Security
Last updated: 2025-10-09
1. Our Security Principles
ORCA (Order Ready Commerce Automation) is built with security by design. We protect your data using layered administrative, technical, and physical controls, continuously improving our posture and aligning with Amazon SP‑API and industry best practices.
2. Data Encryption
- In transit: All traffic uses TLS. HSTS is enforced on publicly reachable endpoints.
- At rest: Sensitive data (including backups) is encrypted using strong algorithms (e.g., AES‑256).
- Key management: Encryption keys are centrally managed with strict access and rotation policies.
3. Access Control & Authentication
- Least privilege: Role‑based access control limits production access to authorized personnel.
- MFA: Multi‑factor authentication is required for administrative and production systems.
- Secrets management: Credentials and tokens are stored in a secret manager; no hard‑coded secrets.
- Periodic reviews: Access is reviewed at least quarterly and immediately upon role change.
4. Network Security
- Segregated VPCs, security groups, and firewalls restrict ingress/egress.
- Intrusion detection and anomaly monitoring help identify suspicious activity.
- Administrative interfaces are restricted and audited.
5. Secure Development Lifecycle
- Peer reviews for code changes and security checks in CI.
- Dependency management with vulnerability alerts and timely patching.
- Training for engineers on secure coding and data handling.
6. Logging & Monitoring
- Centralized logging for security and access events.
- Alerting on authentication failures, privilege escalations, and abnormal patterns.
- Security and access logs are retained for at least 90 days.
7. Incident Response
We maintain documented procedures to detect, investigate, and remediate incidents. If we determine that your data has been impacted, we will notify you and any required authorities consistent with applicable law and platform policies.
8. Data Retention & Deletion
- Amazon SP‑API: Amazon customer PII (e.g., recipient name, shipping address, email, phone) is retained only as long as necessary to provide the services you enable and is deleted no later than 30 days after order delivery unless a longer period is required by law.
- QuickBooks Online: QuickBooks data is retained only as long as needed to provide the services you enable. You may disconnect at any time; we then cease access and delete or anonymize the data, subject to legal obligations and backup cycles.
- Backups: Encrypted backups follow defined retention schedules; backup data is purged on a rolling basis.
9. Business Continuity & Disaster Recovery
- Regular, tested backups and documented restoration procedures.
- Defined recovery time and recovery point objectives (RTO/RPO) and recovery playbooks.
10. Environment Separation & Data Minimization
- Production data is not used in development or testing environments.
- Scopes and permissions are minimized to only what is necessary for requested features.
- PII is masked in logs and user interfaces where full values are not needed.
11. Vulnerability Management & Testing
- Routine vulnerability scanning with prioritized remediation timelines.
- Periodic penetration testing; identified issues are tracked through remediation.
- Timely patching of operating systems, runtimes, and dependencies.
12. Sub‑processors
We use carefully selected service providers (sub‑processors) for hosting and supporting services under written agreements requiring confidentiality, security, and processing only under our instructions. A current list is available on our Sub‑processors page.
13. Responsible Disclosure
We welcome reports from the security community. If you believe you have found a vulnerability, please contact us at support@killerwarehouse.com with details so we can investigate. Please avoid public disclosure until we have had a reasonable opportunity to remediate.
14. Contact
Questions about our security program? Reach us at support@killerwarehouse.com or by mail at: ATTN: ORCA - Killer Warehouse, 940 W 1400 N, Logan, UT 84321.