Data Protection Policy
Last Updated: July 1, 2025
At Cistemics LLC, we are committed to protecting the privacy and personal data of our users. This policy outlines how we collect, process, and safeguard personally identifiable information (PII) through our services and integrations with TikTok Shop, Amazon Marketplace, and Etsy.
1. Scope
This policy applies to all PII collected, processed, or stored by Cistemics LLC through our platform, APIs, or third-party services.
2. Types of Personal Information Collected
- Full name
- Email address
- Shipping address
- Phone number (if applicable)
- Purchase and order data
3. Purpose of Data Collection
We collect and use personal data to:
- Fulfill customer orders and services
- Provide customer support
- Improve operational workflows
- Comply with legal obligations
4. Legal Basis for Processing
We process data under the following legal bases:
- User consent (for TikTok Shop data)
- Contractual necessity (for Amazon and Etsy transactions)
- Legitimate interest (for operations and fraud prevention)
5. Data Minimization
We only collect the minimum data necessary for the task. Excess data is not retained.
6. Data Sharing and Subprocessors
We only share data with trusted subprocessors under contractual obligations. These include:
- Amazon Web Services (Hosting & Storage, USA)
- Postmark (Email Delivery, USA)
- Cloudflare (Firewall and CDN, Global)
7. Data Retention and Deletion
- TikTok Shop: Data retained for no longer than 30 days
- Amazon: PII is deleted within 30 days after order fulfillment
- Etsy: PII retained only for the lifecycle of the transaction
Users can request data deletion at https://yourdomain.com/data-requests
8. Your Rights
You have the right to access, correct, delete, or restrict the processing of your data.
9. Contact
Email: [email protected]
Mail: Cistemics LLC, 101 Woodwinds Industrial Court, Cary, NC 27513
Data Security Policy
Last Updated: July 1, 2025
Cistemics LLC maintains a secure environment for storing and processing personal data. This policy outlines our technical and organizational measures to protect data accessed via TikTok Shop, Amazon SP-API, and Etsy integrations.
1. Encryption
- All data is transmitted over TLS 1.2 or higher
- Data at rest is encrypted using AES-256
2. Access Controls
- Role-based access controls (RBAC) are in place
- Least privilege access is enforced for all users
- All admin and developer access requires two-factor authentication
- Shared or hardcoded credentials are prohibited
3. Monitoring and Logging
- All access to personal data is logged, including user ID, IP address, timestamp, and action
- Logs are retained for 90 days or longer
- Abnormal or unauthorized access is flagged with alerts
4. Penetration Testing
- Annual penetration tests are conducted by third-party security firms
- All critical vulnerabilities are patched within 30 days of discovery
5. Patch and Vulnerability Management
- Systems are scanned weekly for vulnerabilities
- Critical updates are applied within 7 days; other updates within 30 days
6. Incident Response
- Security incidents are investigated immediately
- Affected users and partners are notified within 72 hours
- All security events are documented and reviewed
7. Hosting and Infrastructure
- Daily backups are encrypted and tested monthly
- Infrastructure is protected with firewall, DDoS protection, and monitoring systems
8. Data Lifecycle Management
- Automated systems handle data deletion after policy-defined retention periods
- Offboarding procedures revoke access to data immediately
- Quarterly internal reviews ensure compliance with data handling requirements
9. Contact
For security inquiries, contact us at:
Email: [email protected]
Information Security Policy
Last Updated: July 1, 2025
Applies To: All systems and services operated by Cistemics LLC
Cistemics LLC is committed to protecting the confidentiality, integrity, and availability of the information we collect, process, and store. Our Information Security Policy establishes a framework of technical, administrative, and physical controls designed to safeguard personal data — including information accessed via our integrations with TikTok Shop, Amazon Marketplace, and Etsy.
1. Policy Purpose
This policy outlines our organization’s information security principles and controls. Its purpose is to:
- Prevent unauthorized access to data
- Maintain service reliability and data accuracy
- Ensure secure processing of personally identifiable information (PII)
- Support compliance with applicable laws (GDPR, CCPA) and platform-specific requirements
2. Scope
This policy applies to:
- All Cistemics-managed systems, APIs, and applications
- All personnel with access to systems that store or process customer data
- All third-party subprocessors handling data on our behalf
3. Security Governance
Security is governed by our internal Security & Compliance team. Key practices include:
- Annual policy reviews and risk assessments
- Documentation of all operational controls and audit trails
- Vendor security due diligence and contract-based obligations
4. Security Principles
Cistemics adheres to the following principles:
- Confidentiality: Access to personal data is strictly limited to authorized personnel
- Integrity: Data is protected from alteration through system-level controls and access logs
- Availability: Systems are monitored and backed up to ensure business continuity
5. Technical Security Controls
We enforce the following technical safeguards:
- Encryption in Transit: TLS 1.2+ is required for all data transmitted over public or internal networks
- Encryption at Rest: All PII is encrypted using AES-256 or equivalent cryptographic standards
- Role-Based Access Control (RBAC): System access is scoped to roles using the principle of least privilege
- Multi-Factor Authentication (MFA): MFA is required for all administrative and privileged access
- Secrets Management: API keys and credentials are stored in encrypted vaults, never hardcoded or shared
- Code Security: All software is developed in accordance with secure coding standards and reviewed via code audits
6. Operational Security Measures
- Patch Management: Vulnerabilities are tracked, with critical patches applied within 7 days
- Logging & Monitoring: All access to PII is logged, retained for at least 90 days, and reviewed regularly
- Backup & Recovery: Encrypted backups are taken daily and tested monthly
- Network Security: Firewalls, intrusion detection, and DDoS protection are enforced at the infrastructure layer
- Physical Security: All production hardware is hosted in ColoCrossing datacenters with restricted physical access and surveillance
7. Vendor and Subprocessor Controls
All third-party vendors are reviewed annually and bound by Data Processing Agreements (DPAs). Vendors are only granted access to data as needed and are required to maintain equivalent security standards.
Subprocessors currently in use include:
- Cloudflare – TLS termination, CDN, firewall (Global)
- ColoCrossing – Datacenter infrastructure, physical hardware hosting (USA)
- ForwardEmail – Email routing for support inbox (USA)
8. Incident Response and Breach Notification
We maintain an internal incident response plan that includes:
- 24/7 security alerting on key systems
- Breach impact assessment and remediation protocols
- Notification to affected parties and regulators within 72 hours, as required by law or contract
9. Employee Security Practices
- All team members are trained annually on data security, PII handling, and phishing awareness
- Access to systems is immediately revoked upon termination or change of role
- Developers are required to follow secure SDLC practices, including dependency scanning and code review
10. Policy Review and Maintenance
This policy is reviewed at least annually, or whenever there are significant changes to our operations, infrastructure, or applicable laws.
Questions or concerns?
Email our security team at [email protected] or visit https://cistemics.com/contactus
Incident Response Policy
Cistemics LLC maintains a structured Incident Response Policy to detect, contain, investigate, and report actual or suspected data security incidents that may impact the confidentiality, integrity, or availability of personal information.
1. Objective
The objective of this policy is to:
- Minimize the impact of security incidents
- Ensure fast, effective communication during security events
- Comply with data breach notification obligations under GDPR, CCPA, and third-party platform contracts
- Support forensic analysis and long-term remediation
2. Definitions
- Security Incident: Any unauthorized access, use, disclosure, disruption, modification, or destruction of information assets, including PII.
- Data Breach: A confirmed incident involving loss, theft, or unauthorized disclosure of PII.
3. Detection & Monitoring
- 24/7 logging and alerting on core systems and API endpoints
- Alerts triggered by access anomalies, failed login attempts, and PII access patterns
- Automated scans for file integrity and known vulnerabilities
4. Response Process
Security incidents follow a 6-phase response plan:
1. Identification
- Triage severity based on system logs, user reports, or automated alerts
- Assign incident lead and classification (e.g. internal breach, vendor-related, DoS)
2. Containment
- Isolate affected systems, disable compromised credentials
- Preserve system state for forensic analysis
3. Eradication
- Remove malicious code, revoke unauthorized access, and patch exploited vulnerabilities
4. Recovery
- Restore systems from clean backups if needed
- Monitor restored environments for recurrence
5. Notification
- Notify data subjects, TikTok, Amazon, or Etsy if required
- Notifications made within 72 hours of breach confirmation
- Reports include scope, type of data affected, and remediation steps
6. Post-Incident Review
- Conduct a root cause analysis and lessons-learned session
- Update controls or processes as needed
5. Roles and Responsibilities
| Role | Responsibility |
|---|---|
| Incident Lead | Coordinates all response phases |
| Security Team | Triage alerts, analyze indicators, escalate issues |
| Engineering Lead | Containment and remediation |
| Legal/Data Protection | Regulatory reporting, external communication |