Compliance Center

  • Introduction
  • SHOPLINE - Shared Responsibility Model
  • Data Processing Addendum
  • PCI
  • CBPR
  • ISO

Introduction

SHOPLINE is committed to providing users with safer services and improved compliance capabilities. The Compliance Center will introduce the responsibilities and obligations between SHOPLINE, customers, suppliers, and partners separately. In order to enable customers and the market to better understand SHOPLINE's compliance practices, we will gradually disclose SHOPLINE's compliance practices and service capabilities through third-party audit reports, based on the best practices in the industry. The success of our customers is SHOPLINE's best achievement, so please give us timely feedback on your compliance requirements, and we will continue to improve.

SHOPLINE - Shared Responsibility Model

When you (hereinafter referred to as “you” or “merchant”) use SHOPLINE’s (hereinafter referred to as “we” or “SHOPLINE”) software-as-a-service platform (hereinafter referred to as the “Platform”), it is important to understand the shared responsibility model and which security tasks are handled by SHOPLINE and which tasks are handled by you.

Security and compliance are the shared responsibilities between SHOPLINE and the merchant. As shown in the shared responsibility chart below, SHOPLINE is responsible for the security of the Platform itself and the associated infrastructures (including software, networking, services and physical facilities) used to provide the Platform to merchants. At the same time, the merchant is responsible for how it configures the platform, the security of the data stored on the Platform and the security of the user accounts, devices and third-party software or applications used to access the Platform.

We elaborate on each of SHOPLINE and the merchant’s security responsibilities further below.

[Chart: SHOPLINE - Shared Responsibility Model]

SHOPLINE’s Security Responsibilities

As mentioned above, SHOPLINE is responsible for the security of the Platform itself and the associated infrastructures (including software, networking, services and physical facilities) used to provide the Platform to merchants.

Merchant’s Security Responsibilities

The merchant is responsible for how it configures the platform, the security of the data stored on the Platform and the security of the user accounts, devices and third-party software or applications used to access the Platform. We elaborate on this further below.

Security of data stored on the Platform

The merchant is solely responsible for managing the information and data stored within its account in accordance with all applicable laws and regulations and SHOPLINE’s Terms of Services. This includes taking steps to ensure that its password for accessing the Platform is kept safe from any inadvertent and unauthorised disclosure, and backing up data regularly.

Security configuration and management tasks

As the merchant is responsible for deploying its online store (hereinafter referred to as the “Merchant Store”) on the Platform, it is also responsible for the security configuration and management tasks related to such deployment. The merchant is responsible for the management of the Merchant Store (including access control and log review), any third-party application software or utilities installed by the merchant on the Platform (hereinafter referred to as “Third-Party Plugins”) and the security configuration of such Third-Party Plugins.

Abstracted services

The merchant is responsible for the management of abstracted services such as Mailchimp and SmartPush. SHOPLINE does not assume any responsibility for the merchant’s use of these abstracted services, so it is critical for the merchant to understand how security responsibilities are shared between the merchant and the abstracted service provider, as well as what merchant data the abstracted service provider shares with third parties. The merchant is solely responsible for managing the data (including end consumer data) that the abstracted service provider can access, classifying the assets that the abstracted service provider can access, and applying the appropriate permissions for such data and assets.

IT security controls

Just as the responsibility to operate the IT environment is shared between SHOPLINE and the merchant, the responsibility to implement the appropriate IT security controls is similarly shared between SHOPLINE and the merchant. SHOPLINE is responsible for implementing controls for the infrastructure (including software, networking, services and physical facilities) used to provide the Platform, but the merchant is responsible for implementing controls related to its use of the Platform, including the storage of data on the Platform. Below are examples of controls that are managed by SHOPLINE, the merchant and/or both.

Inherited controls – controls which the merchant fully inherits from SHOPLINE. Examples include:

  • Physical and environmental controls
  • Patch management

Shared controls - controls that are managed by both SHOPLINE and the merchant. In a shared control, SHOPLINE is responsible for implementing controls for the infrastructure (including software, networking, services and physical facilities) used to provide the Platform, but the merchant is responsible for implementing controls related to its use of the Platform, including the storage of data on the Platform. Examples include:

  • Configuration management – SHOPLINE maintains the configuration of the Platform’s infrastructure devices, operating system, databases and applications. The merchant is responsible for configuring the Merchant Store, Third-Party Plugins and abstracted services.
  • Awareness and training – each of SHOPLINE and the merchant is responsible for training their own employees in connection with the use of the Platform.

Merchant controls - controls that are solely the responsibility of the merchant.

Data Processing Addendum

Overview

SHOPLINE aims to provide merchants with a “Software as a Service” platform (hereinafter referred to as “SHOPLINE” or the “Platform”) with all-in-one solutions for website building, leads generation, payments, logistics and other e-commerce related services.

When you visit our websites and use the Platform, we may collect and use personal information about you (including your employees and/or persons who act on your behalf). We may also collect and use personal information from your customers on your behalf under your entrustment if they visit or purchase on a SHOPLINE-powered store. We are fully aware of the importance of personal information to you and your customers (collectively the “Personal Data Subjects”) and we are committed to ensuring the integrity and security of the Platform.

Please review our Privacy Policy that applies to everyone whose information we process. The Privacy Policy will help you better understand how we collect, use, and share your personal information. We may update the terms of the Privacy Policy from time to time, and such updates shall form part of the Privacy Policy. In the event of significant or material changes, we will notify you in a prominent manner as appropriate.

SHOPLINE Data Processing Addendum

The applicable SHOPLINE Contracting Party (hereinafter referred to as “SHOPLINE”, “we” or “us”) aims to provide its customer (hereinafter referred to as “you”) a “Software as a Service” platform (hereinafter referred to as “SHOPLINE Platform”) with all-in-one solutions for website building, leads generation, payments, logistics and other e-commerce related services.

This Addendum (“Addendum”) shall become legally binding between yourself and SHOPLINE, and shall supplement our Terms and Conditions, Privacy Policy and any and all agreements we have with you governing our Services (collectively, the “Agreement”).

  1. Definitions

    Terms not defined herein have the meanings set forth in the Agreement. The following words in this Addendum have the following meanings:
    1) “Controller” means an entity which, alone or jointly with others, determines the purposes and means of the Processing of the Personal Data.
    2) “Data Protection Laws” means all data protection or privacy laws, rules, regulations and guidelines applicable to the Processing of Personal Data under the Agreement, including but not limited to (i) the California Consumer Privacy Act (CCPA), (ii) General Data Protection Regulation 2016/679 (EU GDPR), (iii) Singapore’s Personal Data Protection Act 2012 (PDPA), (iv) UK GDPR or Data Protection Act 2018, and any legislation and/or regulation implementing or made pursuant to it, or which amends or replaces any of it, and any other applicable legislation.
    3) “Data Subject Request” as used in this Addendum means a request for access, erasure, rectification, or portability of Personal Data (where the relevant individual has rights to make such requests under the applicable Data Protection Laws).
    4) “Parties” means the parties to the Agreement.
    5) “Personal Data” means any information relating to an identified or identifiable natural person, and any information categorized as personal data under applicable Data Protection Laws, which is Processed on the SHOPLINE Platform in the performance of the Agreement.
    6) “Personal Data Breach” means a breach of security leading to the accidental, unauthorised or unlawful destruction, loss, alteration, disclosure, use, copying, modification, disposal of, or access to, Personal Data Processed under this Addendum.
    7) “Processing” means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction; and “Process” and “Processed” shall be construed accordingly;
    8) “Processor” means an entity which Processes the Personal Data on behalf of the Controller.
    9) “Sub-processor” means any processor engaged by Processor to Process Personal Data on behalf of Controller.

  2. Processing of Personal Data

    1) The Parties agree that you shall be the Controller of your Personal Data, and SHOPLINE shall be the Processor of your Personal Data. In some cases, SHOPLINE may engage Sub-processors to process your Personal Data in accordance with Clause 6 below. For the avoidance of doubt, SHOPLINE shall never be considered a Controller of your Personal Data at any time.
    2) SHOPLINE will Process your Personal Data in accordance with your documented instructions (which may be provided to us using the SHOPLINE Platform), this Addendum and the applicable Data Protection Laws. You agree that this Addendum, the Agreement and any subsequent statements of work or service orders, and any configurations by you and your authorized users, comprise your complete instructions to SHOPLINE regarding the Processing of Personal Data. Any additional or alternate instructions must be agreed between the Parties in writing, including the costs (if any) associated with complying with such instructions.
    3) You represent and warrant that:
    i. you shall comply with the applicable laws, including Data Protection Laws, at all times;
    ii. you shall obtain all rights, permissions or consents from the data subjects, to which your Personal Data relate, that are necessary for your and SHOPLINE’s lawful use of such Personal Data before Processing such Personal Data, disclosing or transferring the Personal Data to SHOPLINE through the SHOPLINE Platform and providing SHOPLINE with instructions to Process your Personal Data;
    iii. your Processing of Personal Data in relation to the Agreement or receiving the Services under the Agreement shall not violate any applicable laws (including Data Protection Laws), or the rights of any party;
    iv. any and all Processing of Personal Data that SHOPLINE carries out pursuant to your instructions with your Personal Data shall not cause SHOPLINE to violate any applicable laws (including Data Protection Laws), or the rights of any party;
    v. you shall make reasonable effort to ensure that the Personal Data is accurate and complete before providing the same to SHOPLINE, and shall put in place adequate measures to ensure that the Personal Data in the SHOPLINE Platform or otherwise in our possession remains accurate and complete;
    vi. you are the Controller of your Personal Data;
    vii. you shall indemnify SHOPLINE and its officers, employees, and agents, against all losses, liabilities, damages, costs (including all legal costs), claims, charges, expenses, actions, demands and proceedings which may be suffered or incurred by or made against SHOPLINE as a result of your breach of any representation or warranty in this Addendum, or any of your acts, omissions or negligence that cause or result in SHOPLINE being in breach of the applicable law, including Data Protection Laws.
    4) SHOPLINE shall not be responsible for determining if your instructions are compliant with applicable laws, including any applicable Data Protection Laws. However, where SHOPLINE is of the opinion that your instructions may not be compliant with applicable Data Protection Laws, SHOPLINE shall notify you as soon as reasonably practicable and shall be entitled to mitigate its risk by not being required to comply with such non-compliant instructions; SHOPLINE shall not be liable or deemed to be in default or breach of the Agreement as a result of exercising its rights to mitigate its risk under this Clause.
    5) You acknowledge and agree that you have the sole responsibility of complying with Data Protection Laws regarding the lawfulness of the collection and Processing of your Personal Data prior to disclosing, transferring, or otherwise making available, any Personal Data to SHOPLINE and that your instructions to SHOPLINE in respect of any Processing of such Personal Data are compliant with applicable laws, including any applicable Data Protection Laws. SHOPLINE shall notify you promptly, to the extent permitted by law, upon receiving an inquiry or complaint from a supervisory authority relating to SHOPLINE’s Processing of your Personal Data.

  3. Security and Confidentiality

    1) SHOPLINE shall protect your Personal Data in SHOPLINE’s possession by implementing reasonable security measures (including, where appropriate, physical, administrative, procedural and information & communications technology measures) designed to help:
    i. prevent unauthorised access, collection, use, disclosure, copying, modification, or disposal, of your Personal Data, or similar risks; and
    ii. prevent the loss of any storage medium or device on which Personal Data is stored.
    2) For the purposes of this Addendum, the Parties acknowledge and agree that the arrangements set out in the Agreement are “reasonable security arrangements” sufficient and adequate to satisfy applicable Data Protection Laws and you shall not claim that reasonable security arrangements have not been put in place provided that SHOPLINE meets the requirements set out in the Agreement.
    3) You acknowledge and accept the risk of transferring data via the Internet, and that no data transmission over the Internet can be guaranteed to be 100% secure. Data transmissions may be vulnerable to hacking or any other form of cybercrime committed against SHOPLINE. Consequently, SHOPLINE cannot guarantee or warrant the security of any information you transmit to us, and SHOPLINE hereby disclaims any and all liability resulting from or related to such events outside of SHOPLINE’s reasonable control. In no event shall SHOPLINE be liable for any damages (whether in contract or in tort) suffered by you that are attributable to such events.

  4. Personal Data Breach

    Where SHOPLINE has reason to believe that a data breach has occurred in relation to your Personal Data that SHOPLINE is Processing on your behalf, we shall, without undue delay, notify you of the occurrence of the data breach.

  5. Cooperation

    1) To the extent lawfully required or permitted, SHOPLINE will promptly notify you if SHOPLINE directly receives a Data Subject Request to exercise their rights under any applicable Data Protection Laws. Subject to the applicable laws, SHOPLINE will implement reasonable technical and organizational measures to enable you to execute Data Subject Requests that you are obligated to fulfill.
    2) To the extent required by applicable Data Protection Laws, SHOPLINE will provide reasonable assistance to you to carry out any data protection impact assessment in relation to the Processing of Personal Data undertaken by SHOPLINE and/or any required prior consultation(s) with supervisory authorities. SHOPLINE reserves the right to charge you a reasonable fee for the provision of such assistance.

  6. Sub-Processing

    You agree that SHOPLINE may use Sub-processors to fulfill its contractual obligations under the Agreement and this Addendum, or to provide certain Services on its behalf, such as providing support services. SHOPLINE’s use of any specific Sub-processor to Process the Personal Data shall be in compliance with Data Protection Laws and shall be governed by a contract between SHOPLINE and the Sub-processor that contains data protection obligations that provide at least the same level of protection for the Personal Data as the obligations in this Addendum.

  7. International Transfer

    1) Subject to this Clause 7, you acknowledge that SHOPLINE may make international transfers of Personal Data to places where SHOPLINE, its affiliates or its Sub-processors maintain data processing operations or facilities.
    Singapore
    2) Where the PDPA is applicable, SHOPLINE shall not transfer Personal Data to a place outside Singapore unless it has taken appropriate steps to ensure that the recipient is bound by legally enforceable obligations to provide the Personal Data a standard of protection that is at least comparable to the protection under the PDPA, or it is able to rely on an exception under the PDPA.

  8. Deletion of Personal Data

    1) Upon termination of the Services (for any reason) (and subject to any grace period during which we may continue to Process the data to allow you to download a copy of your data), SHOPLINE will cease to Process your Personal Data and shall delete or anonymize your Personal Data, subject to and in accordance with the applicable laws and regulations (including any applicable laws and regulations which require SHOPLINE to retain a copy of your Personal Data for record-keeping, compliance and legal purposes). The Parties agree to adhere to the data deletion mechanism as set out in the Agreement.
    2) SHOPLINE shall not retain Personal Data or documents containing Personal Data for any period of time longer than is necessary to serve the purposes for which that Personal Data was collected or for legal or business purposes. You acknowledge that SHOPLINE relies on you to provide lawful instructions on the retention of Personal Data and you acknowledge and agree that Clauses 2(3) and 2(4) of this Addendum apply equally to the retention of any Personal Data.

  9. Severability

    If any provision of this Addendum is held to be prohibited by, invalid or unenforceable under any applicable law, such provision shall be ineffective only to the extent of such prohibition, invalidity, or unenforceability, without affecting the remainder of this Addendum (which shall remain in full force). The Parties shall make a good faith effort to replace the invalid or unenforceable provision with a valid one that conforms as much as possible to the original intent of the Parties.

  10. General Provisions

    1) Save as specifically modified and amended in this Addendum, all of the terms, provisions and requirements contained in the Agreement shall remain in full force and effect and govern this Addendum. In the event of any conflict or inconsistency between the provisions of the Agreement and this Addendum, the provisions of this Addendum shall prevail. For avoidance of doubt and to the extent allowed by applicable law, any and all liability under this Addendum, including limitations thereof, will be governed by the relevant provisions of the Agreement.
    2) SHOPLINE may update the terms of this Addendum from time to time, and such update shall form part of this Addendum. If you do not agree with the updated Addendum, you may stop using our Services or terminate your SHOPLINE account. However, please note that this Addendum shall still apply to you until you effectively terminate your SHOPLINE account or cease using our Services.

PCI

What is PCI-DSS Compliance?

The PCI DSS (Payment Card Industry Data Security Standard) is an information security standard for organizations or companies that accept or handle credit card payments.

This standard helps to create a secure environment and develop a robust payment card data security process, to better control cardholder data – including prevention, detection and appropriate reaction to security incidents, thus reducing credit card fraud.

Is SHOPLINE PAYMENT PCI compliant?

Yes, SHOPLINE PAYMENT is Payment Card Industry Data Security Standards (PCI DSS) compliant and is accredited as a Level 1 Service Provider.

Both SHOPLINE PAYMENT’s payment processors and SHOPLINE PAYMENT are PCI compliant.

What data is stored on SHOPLINE PAYMENT?

SHOPLINE PAYMENT stores the data entered in the merchant’s checkout fields, such as name, address, country, and so on. This data is separate from the billing field data, such as the card number, cardholder name and card expiration date.

I have other questions about PCI-DSS.

For SHOPLINE PAYMENT’s service provider PCI DSS Attestation of Compliance (AOC*), please contact your Merchant Success.

*The AOC is a form for SHOPLINE PAYMENT to attest to the results of its annual PCI DSS compliance assessment, and it is a highly confidential and privileged document.

For more information about PCI compliance, please click here.

SHOPLINE PCI DSS

CBPR

The Cross-Border Privacy Rules (CBPR) system, initiated by the Asia-Pacific Economic Cooperation (APEC), is designed to facilitate secure and efficient cross-border data flows among member economies while ensuring robust data protection. This system is grounded in the APEC Privacy Framework and requires participating businesses to comply with a comprehensive set of data protection standards that align with this framework.

These standards cover essential aspects of data privacy, including protection, accountability, transparency, and choice for individuals. The CBPR system not only bolsters consumer privacy but also aids in regional economic integration by enabling secure data transfers in compliance with established privacy norms. Certified companies are assessed by APEC-approved Accountability Agents, who verify adherence to CBPR's privacy practices.

As of now, several APEC member economies have joined the CBPR system, including the United States, Japan, Canada, South Korea, Singapore, Australia, Chinese Taipei, the Philippines, and Mexico. The inclusion of these members reflects the growing importance and recognition of CBPR as a standard for privacy practices in the Asia-Pacific. For businesses operating across these economies, CBPR certification represents a commitment to safeguarding personal information in the global digital economy.

To comply with cross-border data regulations and better serve markets in various countries from its Singapore base, SHOPLINE has applied for and obtained CBPR certification, adhering to the cross-border data requirements of the participating economies.

SHOPLINE CBPR

ISO/IEC 27001:2022

ISO/IEC 27001:2022 is a globally recognized security standard that sets out the requirements for establishing, implementing, maintaining and continually improving an information security management system (ISMS) in an organization. It offers a structured, risk-based approach to safeguarding company and customer data, built on regular risk assessments and the selection of controls to treat the identified risks. The 2022 version of the standard was released in October 2022 by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) through their joint technical committee (ISO/IEC JTC 1/SC 27). The standard has been widely adopted worldwide to ensure the confidentiality, integrity, and availability of sensitive information.

SHOPLINE ISO/IEC 27001:2022