Data Protection & Security
Exodus Enterprises (“Exodus”, “we”, “us”) designs, operates, and continuously improves layered security and privacy controls to protect data processed through exoclub.com and our supporting systems. This page explains—at a practical and highly detailed level—how we safeguard data: our technical and organizational measures (TOMs), governance, vendor oversight, incident response, resiliency, and secure development lifecycle.
Security Posture Snapshot
How this page relates to our GDPR Notice
Our GDPR Compliance & Data Protection page covers why we process data and your rights. This Data Protection & Security page focuses on the controls we use to keep data secure and resilient (encryption, access control, logging, vendor risk, incident response, backups, and more). Both documents work together.
1. Scope, platforms, and audience
This page covers security controls for personal data and confidential business information processed via:
- Web & Ecommerce: WordPress + WooCommerce; Vercel for hosting/CDN/edge delivery.
- CRM & Marketing: Salesforce Sales Cloud; Pardot/Account Engagement; Klaviyo.
- Payments: Authorize.net (gateway); Chargent (Salesforce) as payment orchestration; we do not store full card numbers.
- Analytics & Insight: Google Analytics (with consent), PostHog (with consent).
- Telephony & Messaging: Nextiva (phone/VoIP), optional client channels (WhatsApp, iMessage) on request.
- Electronic Signatures: DocuSign for contracts, agreements, and authorized documents.
- Infrastructure/Processing: AWS and Hetzner for analytics jobs, storage tiers, and internal operations.
- Fulfillment & Delivery: carriers, courier networks, 3PLs, label/track platforms (proof-of-delivery where lawful).
- Manufacturing/Co-Marketing: selected partners including in China (limited, purpose-bound data exchange).
This page primarily addresses users in EEA/UK and customers with heightened compliance needs. For the legal bases and international safeguards, see our GDPR page.
2. Data classification and handling standards
We classify data into handling tiers that dictate storage, access, logging, and retention:
- Tier A — Personal Data (Customer): identity/contact, orders, delivery and PoD artifacts (minimized), consent preferences, limited technical telemetry.
- Tier B — Sensitive Business Verification (B2B/Wholesale): shop information, EIN/tax IDs, reseller permits, and government IDs where required for eligibility verification (nicotine/regulated goods).
- Tier C — Payment Interaction Metadata: tokens, authorization responses, and chargeback artifacts (no full PANs).
- Tier D — Operational Logs: application, infrastructure, and security logs that may include pseudonymized identifiers.
- Tier E — Confidential Business Information: commercial and vendor contracts, product documentation, partner coordination.
Key rules apply across tiers: minimization, purpose limitation, need-to-know access, and defense-in-depth.
| Category | Examples | Storage & Access | Notes |
|---|---|---|---|
| Tier A — Personal Data | Name, email, shipping address, consent flags, order metadata | Encrypted at rest; access controlled; audited | Subject to GDPR/UK GDPR rights; PoD minimized & time-limited |
| Tier B — Business Verification | Shop info, EIN/tax IDs, reseller permits, government ID (when required) | Encrypted vaults with strict RBAC & dual-control access | Retained to evidence eligibility & legal compliance; see retention |
| Tier C — Payment Metadata | Payment tokens, authorization results, refunds/chargebacks | Gateway/PSP tokenization; Exodus stores no full PANs | PCI alignment via PSP/gateway; incident runbooks in place |
| Tier D — Operational Logs | Auth events, API traces, security alerts, infra metrics | AWS/Hetzner encrypted stores with lifecycle policies | Pseudonymized where feasible; retention bounded |
| Tier E — Confidential Business | Contracts, partner files, product docs | Encrypted repositories; limited roles; immutable archiving for records | Signed NDAs & supplier due diligence required |
3. Cryptography and key management
- In transit: TLS (HTTPS) across public endpoints and secure service-to-service communications.
- At rest: AES-256 (or equivalent) for databases, object stores, and backups where applicable.
- Tokenization: Payment credentials are handled by Authorize.net and Chargent; Exodus does not store full PANs.
- Key governance: Cloud-native KMS/HSM for key material, role-segregated operations, key rotation, and limited custody.
- Secrets hygiene: secrets vaulting, short-lived session tokens, automated rotation where feasible.
4. Identity, access, and authorization
- Least privilege & RBAC: role-based entitlements, regular access reviews, emergency access break-glass with approval trails.
- MFA: enforced for admins and privileged roles across cloud, CRM, and gateways.
- Network boundaries: IP allowlists for admin consoles; VPC segmentation and security groups.
- Session controls: short cookies, device posture verification where supported, mandatory logout on role changes.
- Vendor access: constrained to ticketed, time-bound windows with logging.
5. Secure development lifecycle (SSDLC)
- Design reviews & threat modeling for new features (privacy-by-design).
- Static/dynamic analysis in CI for core code bases; dependency scanning.
- Change control: peer reviews, CI checks, staged rollouts, canary deploys on Vercel/AWS.
- Secrets in CI: masked variables, OIDC-based credentials where supported.
- Post-deploy verification: health checks, error budgets, and guardrail alerts.
6. Logging, monitoring, and detection
- Centralized logging across apps, infrastructure, and security events; time-sync and tamper-evident storage where feasible.
- Use-case detections: anomalous admin activity, repeated auth failures, token abuse, suspicious payment patterns, fraud signals.
- Alerting: severity-based routing to on-call responders; clear runbooks.
- Retention: bounded by use case and law; logs in AWS/Hetzner use lifecycle policies.
7. Backup, continuity, and disaster recovery
- Backups: versioned, encrypted backups for critical data stores; periodic restore testing.
- DR strategy: region-level redundancy where applicable; documented RTO/RPO targets by system class.
- BIA alignment: business impact analysis maps systems to RTO/RPO and communication flows.
- Runbooks: failover, restore, and rollback runbooks tested during game-days.
| System | RTO Target | RPO Target | Backup Method | Notes |
|---|---|---|---|---|
| WooCommerce DB | ≤ 8 hours | ≤ 1 hour | Encrypted snapshots + daily full | Order integrity validated post-restore |
| Salesforce (CRM) | SaaS provider SLA | SaaS provider SLA | Provider-level; exports for critical objects | Chargent tokens validated via gateway |
| Klaviyo | SaaS provider SLA | SaaS provider SLA | Provider; contact list exports | Consent logs preserved |
| Analytics (AWS/Hetzner) | ≤ 24 hours | ≤ 4 hours | Object storage with lifecycle | Non-critical; privacy-filtering enforced |
8. Vendor and partner risk management
We maintain a vendor inventory with roles, DPAs, SCCs/IDTA where applicable, and risk tiers. New engagements undergo diligence; high-risk vendors receive enhanced review.
| Category | Examples | Role | Key Safeguards |
|---|---|---|---|
| CMS & Ecommerce | WordPress, WooCommerce | Processor | DPA; SCCs/IDTA; Automattic privacy |
| Hosting/CDN/Edge | Vercel | Processor | DPA; SCCs/IDTA; edge hardening |
| Cloud IaaS / Analytics Jobs | AWS, Hetzner | Processor | DPA; SCCs/IDTA; encryption; access restriction |
| CRM & Marketing | Salesforce, Pardot/AE, Klaviyo | Processor | DPA; SCCs/IDTA; role-segregated access |
| Payments & Orchestration | Authorize.net, Chargent | Processor | PCI alignment via PSP; tokenization; DPA |
| Analytics/Insights | Google Analytics, PostHog | Processor | Consent-gated; opt-out options; minimized events |
| Telephony | Nextiva | Processor | DPA; SCCs/IDTA; see Phone Policy |
| Electronic Signatures | DocuSign | Processor | DPA; SCCs/IDTA; audit trails; encryption |
| Messaging (optional) | WhatsApp, iMessage | Independent Platforms | E2EE for content; platform policies; metadata may be processed |
| Fulfillment & Carriers | Carriers, 3PLs, label/track | Processor | Minimized delivery data; PoD controls |
| Manufacturing/Co-Marketing | Select partners incl. China | Independent/Joint Controller | SCCs/IDTA + PIPL/CAC; opt-in for independent marketing |
For international transfers and China-specific PIPL/CAC obligations, see International Data Transfers below and the GDPR page.
9. Telephony & messaging channels
Channel choice and consent
You can choose not to use WhatsApp or iMessage and may request email or phone only. Core order communications do not require these optional channels.
- Nextiva (VoIP/Contact Center): operational call data is secured per Nextiva’s platform controls; call recording, if enabled, follows our Phone Policy (purpose, access, retention).
- WhatsApp: end-to-end encryption for content; platform metadata processed by WhatsApp/Meta per their policy. Use is optional and consent-based.
- iMessage: end-to-end encryption for content; Apple service metadata may be processed per Apple’s policy. Use is optional and consent-based.
10. Business verification and regulated orders (B2B)
For wholesale/regulated purchases (e.g., nicotine), we may collect and retain shop information, EIN/tax IDs, reseller permits, and—where required—government ID for authorized buyers. This data is stored in encrypted vaults with strict RBAC, access logging, and dual-control for sensitive record exports. Retention is tied to statutory obligations and limitation periods; see Retention.
11. Analytics and privacy controls
Analytics is consent-gated:
- Google Analytics: see google.com/intl/en/policies/privacy/ and opt-out at tools.google.com/dlpage/gaoptout. Configured with IP controls and limited retention where available.
- PostHog: see posthog.com/privacy. We prefer masking, minimal event properties, and shorter retention.
- Preference withdrawals: your cookie banner choices prevail; you can withdraw at any time.
12. International data transfers
Where data moves outside the EEA or UK, including to the US and China:
- EU: Standard Contractual Clauses (SCCs) 2021/914.
- UK: International Data Transfer Agreement (IDTA) or UK Addendum to SCCs.
- Supplementary measures: encryption, minimization, access controls, and Transfer Impact Assessments.
- China (PIPL/CAC): partners/processors adhere to CAC standard contracts or security assessments when required; these are in addition to EU/UK safeguards for EEA/UK data.
For the detailed legal framework, see our GDPR page.
13. Retention and destruction
We retain data only for as long as necessary for the purpose collected or as required by law. We apply lifecycle policies in AWS/Hetzner and system-specific schedules for SaaS platforms. After expiry, records are securely deleted or anonymized.
| Data Type | Typical Retention | Rationale |
|---|---|---|
| Customer Account | Active account + 2 years | Account servicing; post-closure support window |
| Orders & Invoices | 7–10 years (jurisdiction dependent) | Tax/accounting & consumer law |
| Business Verification (EIN/Permits/ID) | Statutory eligibility period + claims limitation (typically 5–10 years after last transaction) | Regulated-goods evidence; legal defense |
| Payment Metadata (tokens, auth results) | Aligned to gateway/PSP needs and legal requirements | Disputes/chargebacks; fraud analysis |
| PoD Artifacts | Until delivery disputes/claims windows close, then minimized | Proof of delivery; consumer protection |
| Support Tickets | 3 years | Service quality & dispute context |
| Security/Access Logs | 1 year | Forensics and auditability |
14. Training, awareness, and confidentiality
All personnel handling Tier A/B/C data complete onboarding and annual training on security, privacy, phishing awareness, and incident response. Personnel sign confidentiality undertakings and follow acceptable-use standards. Access is revoked on role change or exit.
15. Incident management and breach notification
We operate an end-to-end incident response program: prepare → detect → contain → eradicate → recover → learn.
| Phase | Primary Actions | Typical Timelines |
|---|---|---|
| Detection | 24×7 alerting from SIEM/monitoring; suspicious activity triage | Immediate to 1h |
| Containment | Isolate accounts/resources; rotate credentials; block indicators | 1–4h |
| Eradication | Remove malware/backdoors; patch vulnerabilities; harden configs | ASAP post-containment |
| Recovery | Restore from backups; validate integrity; monitor for recurrence | Per runbook/RTO |
| Notification | Assess impact; if personal data breach and risk likely, notify authorities and affected individuals under GDPR Arts. 33–34 | Supervisory authority within 72h where required |
| Lessons | Root-cause analysis; control improvements; documentation updates | Post-incident window |
If a breach of personal data presents a risk to individuals, we notify the competent supervisory authority; if risk is high, we also notify affected individuals without undue delay. Notifications are fact-based and include mitigation guidance.
16. Contacting us about security or privacy
Website: exoclub.com
Email: support@exoclub.com
Phone: 1-833-271-2956
Headquarters (Mailing)
1712 Pioneer Ave, Ste 105
Cheyenne, WY 82001, USA
California Office (No in-person retail)
7535 Irvine Center Dr, Suite 200
Irvine, CA 92618, USA
For rights, legal bases, and supervisory contacts, see our GDPR Compliance & Data Protection page.
17. Changes to this page
We update this page as our controls evolve or laws change. Material changes will be reflected here with a new effective date and, where relevant, communicated through appropriate channels.
Effective date: September 30, 2025
Version: 1.0