Sansec security policies
by Sansec Compliance
Published in Guides
Learn how Sansec handles security internally.
1. Security Overview
Sansec software runs on 10% of all Magento and Adobe Commerce stores worldwide. Naturally, Sansec is a security-first company and applies high standards to our internal security operations. Our approach ensures that our eComscan agent operates with minimal risk while providing maximum protection for your eCommerce environment.
Sansec is a proud security partner of Adobe, Google and Europol.
2. Product Architecture Security
2.1 Compiled Binary Security
Our eComscan agent is distributed as a compiled Go binary, which ensures code integrity and prevents tampering. Each release is cryptographically signed and verified. Signing requires GPG keys that are stored on a physical YubiKey. The signing process also requires multi-factor authentication and can only be performed by the Sansec management team. The agent operates independently without requiring external dependencies or interpreters, minimizing the potential attack surface.
2.2 Deployment Model
The eComscan agent is designed for on-premise operation, giving organizations full control over their security infrastructure. While cloud-based features are available, they are entirely optional: the core scanning functionality operates autonomously without external dependencies, except for the synchronization of the latest (non-executable) threat signatures. Organizations can run the agent in restricted accounts, with granular control over all external communications.
3. Data Privacy & Control
3.1 Data Collection
We maintain a strict data minimization policy. When cloud features are enabled, the agent only transmits technical metadata and scan results to the Sansec dashboard. The agent never accesses sensitive customer data or payment information, and never transmits actual files. All reporting features are opt-in and can be completely disabled, allowing the agent to operate in a local reporting mode.
3.2 Data Transmission
All communications between the agent and Sansec infrastructure utilize TLS 1.3 with certificate pinning for enhanced security. Data transmission is protected using standard encryption protocols, and all endpoints require authentication with regularly rotated credentials.
4. Operational Security
4.1 Development Practices
Our development team follows the Secure Development Lifecycle (SDLC) methodology. This includes regular security assessments and thorough code reviews conducted by senior team members. We employ automated security testing and vulnerability scanning throughout our development pipeline, ensuring that security is built into every stage of our software development process. All code changes are version controlled and undergo multiple rounds of review before deployment.
4.2 Update Management
Security updates are handled through an automated patch management system that ensures timely delivery of critical fixes. Each update is cryptographically signed and verified before installation, maintaining a secure chain of trust. We maintain a transparent changelog and immediately notify customers of security-related updates through our advisory system. This proactive approach ensures that all installations remain current with the latest security enhancements.
5. Access Control & Authentication
5.1 Agent Authentication
Each eComscan installation receives a unique identifier that ensures secure communication with our infrastructure. Authentication is managed through cryptographic tokens that are regularly rotated to maintain security. Our system includes revocation support, allowing invalidation of compromised credentials if necessary. This multi-layered approach ensures that only authorized agents can communicate with our systems.
5.2 Dashboard Access (Optional)
For customers using our cloud dashboard, we offer access controls including role-based permissions and support for multi-factor authentication. Sessions are actively managed with automatic timeouts to prevent unauthorized access. Comprehensive audit logging tracks all access attempts and administrative actions, providing a clear trail of all system interactions.
6. Compliance & Privacy
6.1 Data Handling
Our data handling practices are aligned with GDPR requirements and follow strict data minimization principles. We maintain clear data retention policies that specify how long different types of information are stored and when they are securely disposed of. All data handling procedures are documented and regularly reviewed to ensure compliance with evolving privacy regulations.
6.2 Privacy Controls
Customers have complete control over their data. Our data collection policies are transparent and clearly documented, with regular privacy impact assessments conducted to identify and mitigate potential risks. We offer data processing agreements for customers who require additional privacy assurances.
7. Incident Response
7.1 Security Incident Management
A security response team manages our incident response program, following documented procedures for handling security events. Clear communication channels are established for reporting and managing security incidents, with regular drills conducted to ensure our team remains prepared. Our incident response procedures are regularly reviewed and updated based on emerging threats and lessons learned.
7.2 Vulnerability Management
Our vulnerability management program includes a responsible disclosure policy and rapid patch development process. We issue security bulletins when required. Our proactive vulnerability scanning helps identify and address potential security issues before they can be exploited.
8. Business Continuity
8.1 Reliability Measures
Sansec maintains a distributed development and analysis team to ensure continuous operation and support. Naturally, we perform regular backup testing. These measures ensure that our services remain available and that customer operations are not disrupted, even in exceptional circumstances.
8.2 Support & Maintenance
We provide 24/7 security monitoring and run automated security updates on all of our infrastructure. Our technical support team is readily available to assist with security-related inquiries and incidents.
9. Third-Party Security
9.1 Vendor Assessment
We conduct regular security reviews of all dependencies and maintain minimal third-party integrations to reduce potential vulnerabilities. For vendors that process PII (Chargebee, Stripe), we require SOC 1 and SOC 2 Type II compliance.
9.2 Security Partnerships
Sansec maintains active security partnerships with leading industry organizations, such as Google VirusTotal, Adobe and Europol, for threat intelligence sharing and collaborative security research. These partnerships enhance our ability to detect and respond to emerging threats.
10. Transparency & Documentation
10.1 Security Documentation
We maintain detailed security documentation that is regularly updated to reflect current practices and procedures. Security advisories are issued promptly when necessary, and clear communication channels are maintained for security-related inquiries. Technical specifications are available to help customers understand and implement our security features effectively.
10.2 Reporting & Metrics
Our security program includes regular measurement and reporting of key security metrics. We provide transparent reporting of security incidents and maintain comprehensive compliance documentation. This commitment to transparency helps customers understand our security posture and make informed decisions about their security infrastructure.
Our security policies are regularly reviewed and updated. New threats emerge on a daily basis, so continuous adaptation is essential for Sansec and our customers.