Security & Trust · Maintained by the Spectrum team

How we protect
your data.

This page describes the security practices in place today. It is maintained by Spectrum and is not an independent certification. Where a specific standard applies (e.g. PCI-DSS at our payment provider), we say so.

Control

Encrypted in transit

All traffic to spectrum.example is served over HTTPS with modern TLS. HTTP requests are redirected to HTTPS.

Control

PCI-DSS payments

Card payments are handled by a PCI-DSS Level 1 payment provider. We never see, transmit or store full card numbers on our systems.

Control

Least-privilege access

Only team members who need customer data to do their job have access, gated by SSO with multi-factor authentication.

Control

Vetted sub-processors

We use a short list of established providers for hosting, email, analytics and shipping. Each is bound by a data processing agreement.

Control

Backups & recovery

Order and customer data is backed up daily with point-in-time recovery. Backups are encrypted at rest.

Control

Monitoring

Application and infrastructure logs are monitored for anomalies. Suspected incidents trigger an internal response process.

Shared responsibility

You help keep your account safe by using a unique password, keeping your email account secure, and telling us quickly if you suspect unauthorised access. Spectrum staff will never ask for your password or full card number.

Responsible disclosure

Report a vulnerability

If you believe you've found a security issue, please email security@spectrum.example with steps to reproduce. We ask that you avoid accessing other people's data, give us reasonable time to fix the issue before public disclosure, and don't run automated scans that could disrupt the service. We'll acknowledge within 2 working days.