Effective Date: June 18, 2025
Last Updated: June 18, 2025
At Extanto Technology, LLC, accessible from https://extanto.com, we are deeply committed to protecting the confidentiality, integrity, and availability of our website, customer data, and all information assets. This Information Security Policy outlines our comprehensive approach to maintaining a secure online environment, specifically detailing our use of WP Engine’s e-commerce startup plan, the Wordfence Community security plugin, and the SkyVerge Authorize.net plugin with Accept.js for payment processing.
- Purpose
The purpose of this policy is to:
- Establish clear guidelines for the secure operation of our WordPress e-commerce website.
- Safeguard our website and all sensitive customer data from unauthorized access, use, disclosure, disruption, modification, or destruction.
- Ensure our security practices align with applicable laws, regulations, and industry best practices, including requirements related to PCI DSS.
- Provide transparency to our users about our robust security measures.
- Scope
This policy applies to all information systems, data, and users associated with https://extanto.com, including but not limited to:
- Our WordPress website, its database, and all installed plugins and themes.
- All customer data collected, processed, and stored (e.g., customer account information, order details).
- Payment card data as it is handled by our payment gateway integration.
- All individuals who access, manage, or interact with our website, including employees, contractors, and third-party vendors.
- Security Objectives
We are dedicated to achieving the following core security objectives:
- Confidentiality: Ensuring that information is accessible only to those authorized to have access, preventing unauthorized disclosure.
- Integrity: Maintaining the accuracy, completeness, and validity of information and processing methods, preventing unauthorized modification.
- Availability: Ensuring that authorized users have reliable and timely access to information and associated assets when required, preventing unauthorized disruption.
- Roles and Responsibilities
- Extanto Technology, LLC Management: Responsible for approving this policy, allocating necessary resources for its implementation, and overseeing our overall security posture.
- Website Administrator/Owner: Responsible for the day-to-day implementation, monitoring, and enforcement of security controls, including managing WordPress, plugin/theme updates, and security configurations. This role is also responsible for incident response coordination.
- Third-Party Service Providers: Responsible for the security of their respective platforms and services as outlined in their agreements and PCI DSS compliance attestations.
- Users: All users of https://extanto.com are expected to adhere to secure practices, including using strong, unique passwords and promptly reporting any suspicious activity or security concerns to security@extanto.com.
- Security Controls
At Extanto Technology, LLC, we implement a comprehensive and multi-layered approach to security, integrating robust controls across our website’s infrastructure, application, and operational processes. Our security measures are designed to protect against unauthorized access, disclosure, alteration, and destruction of information assets.
- Managed Hosting and Infrastructure Security
Our website benefits from a secure, specialized managed hosting environment that provides foundational security measures:
- Robust Server Infrastructure: Our hosting provider maintains a highly secure server environment, including network firewalls, sophisticated distributed denial-of-service (DDoS) protection, and a commitment to applying timely security patches and updates at the server level.
- Automated Data Backups: Regular, automated backups of our entire website, including its files and database, are performed. This ensures rapid data recovery capabilities in the event of an unforeseen incident or data loss.
- Secure Development & Deployment Practices: We utilize dedicated, isolated environments for thoroughly testing all website core updates, theme changes, and plugin installations before they are deployed to our live production site. This systematic approach minimizes the risk of introducing vulnerabilities or disruptions.
- Encrypted Communications (SSL/TLS): All data transmitted between our website and users’ browsers is protected with industry-standard SSL/TLS encryption. This ensures that sensitive information, such as login credentials and payment details, remains confidential and protected from interception during transit.
- Proactive System Monitoring: Our infrastructure incorporates continuous monitoring systems designed to proactively identify and mitigate potential security threats at the network and server levels.
- Website Software Security
We maintain the security and integrity of our website’s application layer through diligent software management and user access controls:
- Consistent Software Patching and Updates: We commit to regularly updating our website’s core software platform, themes, and all installed extensions to their latest stable versions. This ensures that we benefit from the most recent security patches and vulnerability fixes.
- Vetted Software Sources: We exclusively integrate website components (themes and plugins/extensions) from reputable developers and validated sources to minimize the risk of malicious code or known vulnerabilities.
- Minimalist Software Footprint: We adhere to a principle of installing only essential software components, thereby reducing the potential attack surface and improving overall security posture.
- Strong Access Controls and Authentication: All administrative and privileged user accounts for our website are secured with strong, unique passwords. Multi-factor authentication (MFA) is enforced for all such accounts to provide an additional layer of security against unauthorized access.
- Principle of Least Privilege: User access to website functionalities and sensitive data is strictly managed based on the principle of least privilege. This ensures that individuals are granted only the minimum necessary permissions required for their specific roles and responsibilities.
- Application-Level Threat Protection
We employ dedicated security measures directly at the website application level to defend against common online threats:
- Web Application Firewall (WAF): We utilize a web application firewall (WAF) that actively monitors, filters, and blocks malicious traffic. This provides protection against common web attacks, including brute force login attempts, SQL injection, and cross-site scripting (XSS) vulnerabilities.
- Regular Malware and Vulnerability Scanning: Our systems regularly scan our website’s files, database, and installed components for the presence of malware, malicious code injections, backdoors, and known security vulnerabilities.
- Enhanced Login Security Features: Beyond standard access controls, we implement additional features such as automatic lockout mechanisms for excessive failed login attempts and further strong password enforcement rules to deter automated attacks.
- Dynamic Threat Intelligence: Our security tools benefit from regularly updated threat intelligence to help protect our site against emerging and evolving online threats in real-time.
- Secure Payment Processing and PCI DSS Compliance
We uphold the highest standards for the security of all financial transactions, particularly concerning payment card data:
- Secure Payment Gateway Integration: We utilize a PCI DSS compliant third-party payment gateway for all payment card transactions. Sensitive payment card data is captured directly by the payment gateway using secure client-side technologies (e.g., client-side encryption and tokenization). This means that raw credit card numbers and sensitive authentication data are never touched, processed by, or reside on our servers.
- Reduced PCI DSS Scope: This advanced integration method significantly reduces our Payment Card Industry Data Security Standard (PCI DSS) compliance obligations. It aligns our practices with the requirements for the Self-Assessment Questionnaire (SAQ) A-EP, reflecting a minimized risk profile for cardholder data handling.
- Data Minimization for Cardholder Data: Our systems are designed to minimize the storage of sensitive cardholder data on our environment, as this critical information is handled off-site by our payment processor. We only retain transaction tokens or non-sensitive payment confirmations necessary for order management.
- Trusted Processor Compliance: Our chosen payment gateway is a PCI DSS Level 1 Service Provider. This signifies that they undergo rigorous annual audits and maintain the highest level of security and compliance for handling payment card data on their systems.
- Encrypted Checkout Process: All payment forms and checkout pages are served securely over HTTPS, ensuring that all data exchanged between the user’s browser and the payment gateway is encrypted using robust SSL/TLS protocols.
- Annual PCI DSS Validation: We complete the required PCI DSS Self-Assessment Questionnaire (SAQ A-EP) annually through our chosen Qualified Security Assessor (QSA) or compliance partner to formally validate our adherence to applicable PCI DSS requirements.
- Data Security and Privacy
- Data Minimization: We only collect and retain customer data that is strictly necessary for fulfilling orders, providing customer service, and operating our e-commerce business.
- Privacy Policy: A comprehensive Privacy Policy is maintained and publicly available on our website, detailing our data collection, use, storage, and sharing practices in compliance with relevant data protection regulations (e.g., GDPR, CCPA, etc., as applicable).
- Access Control: Access to customer data and administrative areas of the website is restricted to authorized personnel based on the principle of least privilege.
- Employee and Contractor Awareness
All personnel with access to our website’s back end, customer data, or payment processing systems are trained on this Information Security Policy and are required to adhere to secure practices, including:
- Using strong, unique passwords and 2FA for all accounts.
- Exercising caution with suspicious emails and avoiding phishing attempts.
- Understanding and following secure remote access protocols.
- Reporting any observed or suspected security vulnerabilities or incidents immediately.
- Compliance
- PCI DSS (SAQ A-EP): By leveraging Accept.js, we adhere to the requirements of the PCI Data Security Standard for merchants whose e-commerce website does not directly receive or store cardholder data but facilitates the redirect or iframe for data entry.
- General Data Protection Regulation (GDPR): As applicable to our business, we are committed to complying with the GDPR (Regulation (EU) 2016/679) regarding the processing of personal data from individuals within the European Economic Area (EEA) and the UK. Our GDPR compliance efforts include:
- Lawful Basis: Processing personal data based on a defined lawful basis (e.g., consent, contractual necessity, legitimate interests).
- Data Subject Rights: Facilitating the exercise of data subject rights, including the right to access, rectification, erasure, restriction of processing, data portability, and objection.
- Data Processing Agreements (DPAs): Entering into appropriate Data Processing Agreements with our third-party service providers (e.g., WP Engine, Authorize.net) to ensure their compliance with data protection laws.
- Privacy by Design and Default: Implementing data protection principles into the design and operation of our website and services.
- Data Breach Notification: Maintaining procedures for promptly detecting, reporting, and investigating personal data breaches to supervisory authorities and affected data subjects as required.
- Consent Management: Where consent is the lawful basis, implementing mechanisms for obtaining, managing, and withdrawing user consent for data processing (e.g., for cookies, marketing communications).
- Policy Review and Updates
This Information Security Policy is a living document and will be reviewed at least annually, or more frequently as necessitated by changes in our business operations, technology, security threats, or regulatory requirements. Any significant updates will be communicated.
- Contact Information
If you have any questions or concerns regarding this Information Security Policy, please contact us at:
security@extanto.com