Security Policy

1) Scope & Applicability

This Security Policy applies to our public website, e-commerce operations, customer support systems, and internal business systems used to process customer orders and related data. For how we collect, use, share, and retain personal data, please see our Privacy Policy.

2) Security Principles

• Least privilege: access is limited to the minimum necessary for a task.
• Defense in depth: multiple layers across network, application, and data.
• Secure by default: hardened configurations and safe defaults.
• Risk-based: prioritization based on impact and likelihood.
• Continuous improvement: monitoring, reviews, and iterative hardening.

3) Technical Controls

• Transport encryption: HTTPS/TLS for all pages and APIs.
• Encryption at rest: applied where feasible to databases, backups, and sensitive logs.
• Key management: restricted access to secrets and keys; rotation where supported.
• Network security: firewalls, WAF/rate-limiting, and IP restrictions for admin endpoints.
• Hardening: minimal services, vendor-recommended security settings, and timely patching.

4) Access Management

• Authentication: strong passwords and multi-factor authentication (MFA) for internal systems.
• Authorization: role-based access control (RBAC) and least-privilege provisioning.
• Lifecycle: joiner/mover/leaver reviews and periodic access recertification.
• Segregation: separation of duties for production access and approvals.

5) Secure Development & Change Management

• Code reviews & change control prior to deployment.
• Dependency hygiene: routine updates and known-vulnerability checks.
• Secrets handling: no hard-coded secrets; managed secret stores where possible.
• Environment separation: development/staging isolated from production.
• Configuration management: versioned, peer-reviewed changes.

6) Vulnerability Management

• Scanning: periodic scans of applications and infrastructure.
• Patching: updates prioritized by severity and exploitability.
• Testing: targeted assessments and third-party testing where appropriate.

We aim to remediate high-risk issues promptly based on risk and operational impact. If a vulnerability presents immediate risk, we prioritize temporary mitigations while a permanent fix is prepared.

7) Logging & Monitoring

• Audit logs: key security events are logged and reviewed periodically.
• Monitoring: alerts for suspicious activity and access anomalies.
• Retention: logs retained consistent with our data retention approach.

8) Data Classification & Retention

• Personal & order data: processed to fulfill purchases and provide support.
• Payment data: card payments are processed by PCI-DSS compliant gateways; we do not store full card numbers or CVV.
• Minimization: collect and retain only what we need for the stated purpose.

For full details, see our Privacy Policy.

9) Backups & Business Continuity

• Backups: regular backup procedures and periodic restore tests.
• Continuity: plans to reduce downtime and data loss during incidents.

10) Vendors & Third-Party Services

• Due diligence: confidentiality/data-processing terms and security posture reviews.
• Payment gateways: PCI-DSS compliant processors for card transactions.
• Minimum necessary access: vendors receive only the data needed to provide their service.

11) Physical Security

• Operations Hub (Warehouse & Fulfillment): restricted areas, visitor logs, and environmental controls aligned with product requirements.
• Experience Center (Showroom & Pickup): customer-facing area with controls to safeguard point-of-sale devices and stock.
• Registered Office: administrative/legal correspondence only; no retail operations.

12) Incident Response & Notification

We maintain procedures for detection, containment, investigation, and remediation of security incidents. Where required by law, we will notify affected users and relevant authorities. If you suspect misuse of your account or data, please contact us immediately.

13) Responsible Disclosure (Security Researchers)

We welcome good-faith reports. Please email security@australiangoods.com.bd with a description, steps to reproduce, affected URLs/parameters, and your contact details.

• Do: test only your own account, avoid data access beyond what’s necessary to demonstrate the issue, and give us reasonable time to fix.
• Don’t: perform DDoS/stress tests, social engineering, physical intrusion, or privacy-intrusive actions (e.g., exfiltrating personal data).
• Attribution & credit: we’re happy to credit researchers (with consent) once an issue is resolved. No bug-bounty payments at this time.

14) Your Responsibilities

• Use a strong, unique password and keep it private.
• Beware of phishing—check senders and links before you click.
• Keep your devices updated with security patches.
• Contact us if you notice suspicious activity in your account.

For payment safety tips and options, see Payment Methods.

16) Security Contact

• ✉️ Email (security reports): security@australiangoods.com.bd
• ✉️ General support: support@australiangoods.com.bd
• 📞 Customer Care: +88 0140 445 8888 (Sun–Thu 10:00–17:00)
• 🏬 Visit: Experience Center: product/service issues (not for security disclosures) — Holding #499, Road #34, Mohakhali, DOHS, Dhaka 1206, Bangladesh (Sun–Thu 10:00–17:00; Fri–Sat closed)

Last updated: Sep 27, 2025