Customer payment information never passes directly to Submarine. All sensitive payment details are sent directly from the Shopify Plus Checkout to the merchants' payment processor, after which a tokenised version of the payment method is created and passed back to Submarine.
We conform to industry standards for web application security.
Submarine is built by an engineering team with extensive experience developing, deploying and managing web applications in a secure environment. We are members of the Open Web Application Security Project (OWASP) and aim to meet Level 2 standards of the OWASP Application Security Verification Standard (ASVS).
Yes, to the extent needed for the operation of the platform.
We try to minimise the amount of customer data stored within Submarine to reduce the risk footprint for merchants. However, the nature of the platform requires that some customer information (customer IDs, customer email addresses, customer order contents, and customer addresses) is stored within Submarine.
All customer data within the platform remains the property of the merchant and will never be shared with or sold to third parties. A guarantee to this effect forms part of the standard Submarine contract terms.
All Submarine data is periodically backed up off-site using Tarsnap, a highly secure encrypted backup service used by many companies handling sensitive information, including Stripe.
Tarsnap ensures that data is fully encrypted on our servers before transmission.
Disco Labs has developed a template DRP that can be tailored to each merchant using the platform.
As with our DRP, Disco Labs has developed a template BCP that can be tailored to each merchant using the platform.