data of other clients through a robust application security model, which is reapplied with every request and enforced for the duration of a user session.
Data Protection & Privacy
Customer data is logically segmented from other customer data in our platform. Our web application access control model closely ties authorized users to their content and the functions our platform provides. To assist companies in selling and advertising their products online, ChannelAdvisor may collect personal data on our customers’ behalf. We maintain technical and organizational processes and protections for personal data in compliance with the regulatory regimes under which ChannelAdvisor operates, including the EU’s General Data Protection Regulation and the California Consumer Privacy Act. Personal data is retained only as long as needed to perform our contractual obligations, or for other legitimate business reasons.
ChannelAdvisor’s continuous delivery approach to application development means we can deliver changes and upgrades to our applications without impact to availability. ChannelAdvisor uses a suite of monitoring tools to monitor the availability of its services and provide real-time alerting to our teams in the event a service becomes unavailable. In addition, we monitor systems for resource utilization to avoid negative impacts on service availability.
ChannelAdvisor allows customers to create unique, individual logins and manage the access level for each individual user in their organization. Customers define roles and groups, giving them the ability to enforce role-based access controls to specific modules in our system.
ChannelAdvisor encrypts all personal data in transit and at rest. ChannelAdvisor uses industry-accepted secure protocols and encrypts data at rest with AES 256-bit encryption.
Security & Privacy Training
All ChannelAdvisor employees receive security and data privacy training on an annual basis.
ChannelAdvisor keeps up-to-date on any breaking security alerts, software and system patches, and other relevant updates via the CERT/CC industry alert subscription list and repository. ChannelAdvisor also monitors security alerts from vendors and partners. The necessary updates or patches are applied to the system with priority based on the severity of the issue.
ChannelAdvisor’s production servers are located in a data co-location center and in cloud service provider environments. The facilities have relevant industry certifications and provide state-of-the-art network operations centers, advanced security and monitoring systems, sophisticated fire suppression systems and redundant utility transformers, generators, automatic transfer switches, main switch panels, and uninterruptible power supplies.
ChannelAdvisor’s team has installed redundant firewalls and intrusion detection systems to monitor and protect the network perimeter. System servers and firewall log files are continuously scanned and monitored by automatic applications that record performance and availability.
Operating Systems and Subsystems
ChannelAdvisor protects its operating systems by using a minimal number of access points to all production servers and enforcing strong authentication and authorization for access. Operating systems are strengthened by continuous maintenance, including updating patch levels for security, and disabling and removing unnecessary users, protocols, and processes.
Compliance and Attestations
Cloud Security Alliance
Security and Data Privacy Standards
ChannelAdvisor has taken all necessary steps and maintained processes and protections for personal data in compliance with the General Data Protection Regulation of the European Union (“GDPR”). For information on how ChannelAdvisor complies with the GDPR, please visit this FAQ page.
ChannelAdvisor does not sell personal data and our data handling practices comply with the California Consumer Privacy Act (“CCPA”). For information on how ChannelAdvisor complies with the CCPA, please visit this FAQ.
Reporting a Security Vulnerability
At ChannelAdvisor, we incorporate security into our development processes and strive to keep our platform secure. In line with this, we want to offer a path for reporting vulnerabilities identified in our public websites and products.
If you have identified a specific, reproducible security vulnerability in our website or one of our products, we ask that you contact us to submit your finding to our security team using the contact form below.
Vulnerability Reporting Guidelines
- Be able to provide an appropriate level of detail including the steps needed to reproduce the issue, any code samples you wish to share, applicable screenshots, and other details that could facilitate our identification of the problem.
- Do not publicly share the vulnerability or related details without ChannelAdvisor’s express consent.
- Allow a reasonable timeframe for ChannelAdvisor to validate the vulnerability, and then to address the vulnerability and release a fix if needed. The timeframe will be estimated during our assessment of your report.
Once your submission is received, we will reach out to you to collect information about your findings. Your submission constitutes your consent to the guidelines above, and for us to collect your personal data and use it to contact you.
If you are ready to submit your finding, please provide your contact information and a description of the vulnerability you have identified in the form below. Once we receive your submission, a member of our team will contact you for more information, including the information needed to reproduce the issue.