Security and compliance

Answers to questions frequently asked by our enterprise customers.

How secure is Submarine?

Pretty darn secure.
We conform to industry standards for web application security.
Submarine is built by an engineering team with extensive experience developing, deploying and managing web applications in a secure environment. We are members of the Open Web Application Security Project (OWASP) and aim to meet Level 2 standards of the OWASP Application Security Verification Standard (ASVS).

Is Submarine PCI compliant?

Customer payment information never passes directly to Submarine.
All sensitive payment details are sent directly from the Shopify Plus Checkout to the merchants' payment processor, after which a tokenised version of the payment method is created and passed back to Submarine.

Does Submarine store customer data?

Yes, to the extent needed for the operation of the platform.
We try to minimise the amount of customer data stored within Submarine to reduce the risk footprint for merchants. However, the nature of the platform requires that some customer information (customer IDs, customer email addresses, customer order contents, and customer addresses) is stored within Submarine.

Does Submarine share customer data with third parties?

All customer data within the platform remains the property of the merchant and will never be shared or sold to third parties. A guarantee to this effect forms part of the standard Submarine contract terms.

Does Submarine back up data?

Yes (securely).
All Submarine data is periodically backed up off-site using Tarsnap, a highly secure encrypted backup service used by many companies handling sensitive information, including Stripe.
Tarsnap ensures that data is fully encrypted on our servers before transmission.

Does Submarine have a Disaster Recovery Plan?

Yes. Disco Labs has developed a template DRP that can be tailored to each merchant using the platform.

Does Submarine have a Business Continuity Plan?

Yes. As with our DRP, Disco Labs has developed a template BCP that can be tailored to each merchant using the platform.

Where are Submarine's servers hosted?

On Digital Ocean in the United States.
Our infrastructure is provided by Digital Ocean, with availability regions within the United States. Locating our servers in the United States was a decision made based on proximity to Shopify's servers and to the majority of our merchants' customer bases.
We have the ability to deploy Submarine to alternate regions or to in-house infrastructure if merchants have specific legal or compliance needs.