When transitioning to the new Ecommerce engine, you will not need to inform your learners of any changes with regard to their data usage or protections. However, we know questions still come up around Information Security and Data Controls when moving to a new process. We've put together this list of Frequently Asked Questions to fill in the gaps!
Frequently Asked Questions about InfoSec for the New Ecommerce Engine
What does FoxyCart do?
FoxyCart provides a shopping cart, checkout, and receipt process for Thought Industries customers.
FoxyCart does not actually perform the payment processing but instead connects to a payment processor gateway such as Stripe. The customer has a contract directly with the gateway payment processor which is outside their relationship with Thought Industries.
What type of Ti data (particularly PII) is processed or stored by or in Foxy?
Name (first, last), email, address
From Foxy.io PCI:
In order to minimize the risk of security incidents, we fully outsource all payment processing to Foxy.io. Foxy.io is PCI DSS (Payment Card Industry Data Security Standard) Compliant as a Level 1 Service Provider, and is listed on both Visa and MasterCard's global registries.
Anytime you submit payment information via our website, you are submitting through Foxy.io's secure infrastructure. If you opt to save your payment information during checkout, that information is stored at Foxy. We don't have access to your payment details except for the last 4 digits, the card type, and the expiration date.
For any data stored in Foxy, what types of deletion routines does Thought Industries maintain?
Thought Industries does not maintain any automated deletion jobs for Foxy data. Foxy will purge PII upon request in accordance with CCPA and GDPR requirements, acting as a data processor with Thought Industries as controller of that data.
In order to update, delete, or remove learner data, customers can open a Support ticket with Thought Industries, which will facilitate the process with Foxy.io.
What types of security checks or reviews did Thought Industries conduct on Foxy?
Thought Industries undertakes due diligence around the data privacy and security posture of potential Subprocessors prior to engagement. Our activities are designed to ensure that processing is only performed by entities with sufficient ability to meet data protection obligations.
Foxy maintains a robust information security posture and is a Level 1 PCI Compliant Service Provider listed on both Visa and MasterCard's registries. You can see their PCI Attestation Of Compliance (AOC) here:
What type of Data Processing Agreement is in place between Thought Industries and Foxy?
Thought Industries executes Data Security and Privacy Agreements that include Standard Contractual Clauses (SCCs) approved by the European Commission, with contractual obligations to meet the GDPR requirements. It further requires its Subprocessors to satisfy obligations equivalent to those required of Thought Industries (as a Data Processor).
Where (geography) does Foxy store or process data?
• us-east-1 almost exclusively
• custom shipping code is us-east-2
• gift card emails (currently) have some lambdas in eu-west-1