Security Policy

Effective Date: January 1, 2026  |  Version 1.4

1. Purpose and Scope

This Information Security Policy establishes the framework for CE CRAFT LLC (doing business as C&E / CE CRAFT) to protect business data, customer information, and third-party data accessed through platform integrations. This policy applies to all systems, devices, and data used in connection with business operations, including e-commerce platform APIs and any other third-party seller integrations.

This policy is designed to be proportionate to the scale of our operations as a sole-proprietor business while meeting the security requirements of our platform partners and applicable laws.

2. Organizational Security

Policy Governance: This policy is reviewed and updated at least annually, or whenever there is a material change to business operations, technology infrastructure, or regulatory requirements.

3. Data Classification

All data handled by CE CRAFT LLC is classified according to sensitivity:

3.1 Confidential

  • API keys, application secrets, and OAuth access/refresh tokens
  • Customer personally identifiable information (PII): buyer names, email addresses, shipping addresses
  • Financial data: settlement amounts, transaction records, payment status

3.2 Internal

  • Order history, product catalog, and pricing data
  • Inventory levels and logistics/shipping information
  • Business analytics, dashboards, and internal reports

3.3 Public

  • Published product listings and descriptions
  • Company name, website, and publicly available contact information

4. Access Control Policy

Access to systems and data is restricted on a need-to-know basis, consistent with the principle of least privilege.

  • Only C&E Admins have access to business systems, databases, and API credentials
  • No employees, contractors, or third parties are granted access to any sensitive systems or data
  • All devices are protected with strong passwords (minimum 8 characters, mixed complexity) and biometric authentication where supported
  • Two-factor authentication (2FA) is enabled on all accounts that support it, including seller platform accounts, email, and cloud accounts
  • A password manager is used to generate and store unique, complex passwords for each service
  • API credentials are stored in local environment variable files excluded from version control
  • OAuth tokens are stored in a secured local directory with restricted file system permissions (owner-read-only)
  • Access credentials and active API tokens are audited at least annually to verify they remain necessary and uncompromised
  • Access is immediately revoked for any credentials suspected of being compromised

5. Encryption and Data Protection

5.1 Data at Rest

  • All personal data is encrypted at rest using macOS FileVault full-disk encryption, which employs AES-256 in XTS mode
  • The local database containing customer and order data resides on the encrypted volume
  • Backup copies, if created, are also stored on encrypted local storage

5.2 Data in Transit

  • All communication with third-party platform APIs is conducted over HTTPS with TLS 1.2 or above
  • API request signatures use HMAC-SHA256 to verify request integrity and authenticity
  • No data is transmitted over unencrypted channels at any time

5.3 Credential Security

  • API secrets and tokens are never stored in source code, version control, or shared documents
  • Environment variable files containing credentials have restricted file permissions
  • Credentials are rotated immediately if a compromise is suspected

6. Data Storage and Processing

  • Marketplace platform data is stored locally on a personal computer in a local database
  • No data is transmitted to, processed by, or stored on external servers, cloud platforms, or third-party services
  • No customer data is shared with, sold to, or made accessible to any third parties
  • Data processing is limited to generating internal business analytics (sales reports, inventory tracking, revenue dashboards)
  • All data is stored and processed exclusively within the United States

7. Data Retention and Deletion

  • Personal data accessed through platform APIs is used solely for authorized seller purposes: order fulfillment, inventory management, business analytics, and customer service
  • Personal data is never used for marketing, advertising, profiling, resale, or any unauthorized purpose
  • Data is retained only as long as necessary for business operations and to comply with tax and legal record-keeping requirements
  • Upon discontinuation of any platform integration or termination of a seller partnership, all personal data obtained through that platform's API will be permanently and irreversibly deleted from all local storage, including the database and any backup copies
  • OAuth tokens are revoked and deleted immediately when no longer needed
  • Customers may request deletion of their personal data by contacting support@cecandle.com

8. Network Security

Appropriate network security controls are maintained to protect against unauthorized access:

  • Networks use WPA3/WPA2 encryption with a strong, unique password
  • Firewalls are enabled and configured to block all unauthorized incoming connections
  • Sensitive business systems, API credentials, and customer data are not accessed on public or unsecured Wi-Fi networks
  • All API traffic is internal use only over HTTPS/TLS — no inbound connections or publicly exposed ports are required
  • Router firmware is kept up to date with security patches
  • Network activity is monitored periodically for unusual behavior

9. Endpoint Protection

All devices used to access platform data are protected with:

  • XProtect real-time malware detection, Gatekeeper app verification, and Malware Removal Tool
  • System Integrity Protection (SIP) enabled to prevent unauthorized modifications to system files
  • Automatic security updates enabled to ensure timely patching of known vulnerabilities
  • Regular security scans to detect malware, adware, and other threats

10. Software and Patch Management

  • Operating system and all software are kept up to date with the latest security patches
  • Application dependencies are periodically reviewed for known vulnerabilities using dependency audit tools
  • Only trusted, verified software from known sources is installed
  • Regular backups of critical business data are maintained on encrypted storage

11. Physical and Device Security

11.1 Device Controls

  • Automatic screen lock activates after 5 minutes of inactivity
  • Password or biometric authentication is required to unlock all devices
  • Remote location and remote wipe capability is enabled on storage and access devices
  • Physical access to business devices is restricted

11.2 Media Disposal

  • When devices are retired or repurposed, all data is securely erased using a full disk wipe
  • External storage media containing business data is encrypted and securely destroyed when no longer needed

12. Vulnerability Management

  • System security posture is reviewed annually, including checking for outdated software dependencies
  • Application dependencies are audited for known vulnerabilities
  • Encryption and authentication mechanisms are verified to remain current and compliant with platform requirements
  • Any identified vulnerabilities are remediated promptly, with critical issues addressed within 24 hours

13. Incident Response and Breach Notification

In the event of a suspected or confirmed security incident or data breach, the following structured response plan is followed:

13.1 Detection and Containment (Within 24 Hours)

  • Immediately revoke all API access tokens and rotate all credentials
  • Isolate affected systems to prevent further unauthorized access
  • Assess the scope, severity, and root cause of the incident
  • Begin documenting the incident with timeline, affected data, and initial findings

13.2 Notification (Within 28 Hours)

  • Platform Partners: Notify affected platform partners through their partner or seller portals, providing details of the breach including what data was affected, the timeframe of exposure, and remediation steps taken
  • Affected Individuals: If customer PII was compromised, notify affected buyers with a description of what data was exposed and recommended protective steps*
  • Regulatory Authorities: Notify applicable state or federal authorities as required by law within the mandated timeframe
  • Law Enforcement: Contact law enforcement if the breach involves criminal activity

  *Attempts to inform will begin immediately; the actual timeline may vary based on the incident.

13.3 Remediation and Post-Incident Review

  • Implement corrective measures to address the root cause and prevent recurrence
  • Prepare a written incident report documenting the breach, response actions, notifications, and lessons learned
  • Update security policies and procedures based on findings
  • Retain all breach-related records for a minimum of three years

14. Business Continuity and Disaster Recovery

As a sole-operator business with locally stored data, the following continuity measures are in place:

Key Assets: Local database, API credentials, application source code

Recovery Time Objective (RTO): Under 24 hours

Recovery Point Objective (RPO): Minimal data loss — platform partners retain source data on their servers, allowing a full re-sync at any time

  • Regular backups of configuration files and the local database are maintained on encrypted external storage
  • Application source code is stored in version control, allowing rapid redeployment
  • Recovery procedures are tested annually

15. Personal Data Handling

A separate, published Privacy Policy (available at cecandle.com) governs the collection, use, storage, sharing, and deletion of personal data. Key principles include:

  • Only data necessary for business operations is accessed through platform APIs
  • Personal data is never sold, shared with third parties, or used for unauthorized purposes
  • Customers may exercise their data rights (access, correction, deletion) by contacting support@cecandle.com
  • Data handling practices comply with applicable US state privacy laws

16. Policy Review and Compliance

  • This policy is reviewed and updated at least annually
  • Reviews are also triggered by material changes in business operations, technology, regulatory requirements, or partner platform policies
  • Incident response and recovery procedures are tested at least once per year
  • The next scheduled review is Q4 2026


Version History

Version  Date        Changes
1.0      Jan 2025    Initial policy published
1.1      Apr 2025    Added third-party marketplace platform data handling provisions
1.2      Jul 2025    Added CCPA/US state privacy rights references, updated data retention
1.3      Oct 2025    Added incident response and breach notification procedures
1.4      1 Jan 2026  Annual review; updated encryption standards, business continuity, and vulnerability management*

  *Notification timeline improved to 24 hours or less.