Confidentiality Requirements

The confidentiality requirements state our intent to protect both customer and administrator PII from unauthorised disclosure. This section also captures the constraints imposed by GDPR, CCA, and other applicable regulations.

Definitions

Customer Personally Identifiable Information ("PII")
PII is defined as the customer's name, address(es), phone number(s), and email address(es).

Goals

  1. To ensure that all authentication information is kept secret from every party other than the one it belongs to.
  2. To ensure that all order information is kept secure from all parties other than the store owner and the customer who performed the order.
  3. To ensure that all collected information from customers is stored in a manner compliant with all identified regulations, and is easy to manage for privacy and compliance tasks.
  4. To ensure that all network traffic is protected with strong encryption so that all MoR data is protected in transit.
  5. To ensure that all stored data is encrypted at rest to protect against physical intrusion attacks.

Exclusions

  1. Email delivered to external services cannot always be encrypted, because transport encryption in SMTP depends on what the receiving server supports. Sending order information to the customer by email is considered an acceptable risk.

Requirements

  1. The system shall ensure all HTTP traffic is encrypted with TLS 1.3, or a later version of TLS, using the ciphers and protocols listed in the "Modern" configuration of the Mozilla SSL Configuration Generator.
    1. The team shall, no less than once per quarter, verify that the system is still in full compliance with the "Modern" configuration guidance, adding or removing cipher suites and protocol versions as that guidance changes.
  2. The system shall store customer authentication secrets (passwords) only as salted hashes produced by a purpose-built password-hashing function with a tunable work factor, such as bcrypt, using a cost factor of at least 15. General-purpose hashes (for example BLAKE2 or SHA-2) and reversible encryption are not acceptable for this purpose.
  3. The system shall authenticate store owners against the WTI SSO infrastructure using the SAML standard, over HTTPS only, with strict certificate checking.
  4. The system shall allow order information to be retrieved by a customer only if the requester is authenticated as the customer who originally placed the order.
    1. For an order placed by a signed-in customer, the system shall consider the requester authenticated only if the same account is currently signed in.
    2. For an order placed by a signed-out (guest) customer, the system shall consider the requester authenticated only if the requester supplies both the order ID and the email address used when the order was placed.
  5. The system shall store all database content on an encrypted volume.
  6. The system shall allow an authenticated customer to remove their personally identifying information ("PII") from the system.
    1. If the customer is authenticated to a valid account, the system shall replace all PII with appropriate placeholders.
    2. If the customer does not have an account, the system shall send a confirmation email and prompt the customer to enter the code from that email before the removal is carried out.
    3. If the customer does not have an account and cannot receive the confirmation email, the system shall allow them to remove all PII except their email address. This ensures that a malicious actor cannot pre-empt a guest customer's ability to view their order history.
  7. The system shall allow a store owner to remove a customer's PII on behalf of the customer. The system shall additionally allow the store owner to remove the customer's email address, with a warning that the customer will then no longer be able to access their order history.
  8. Upon either the customer or store owner removing a customer's PII, the system shall perform all the following actions:
    1. Send an email to the customer that their PII has been removed. This step must occur before the removal of the email address, if the store owner has chosen to remove the customer's email address as well.
    2. Send an email to the store owner that the customer has had their PII removed, and any external CRM and stored email will need to be scrubbed to ensure full compliance.
  9. The system shall use opportunistic TLS (STARTTLS) when delivering email to external systems, falling back to plaintext SMTP only when the receiving server does not offer TLS.
  10. The system shall ensure that adequate security headers are present on all responses, including:
    1. Strict-Transport-Security (HSTS).
    2. Content-Security-Policy (CSP).
    3. X-Content-Type-Options.
    4. X-Frame-Options.
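The following is an added example for requirement 2; it is not part of this requirements document or of the system it describes. It shows what "a password-hashing function with a tunable work factor and a minimum cost" looks like in code: hashing with a random salt, constant-time verification, and a check that flags stored hashes whose cost has fallen below the current minimum so they can be upgraded at next login. Because bcrypt is not in the Python standard library, the example assumes scrypt via hashlib with N = 2**cost standing in for the bcrypt cost factor; the storage format string, the parameter names, and the constants are assumptions for illustration.

```python
# Added example (not the document's or the system's own code): password storage
# with a tunable work factor. Assumption: hashlib.scrypt with N = 2**cost is used
# in place of bcrypt, since bcrypt is not in the standard library.
import hashlib
import hmac
import secrets

MIN_COST = 15                   # log2 of the scrypt N parameter (assumed mapping of "cost 15")
SCRYPT_R, SCRYPT_P = 8, 1       # scrypt block size and parallelism (assumed)
DKLEN = 32                      # derived key length in bytes
# OpenSSL refuses scrypt above a default ~32 MiB; N=2**15, r=8 needs slightly more,
# so the memory ceiling is raised explicitly.
MAXMEM = 128 * 1024 * 1024


def hash_password(password: str, cost: int = MIN_COST) -> str:
    """Return a self-describing hash string: $scrypt$ln=..,r=..,p=..$<salt>$<digest>."""
    if cost < MIN_COST:
        raise ValueError(f"cost {cost} is below the required minimum of {MIN_COST}")
    salt = secrets.token_bytes(16)   # fresh random salt per password
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt, n=2 ** cost,
                            r=SCRYPT_R, p=SCRYPT_P, dklen=DKLEN, maxmem=MAXMEM)
    return f"$scrypt$ln={cost},r={SCRYPT_R},p={SCRYPT_P}${salt.hex()}${digest.hex()}"


def _parse(stored: str):
    """Split a stored hash string into (ln, r, p, salt, digest)."""
    _, alg, params, salt_hex, digest_hex = stored.split("$")
    if alg != "scrypt":
        raise ValueError("unsupported hash format")
    kv = dict(item.split("=") for item in params.split(","))
    return int(kv["ln"]), int(kv["r"]), int(kv["p"]), bytes.fromhex(salt_hex), bytes.fromhex(digest_hex)


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored parameters and compare in constant time."""
    ln, r, p, salt, expected = _parse(stored)
    actual = hashlib.scrypt(password.encode("utf-8"), salt=salt, n=2 ** ln,
                            r=r, p=p, dklen=len(expected), maxmem=MAXMEM)
    return hmac.compare_digest(actual, expected)


def needs_rehash(stored: str, min_cost: int = MIN_COST) -> bool:
    """True if the stored hash was produced with a cost below the current minimum."""
    ln, *_ = _parse(stored)
    return ln < min_cost
```

The cost is embedded in the stored string, so raising MIN_COST later does not invalidate existing records: verify_password still checks them with their original parameters, and needs_rehash tells the login path to re-hash the freshly verified password at the new cost.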
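The next block is an added example for requirement 4 (rules 4.1 and 4.2), not code from this document or the system it specifies. It applies both authentication rules to an order lookup: an order placed by a signed-in customer is visible only to that same account, a guest order is visible only to a requester who presents the order ID together with the checkout email address, and a lookup that fails either rule is indistinguishable from a lookup for an order that does not exist. The Order and Session records and the in-memory sample order store are constructed for illustration.

```python
# Added example (not the document's or the system's own code): authorising an
# order lookup under rules 4.1 and 4.2. The record types and the sample store
# below are assumptions constructed for illustration.
from dataclasses import dataclass
from typing import Dict, Optional
import hmac


@dataclass(frozen=True)
class Order:
    order_id: str
    customer_account: Optional[str]   # account ID for a signed-in checkout, None for a guest
    email: str                        # email address used when the order was placed


@dataclass(frozen=True)
class Session:
    account: Optional[str]            # currently signed-in account ID, or None


def normalize_email(addr: str) -> str:
    # Trim and case-fold so "Guest@Example.com" and "guest@example.com" match.
    return addr.strip().lower()


def may_view_order(order: Order, session: Session, supplied_email: Optional[str] = None) -> bool:
    if order.customer_account is not None:
        # Rule 4.1: only the same account, and only while it is signed in.
        return session.account is not None and hmac.compare_digest(
            session.account.encode(), order.customer_account.encode())
    # Rule 4.2: guest order; the order ID was already needed to fetch `order`,
    # so the remaining factor is the email address used at checkout.
    if supplied_email is None:
        return False
    return hmac.compare_digest(normalize_email(supplied_email).encode(),
                               normalize_email(order.email).encode())


def lookup_order(orders: Dict[str, Order], order_id: str, session: Session,
                 supplied_email: Optional[str] = None) -> Optional[Order]:
    order = orders.get(order_id)
    if order is None or not may_view_order(order, session, supplied_email):
        return None   # same answer for "no such order" and "not authorised"
    return order


# Constructed sample data for illustration only.
SAMPLE_ORDERS = {
    "A1": Order("A1", "acct-7", "alice@example.com"),
    "G9": Order("G9", None, "Guest@Example.com"),
}
```

Rule 4.2 rests entirely on the requester knowing two values, so the strength of this check depends on order IDs being unguessable (random, not sequential) and on the lookup endpoint being rate-limited; returning the same "not found" answer for a wrong email and for a missing order keeps the endpoint from confirming which order IDs exist.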
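The last block is an added example for requirement 10; it is not part of this document or of the system it describes. It shows the four required headers being applied uniformly by a WSGI middleware, so that no individual handler can forget them, together with an audit helper that reports which required headers a response is missing. The header values, the middleware name, and the small test application are assumptions chosen as a reasonable baseline, not values taken from the page.

```python
# Added example (not the document's or the system's own code): enforcing the
# required security headers on every response. Header values are assumptions.
REQUIRED_HEADERS = {
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains",
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "DENY",
}


class SecurityHeaders:
    """WSGI middleware: add each required header unless the app already set it."""

    def __init__(self, app, headers=REQUIRED_HEADERS):
        self.app = app
        self.headers = dict(headers)

    def __call__(self, environ, start_response):
        def wrapped_start_response(status, response_headers, exc_info=None):
            present = {name.lower() for name, _ in response_headers}
            merged = list(response_headers)
            for name, value in self.headers.items():
                if name.lower() not in present:   # header names are case-insensitive
                    merged.append((name, value))
            return start_response(status, merged, exc_info)
        return self.app(environ, wrapped_start_response)


def missing_headers(response_headers):
    """Return the required header names absent from a (name, value) list."""
    present = {name.lower() for name, _ in response_headers}
    return [name for name in REQUIRED_HEADERS if name.lower() not in present]


def run_once(app, path="/"):
    """Drive a WSGI app with a minimal constructed environ; return (status, headers, body)."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"], captured["headers"] = status, headers
        return lambda data: None

    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": path, "wsgi.url_scheme": "https"}
    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body


def hello_app(environ, start_response):
    """Minimal constructed application that sets no security headers itself."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"hello"]
```

Two practical notes: an app-supplied header wins over the middleware default so that a page can ship a stricter Content-Security-Policy without the middleware overwriting it, and Strict-Transport-Security is only honoured by browsers on responses served over HTTPS, which requirement 1 already guarantees.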