Last updated: June 2026
Introduction
At SWAP Commerce, we are committed to protecting the privacy and security of our users' and customers' data. This document outlines our security and privacy posture, as well as the measures we take to ensure the confidentiality, integrity, and availability of that data.
Information Security Program
Security is a foundational principle at SWAP Commerce — not an afterthought. Our Information Security Program follows industry best practices, policies, and procedures to guard against unauthorized access and protect customer and merchant data.
We conduct regular reviews and enhancements to comply with the latest industry standards. Our security controls include:
- Identity & Access: Single Sign-On (SSO), Multi-Factor Authentication (MFA), and Role-Based Access Control (RBAC) across all systems
- Endpoint Protection: Extended detection and response (XDR) and Mobile Device Management (MDM) for all company devices
- Cloud Security: Cloud Security Posture Management (CSPM) and cloud workload protection across our infrastructure
- Vulnerability Management: Continuous scanning aligned with OWASP Top 10 and NIST standards (SAST, DAST, infrastructure-as-code analysis)
- Data Loss Prevention: DLP tooling to prevent unauthorized data exfiltration
- Web Application Firewall (WAF): Protecting all public-facing APIs and application endpoints
- Log Management & SIEM: Centralized log collection and real-time security event monitoring
- Threat Detection: Machine learning-assisted anomaly detection for proactive threat identification
- 24/7 Security Operations: Continuous monitoring with rapid incident response
For security inquiries, contact us at: devops-team@swap-commerce.com
Network Security
SWAP Commerce uses firewalls, intrusion detection and prevention systems (IDS/IPS), and network segmentation to protect our infrastructure from unauthorized access. We continuously monitor network traffic for anomalies and suspicious activity, and maintain a tested incident response plan to address potential security events promptly.
System Security
We follow industry-standard hardening benchmarks to secure our systems and infrastructure. This includes regular patching and updates, continuous vulnerability scanning and remediation, and system hardening across all environments. Endpoint protection tools are deployed across all company assets to defend against malware and other threats.
Security Operations
At SWAP Commerce, security is not an afterthought — it is baked into everything we build. We operate under a Shift Left DevSecOps philosophy, integrating security at every stage of the software development lifecycle rather than bolting it on at the end. Our security and engineering teams work as one, embedding automated security controls, threat modeling, and continuous monitoring directly into our development and deployment pipelines — ensuring vulnerabilities are identified and resolved long before they reach production.
Access Controls
Access to SWAP Commerce systems and data is governed by the principle of least privilege. We enforce:
- RBAC — role-based access control across all internal systems and customer-facing tooling
- MFA — required for all employees and privileged accounts
- SSO — centralized identity management via JumpCloud
- VPN / Zero Trust — secure remote access with Zero Trust network architecture
- User Access Reviews — periodic reviews of access rights across all company applications, systems, and tools
Security & Privacy Risk Management
SWAP Commerce takes a multi-layered approach to security and privacy risk. We conduct regular risk assessments to identify vulnerabilities and implement appropriate safeguards. Our program is aligned with ISO 27001 and industry-recognized frameworks, and our team continuously monitors for emerging threats and privacy concerns to address them proactively.
Penetration Testing
We conduct annual penetration testing and vulnerability assessments using third-party security experts. Findings are remediated and tracked to closure, with retesting performed to confirm resolution. Results are used to continuously improve our security posture.
Application Security
SWAP Commerce's application is developed following the OWASP Top 10 framework. Our secure software development lifecycle (SSDLC) includes:
- Peer code review prior to any production deployment
- Static code analysis (SAST) and dynamic testing (DAST) in the CI/CD pipeline
- End-to-end and unit testing covering authorization and access control logic
- Periodic security training for all developers
- Web Application Firewall (WAF) and CSPM protection for all APIs and applications
Logging & Audit Trails
We maintain detailed, tamper-protected logs of system activity to enable rapid detection and investigation of security incidents. Logs are stored securely with appropriate retention policies, access controls, and audit trails to ensure integrity. Our SIEM platform correlates log data across systems in real time.
Data Protection, Continuity & Retention
SWAP Commerce protects customer and merchant data through:
- Encryption at rest — all sensitive data encrypted using GCP KMS-managed keys
- Encryption in transit — all data transmitted over HTTPS with TLS 1.2 or higher enforced across all endpoints
- Regular backups — automated backups with tested recovery procedures
- Disaster recovery — documented DR and business continuity plans with regular testing
- Data retention policies — data retained only as long as necessary, with defined deletion procedures
Encryption
All data in transit between end users and SWAP Commerce is encrypted via TLS. Data at rest is encrypted using industry-standard algorithms, with keys managed through GCP KMS. Backups are encrypted and stored securely.
High Availability
SWAP Commerce is architected for high availability using multi-region Google Cloud Platform (GCP) infrastructure with redundant systems and automated failover. Our platform is designed to minimize downtime and ensure merchants and their customers can access our services when they need them.
Security Incident Management
We maintain a formal security incident management process including:
- A defined incident response plan with clear escalation paths
- Communication protocols for notifying affected customers in a timely manner
- Regular tabletop exercises and training for the security operations team
- Post-incident reviews to drive continuous improvement
Resilience & Service Continuity
Our disaster recovery and business continuity plan ensures service availability in the event of a major disruption. Critical systems are prioritized for recovery, and our DR plan is tested regularly to validate its effectiveness.
Backups & Recovery
Automated backups of systems and data are taken on a regular schedule and stored securely with encryption. Backup restoration is tested periodically to validate recovery time and recovery point objectives.
Password & Authentication Controls
SWAP Commerce enforces strong authentication policies across all systems, including:
- Minimum password complexity and length requirements
- MFA required for all employee accounts and privileged access
- SSO via JumpCloud for centralized, auditable identity management
- Automatic account lockout after failed authentication attempts
People Security
All SWAP Commerce employees complete security awareness training during onboarding and on an ongoing basis. We conduct background checks and adhere to appropriate personnel security procedures to maintain a trustworthy team.
Third-Party Vendor Management
SWAP Commerce maintains a vendor risk management program to ensure third-party vendors with access to our systems and data meet our security standards. This includes:
- Security assessments prior to onboarding new vendors
- Contractual security and data protection requirements
- Periodic review of vendor security posture
- Vendor access governed by least privilege and revoked promptly upon offboarding
Security & Privacy by Design
Security and privacy are embedded into SWAP Commerce's product development from the start. We follow secure development methodologies, conduct security and privacy reviews at every stage of the development lifecycle, and align with internationally recognized frameworks to ensure our platform is built with protection in mind.
Change Management
All changes to production systems follow a rigorous change management process, including peer review, automated testing, and staged rollouts. This minimizes the risk of introducing vulnerabilities or instability into our platform.
Architecture & Data Segregation
SWAP Commerce uses a multi-layered security architecture with appropriate network and data segmentation to ensure customer data is isolated and protected. Access controls are enforced at every layer of the stack.
Physical Security
Our infrastructure runs on GCP, which maintains industry-leading physical security controls including access control, surveillance, and environmental protection at all data center facilities. SWAP Commerce office facilities employ access controls and security measures to prevent unauthorized physical access to company assets.
Confidentiality
We maintain strict confidentiality controls to protect customer and merchant data, including restricting access to sensitive information on a need-to-know basis, encryption of data in transit and at rest, and enforcing appropriate retention and deletion policies.
Email Security
SWAP Commerce uses Google Workspace for corporate email, which includes built-in protections against phishing, spoofing, and malware. Our email infrastructure includes SPF, DKIM, and DMARC configurations to authenticate outbound mail and prevent domain spoofing.
Compliance & Certifications
SWAP Commerce is committed to maintaining compliance with applicable data protection and security regulations. Our compliance posture includes:
SOC 2 Type 2
We are working toward SOC 2 Type 2 certification and follow the Trust Services Criteria for security, availability, and confidentiality as the foundation of our program.
GDPR Ready
SWAP Commerce complies with the EU General Data Protection Regulation (GDPR). We have implemented appropriate technical and organizational measures to protect personal data and to support data subject rights including access, rectification, erasure, and portability.
CCPA Ready
We comply with the California Consumer Privacy Act (CCPA), ensuring consumers have control over their personal data. Appropriate privacy policies, data mapping, and response procedures are in place.
HTTPS / TLS Enforcement
All data transmitted to and from SWAP Commerce is protected by HTTPS with TLS 1.2 or higher enforced across all endpoints.
Why Merchants Trust SWAP Commerce
SWAP Commerce is built for businesses that can't afford compromise — on performance, reliability, or security. Our platform is designed with enterprise-grade security controls so you can focus on growing your business, confident that your data and your customers' data are protected.
Questions about our security posture? Contact us at devops-team@swap-commerce.com