Security, Compliance and Performance

Contractor Commerce takes many steps to ensure that your data and your customers' data are protected and secure, and that the service remains highly available as an extension of your existing website.

Security

We take your security very seriously and want to make it clear what is happening with your information.

First and foremost, we use TLS/SSL throughout the application. This ensures that communication between you and us is private and that data cannot be intercepted in transit between your server/website and our server. You should see a lock icon in your browser's address bar when you view your website. If it is not there, please contact us; do not proceed further.

In addition to secure protocols, we run monthly vulnerability scans to ensure that known and recent exploitations do not exist on our systems, and conduct regular penetration testing to ensure that no vulnerabilities exist with our application on any server that may be used to gain customer or company information.

We DO NOT store any of the information related to your credit card, bank account, business tax ID, or SSN. This information is passed directly over an encrypted API to our payment service provider (Stripe), which is certified PCI Level 1, the most stringent level of data storage certification available in the payments industry.

Additional information about our security and compliance systems can be found here.

Email / Messaging Security

The Contractor Commerce system sends transactional emails, and optional marketing emails, on behalf of you, the Contractor. All messages are sent securely in transit using TLS. Transactional messages are not optional: by using Contractor Commerce, messages such as order confirmations will be sent to your customers. Marketing messages such as "Filter Change Reminders", however, are optional and can be enabled or disabled from the Command Center.

DNS and Domain Validation: By default, the Contractor Commerce system sends email messages on your behalf from a generic domain (contractor-email.com). It is recommended that you configure Contractor Commerce to send messages from a domain you own, to improve the reputation of your messages. Once you are logged into your account, your on-boarding checklist will walk you through configuring your email domain using DomainKeys (DKIM) and DMARC records, which legitimize the messages sent from your domain by the Contractor Commerce servers.

Content Security Policy

Content Security Policy (CSP) is the name of an HTTP response header that modern browsers use to enhance the security of a document (or web page). If you have implemented CSP on your website, you will need to make an update that allows the Contractor Commerce JavaScript Plugin to work.

The CSP "nonce" attribute only applies to inline JavaScript, and the Contractor Commerce Plugin loads all of its scripts from external references, so no nonce is required. You will, however, need to add "*.contractorcommerce.com" to the list of allowed sources in your Content Security Policy so that our plugin is allowed to run.
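To make that policy change concrete, here is an added example (not the plugin's or Contractor Commerce's own code) that parses a Content-Security-Policy header and checks whether a script URL would be allowed, comparing a policy without the plugin source against one with it. The site origin, the analytics host and the plugin script URL are constructed placeholders, and nonce, hash and port handling are intentionally left out.

```javascript
// Constructed values for this example: the page's own origin and a hypothetical
// plugin script URL under the *.contractorcommerce.com wildcard named in the text.
const PAGE_ORIGIN = "https://www.example-contractor.com";
const PLUGIN_SCRIPT = "https://cdn.contractorcommerce.com/plugin.js";

// Split a CSP header into { directive: [sources...] }. Browsers honour only the
// first occurrence of a directive, so a duplicate later in the header is ignored.
function parseCsp(header) {
  const directives = {};
  for (const part of header.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    if (name && !(name.toLowerCase() in directives)) directives[name.toLowerCase()] = sources;
  }
  return directives;
}

// Does one source expression match a script URL? Covers 'self', 'none', '*' and
// host-sources with an optional scheme and a leading "*." wildcard label.
// Nonces, hashes and port matching are deliberately not modelled here.
function sourceMatches(source, url) {
  const u = new URL(url);
  if (source === "'none'") return false;
  if (source === "'self'") return u.origin === PAGE_ORIGIN;
  if (source === "*") return true;
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([a-z0-9.-]+)$/i.exec(source);
  if (!m) return false;
  const [, scheme, wildcard, host] = m;
  if (scheme && `${scheme.toLowerCase()}:` !== u.protocol) return false;
  // A scheme-less host-source inherits the page's scheme (https is always accepted).
  if (!scheme && u.protocol !== "https:" && u.protocol !== new URL(PAGE_ORIGIN).protocol) return false;
  const h = u.hostname.toLowerCase(), want = host.toLowerCase();
  // "*.contractorcommerce.com" matches subdomains only, not the apex domain itself.
  return wildcard ? h.endsWith(`.${want}`) : h === want;
}

// script-src governs script loads; default-src is the fallback when it is absent.
// With neither present the policy places no restriction on scripts.
function scriptAllowed(header, url) {
  const d = parseCsp(header);
  const sources = d["script-src"] || d["default-src"];
  return !sources || sources.some((s) => sourceMatches(s, url));
}

const ORIGINAL_CSP = "default-src 'self'; script-src 'self' https://analytics.example";
const UPDATED_CSP = `${ORIGINAL_CSP} https://*.contractorcommerce.com`;

for (const [label, csp] of [["original", ORIGINAL_CSP], ["updated", UPDATED_CSP]]) {
  console.log(`${label}: plugin script ${scriptAllowed(csp, PLUGIN_SCRIPT) ? "allowed" : "blocked"}`);
}
```

Note that the wildcard form does not cover the apex domain, so a script served from contractorcommerce.com itself would still be blocked unless that host is listed separately.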

Compliance

PCI Compliance

PCI compliance, or the Payment Card Industry Data Security Standard (PCI DSS), is a set of policies and procedures that ensure the security of credit card transactions. Contractor Commerce is a Service Provider that uses fully PCI compliant tools to handle cardholder data. Each year, Contractor Commerce reviews the PCI compliance requirements and ensures that they are being met. PCI Compliance documents can be found inside your account in the Contractor Commerce Command Center, on the Help > Security page.

Accessibility

As an eCommerce provider for thousands of customers, Contractor Commerce has taken several steps to ensure that our software is fully usable with assistive devices, so that those with visual impairments can use the software effectively. We have specifically optimized our shop plugin to accommodate requirements within the Americans with Disabilities Act (ADA) and the Accessibility for Ontarians with Disabilities Act (AODA).

Performance

The Contractor Commerce Plugin is running on thousands of websites and is designed to load quickly and not interfere with your existing site, or negatively impact website load times.

Contractor Commerce regularly tests performance against standards like Core Web Vitals to ensure that you and your customers have the best possible experience. With this in mind, you may choose to test the Contractor Commerce Plugin on a private page within your website to ensure there are no unforeseen performance or compatibility issues before implementing it on a public-facing page.