Security Policy

Last updated: December 26, 2025

Security is fundamental to our operations. This policy outlines our comprehensive approach to protecting your data, inventory, and business operations.

Security Certifications

SOC 2 Type II

Independently audited for security, availability, and confidentiality controls

HIPAA Compliant

Certified for handling protected health information (PHI)

PCI DSS Level 1

Secure payment card data handling and processing

ISO 27001

International standard for information security management

Data Encryption

Encryption in Transit

  • TLS 1.3 encryption for all data transmission
  • 256-bit SSL certificates from trusted authorities
  • Perfect Forward Secrecy (PFS) enabled
  • HSTS (HTTP Strict Transport Security) enforced

Encryption at Rest

  • AES-256 encryption for all stored data
  • Encrypted database backups
  • Hardware security modules (HSM) for key management
  • Regular key rotation policies

Access Control

We implement strict access control measures to protect your data:

  • Multi-Factor Authentication (MFA): Required for all user accounts
  • Role-Based Access Control (RBAC): Granular permissions based on job function
  • Least Privilege Principle: Users only have access to data necessary for their role
  • IP Whitelisting: Available for API access and administrative functions
  • Session Management: Automatic timeout and re-authentication requirements
  • Audit Logging: All access and changes are logged and monitored

Infrastructure Security

Network Security

  • Redundant firewall protection with intrusion detection/prevention (IDS/IPS)
  • DDoS mitigation and traffic filtering
  • Network segmentation and micro-segmentation
  • VPN access for remote administration

Application Security

  • Secure software development lifecycle (SDLC)
  • Regular security code reviews and penetration testing
  • Automated vulnerability scanning
  • Web Application Firewall (WAF) protection
  • OWASP Top 10 compliance

Physical Security

  • Tier III+ data centers with redundant power and cooling
  • 24/7 on-site security personnel
  • Biometric access controls
  • Surveillance cameras and motion detection
  • Secure cage environments for servers

Monitoring and Response

24/7 Security Monitoring

Our Security Operations Center (SOC) provides round-the-clock monitoring:

  • Real-time threat detection and analysis
  • Automated alerting for suspicious activity
  • Security Information and Event Management (SIEM)
  • Log aggregation and correlation

Incident Response

We maintain a comprehensive incident response plan:

  • Dedicated incident response team available 24/7
  • Documented response procedures and escalation paths
  • Customer notification within 72 hours of confirmed breach
  • Post-incident analysis and remediation
  • Regular incident response drills and tabletop exercises

Data Backup and Recovery

We maintain robust backup and disaster recovery procedures:

  • Continuous Backups: Real-time replication to geographically distributed data centers
  • Backup Retention: 30 days of daily backups, 12 months of monthly backups
  • Encrypted Backups: All backups encrypted at rest with AES-256
  • Regular Testing: Quarterly disaster recovery drills
  • RTO/RPO: 4-hour Recovery Time Objective, 1-hour Recovery Point Objective

Employee Security

Our employees undergo rigorous security training and vetting:

  • Background checks for all employees with data access
  • Mandatory security awareness training upon hire and annually
  • Phishing simulation and social engineering testing
  • Signed confidentiality and non-disclosure agreements
  • Immediate access revocation upon termination

Third-Party Security

We carefully vet all third-party vendors and service providers:

  • Security assessments before vendor onboarding
  • Regular security audits of third-party systems
  • Data processing agreements and BAAs (Business Associate Agreements)
  • Vendor access limited to minimum required permissions
  • Annual recertification of vendor security controls

Compliance and Audits

We maintain compliance through regular audits and assessments:

  • Annual SOC 2 Type II audits by independent third parties
  • Quarterly vulnerability assessments and penetration testing
  • Continuous compliance monitoring
  • Regular policy reviews and updates
  • Audit reports available to customers under NDA

Reporting Security Issues

We take security vulnerabilities seriously. If you discover a security issue, please report it responsibly:

Security Team

Email: security@3plship.com

PGP Key: Download Public Key

We commit to acknowledging reports within 24 hours and providing updates every 48 hours until resolution.

Security Updates

This Security Policy is reviewed and updated quarterly. Material changes will be communicated to all customers via email. For questions about our security practices, contact our security team at security@3plship.com.

← Back to Home
Privacy PolicyTerms of ServiceContact Us