How we protect
your data.
This page describes the security practices in place today. It is maintained by Spectrum and is not an independent certification. Where a specific standard applies (e.g. PCI-DSS at our payment provider), we say so.
Encrypted in transit
All traffic to spectrum.example is served over HTTPS with modern TLS. HTTP requests are redirected to HTTPS.
PCI-DSS payments
Card payments are handled by a PCI-DSS Level 1 payment provider. We never see, transmit or store full card numbers on our systems.
Least-privilege access
Only team members who need customer data to do their job have access, gated by SSO with multi-factor authentication.
Vetted sub-processors
We use a short list of established providers for hosting, email, analytics and shipping. Each is bound by a data processing agreement.
Backups & recovery
Order and customer data is backed up daily with point-in-time recovery. Backups are encrypted at rest.
Monitoring
Application and infrastructure logs are monitored for anomalies. Suspected incidents trigger an internal response process.
Shared responsibility
You help keep your account safe by using a unique password, keeping your email account secure, and telling us quickly if you suspect unauthorised access. Spectrum staff will never ask for your password or full card number.
Report a vulnerability
If you believe you've found a security issue, please email security@spectrum.example with steps to reproduce. We ask that you avoid accessing other people's data, give us reasonable time to fix the issue before public disclosure, and don't run automated scans that could disrupt the service. We'll acknowledge within 2 working days.