Security & Trust Center

Enterprise
Security

How we protect your data and maintain platform security

Effective: December 20, 2025 | Last Updated: December 20, 2025

Encryption

TLS 1.3 in transit, AES-256-GCM at rest

Monitoring

24/7 security monitoring & incident response

Compliance

GDPR, CCPA, SOC2-ready (in progress)

1. Shared Responsibility

Cloud Commerce Is Responsible For:

  • Platform infrastructure security
  • Access controls & monitoring
  • Vendor security management
  • Incident response & breach notification

You Are Responsible For:

  • Account credentials & devices
  • Strong passwords & access control
  • API keys & integration security
  • Compliance with laws

2. Data Protection

  • Platform Data: Account admin, billing, support
  • Merchant Customer Data: Processed on your behalf (see DPA)
  • Prohibited: No HIPAA/PHI, biometric data, government IDs (unless expressly supported)

3. Access Controls

  • Role-based access, least privilege
  • JWT authentication with rotation
  • Internal access logging for admin actions
  • Multi-factor authentication (where supported)

4. Encryption

  • In Transit: TLS 1.3 for all Service communications
  • At Rest: AES-256-GCM for sensitive data
  • Integration configs: Encrypted before storage
  • Backups: Encrypted

5. Application Security

  • Secure configuration practices
  • Environment separation (dev vs. production)
  • Restricted admin access
  • Change management controls

6. Monitoring & Logging

  • Real-time security event monitoring
  • Fraud and abuse detection
  • Audit logging (where enabled)
  • Performance and error tracking

7. Vulnerability Management

  • Security patches on risk-based schedule
  • Vulnerability assessment and remediation
  • Responsible disclosure process (see below)

8. Incident Response

If a Personal Data Breach affects data processed on your behalf:

  • Notification: Within 72 hours (as required by law/DPA)
  • Info provided: Nature, affected data, mitigation steps
  • No admission: Communications for compliance, not admission of fault

9. Vendor Security

We use vetted subprocessors (hosting, AI, payments). See Subprocessors List.

10. Data Retention & Backups

  • Retain only as necessary (service delivery, security, legal compliance)
  • Daily automated backups (encrypted)
  • Backups may persist in limited cycles, then are deleted
  • 30-day export window after termination

11. Availability

  • Target: 99.9% uptime (Phase A SLOs)
  • Circuit breakers for external dependencies
  • Error budgets and auto-protect mechanisms
  • No absolute uptime guarantee (except Team plan SLA)

12. Report Security Issues

Vulnerability Disclosure:

Email: [email protected]
Subject: "Security Vulnerability Report"

Include: URL/feature, reproduction steps, impact, contact info

Rules:

  • Don't access/modify data not yours
  • Don't disrupt Service (no DoS testing)
  • Don't publicly disclose before we can mitigate
  • No social engineering

13. No Bug Bounty

We don't promise compensation for reports unless we explicitly offer a bug bounty in writing. Good-faith reports are appreciated.

Document ID: SECURITY-v1.0.0
Entity: LaunchDS LLC (d/b/a Cloud Commerce)
Security Contact: [email protected]
See also: Privacy Policy, DPA