Purpose and Commitment
Ptech Media is committed to maintaining the highest standard of information security to protect our systems, merchants, and end-consumer data. This policy outlines our technical and organizational measures to ensure the confidentiality, integrity, and availability of all data processed through our e-commerce automation and order management tools, particularly in compliance with TikTok US Data Security (USDS) requirements.
Every feature we build is designed with security and data privacy as core requirements, not afterthoughts. Our engineering practices follow industry security frameworks including OWASP, NIST, and applicable regional data protection laws.
Data Encryption and Storage
In-Transit Encryption
All communications between our applications, third-party APIs (such as TikTok Shop), and client browsers are encrypted using modern cryptographic protocols (TLS 1.2 or higher) over HTTPS. Unencrypted HTTP connections are automatically redirected to HTTPS at the server level.
At-Rest Encryption
All sensitive information, including Personally Identifiable Information (PII), is encrypted at rest using industry-standard AES-256 encryption. Encryption keys are managed using dedicated key management services and are rotated on a regular schedule.
Data Residency
To comply with regional data governance and TikTok USDS requirements, all US order data and PII are stored and processed exclusively on secure, US-based cloud infrastructures. Data is not transferred to or processed by infrastructure outside the United States without explicit authorization and appropriate safeguards.
Our data residency and encryption practices are designed to meet TikTok's US Data Security requirements, ensuring that US merchant and consumer data remains protected and within US jurisdiction at all times.
Access Control and Authentication
Principle of Least Privilege
Access to production environments, databases, and customer data is strictly restricted. Personnel are granted only the minimum access rights necessary to perform their authorized duties. Access rights are reviewed quarterly and revoked immediately upon role change or termination.
Multi-Factor Authentication (MFA)
MFA is strictly enforced for all internal staff across all critical infrastructure, databases, and internal administrative dashboards. Hardware security keys are required for access to production systems containing PII.
Network Segregation
Our production network is completely isolated from development and testing environments. Cloud firewalls are implemented to restrict inbound traffic to essential ports only. All database servers are deployed within private subnets with no direct public internet exposure.
- Role-based access control (RBAC) enforced across all internal systems
- All privileged access sessions are logged and monitored
- SSH key-based authentication required; password authentication disabled on all servers
- VPN required for remote access to internal infrastructure
Vulnerability and Threat Management
Continuous Monitoring
We employ automated tools to continuously monitor our infrastructure for unauthorized access or suspicious activities. Alerts are configured to notify our security team immediately upon detection of anomalous behavior, failed login attempts, or unusual data access patterns.
Patch Management
Our engineering team regularly audits system dependencies and applies essential security patches to our server operating systems and software libraries to mitigate emerging threats. Critical security patches are applied within 24 hours of release; non-critical patches within 30 days.
Endpoint Security
All company-issued workstations accessing our network are required to have active, updated anti-malware and anti-virus protection. Full disk encryption is enforced on all endpoints. Mobile Device Management (MDM) software monitors all devices for compliance.
We conduct periodic security assessments and penetration tests of our platform and APIs. Critical findings are remediated within 72 hours; high-severity findings within 7 days.
Data Retention and Deletion
We only retain customer data for as long as it is necessary to provide our fulfillment and customer relationship management services. Our data retention schedule is as follows:
- Order and transaction data: Retained for the duration of the service agreement plus 90 days for dispute resolution
- Personal Identifiable Information (PII): Retained only while the merchant account is active
- Log data: Retained for 90 days for security monitoring purposes
- Backup data: Encrypted backups retained for 30 days with automated deletion
Upon the termination of a service agreement or merchant uninstallation of our application, all associated PII is securely and permanently deleted from our active databases and backups within 30 days. A deletion confirmation certificate is available upon request.
When a merchant disconnects our application (including via TikTok Shop's authorization.removed webhook), our system automatically initiates the data deletion process. No manual intervention is required — data is purged from all production systems and backups within 30 days.
Incident Response
Ptech Media has an active Incident Response Plan (IRP) designed to rapidly identify, contain, and remediate security incidents. Our incident response follows a structured 5-phase approach:
- Detection & Analysis — Automated monitoring alerts are triaged by our security team within 15 minutes of trigger
- Containment — Affected systems are isolated immediately to prevent lateral movement
- Eradication — Root cause is identified and eliminated; affected credentials are rotated
- Recovery — Systems are restored from verified clean backups; additional monitoring deployed
- Post-Incident Review — A full incident report is produced within 5 business days
In the event of a security breach or unauthorized data exposure, we are committed to notifying:
- Affected merchants and partners (e.g., TikTok Shop) within 72 hours of confirmed breach discovery
- Relevant regulatory authorities in accordance with applicable data protection laws (GDPR, CCPA, etc.)
- Affected end-consumers where their PII has been compromised
If you discover a security vulnerability in our systems, please report it responsibly to [email protected]. We commit to acknowledging all reports within 24 hours and working with researchers in good faith.
Contact Information
If you have any questions regarding this Information Security Policy or wish to report a security concern, please contact our security team:
Company
Ptech Media
This Security Policy is reviewed and updated annually, or more frequently following significant changes to our technical infrastructure or applicable regulations. The most current version is always available at ptechgo.com/security-policy.