Security Practices

5th Tree LLC

Effective: March 1, 2026

Updated: March 1, 2026

PART 1: Customer-Facing Security Summary

Information about how we protect your personal and payment data

Our Commitment to Security

At 5th Tree LLC, we understand that trust is fundamental to our relationship with you. We are committed to protecting your personal information and maintaining the highest standards of data security. Whether you shop online at 5thtree.com or interact with us in any capacity, your privacy and security are our paramount concerns.

We comply with all applicable federal and Massachusetts state laws, including 201 CMR 17.00, which requires us to maintain a comprehensive Written Information Security Program (WISP) to protect personal information of Massachusetts residents and other customers.

How We Protect Your Data

SSL/TLS Encryption (HTTPS)

Our entire website operates under secure HTTPS encryption. When you visit 5thtree.com, look for the padlock icon in your browser's address bar—this indicates that all communication between your device and our servers is encrypted and protected from interception.

Shopify's PCI-DSS Level 1 Compliance

We use Shopify to process and manage online payments. Shopify maintains PCI-DSS Level 1 certification, the highest level of payment card security. This means:

  • Your payment information is processed on Shopify's secure, certified infrastructure
  • All transactions meet strict Payment Card Industry Data Security Standards
  • Regular security audits and penetration testing are performed by independent third parties

Secure Payment Processing

We never store full credit card numbers or sensitive cardholder data. Shopify handles all payment processing through tokenization, which means:

  • Your complete card number is not stored on our servers
  • Only Shopify's secure payment gateways process card data
  • Your data is protected by advanced encryption algorithms
  • We comply with PCI-DSS requirements for all payment information

Access Controls & Limited Employee Access

We restrict access to personal customer data on a need-to-know basis:

  • Only authorized employees with legitimate business reasons can access customer information
  • All administrative access is logged and monitored
  • Employees receive regular security training and sign confidentiality agreements
  • Access is immediately revoked when an employee leaves the company

Regular Security Reviews

We regularly assess and update our security practices to address emerging threats and maintain the highest protection standards:

  • Quarterly reviews of access logs and security metrics
  • Annual risk assessments of our information systems
  • Ongoing monitoring of our Shopify and third-party service providers
  • Prompt application of security patches and updates

Your Role in Security

While we work hard to protect your data, you also play an important role in keeping your account and information secure.

Create Strong Passwords

  • Use a unique password for your 5th Tree account (don't reuse passwords from other sites)
  • Make your password at least 12 characters long and include uppercase letters, numbers, and symbols
  • Avoid using personal information, dictionary words, or predictable patterns
  • Change your password periodically, especially if you suspect compromise

Recognize & Avoid Phishing

  • Be cautious of emails asking you to verify account information or click suspicious links
  • Never provide your password to anyone, even if they claim to be from 5th Tree
  • Check email sender addresses carefully—scammers may use addresses that look similar to legitimate ones
  • When in doubt, go directly to 5thtree.com in your browser rather than clicking email links

Practice Secure Browsing Habits

  • Only access your account from secure, personal devices
  • Avoid using public Wi-Fi networks when logging into your account
  • Keep your browser and operating system updated with the latest security patches
  • Log out of your account when you're finished, especially on shared devices

Report Suspicious Activity

If you notice anything unusual with your account, please contact us immediately:

  • Unauthorized transactions or access attempts
  • Unexpected password change requests
  • Suspicious emails claiming to be from 5th Tree
  • Account information you don't recognize

Data Breach Notification

In the unlikely event that a security breach occurs and your personal information is compromised, we are committed to notifying you promptly in accordance with Massachusetts law (201 CMR 17.00) and other applicable regulations.

Our Notification Commitment

If a breach occurs affecting your personal information, we will notify you without unreasonable delay, and in no case later than 30 days after discovery of the breach.

What You'll Receive

Our notification will include:

  • A description of what information was compromised
  • The date the breach was discovered and notification date
  • Steps you should take to protect yourself
  • What 5th Tree is doing to address the breach
  • Contact information for questions and further assistance

Notification Methods

We will notify you via:

  • Email to the address on file with your account
  • Written mail to your last known address if contact via email is unsuccessful
  • Public notice if we cannot contact you through email or mail

We will also notify relevant Massachusetts authorities and credit reporting agencies as required by law.

PART 2: Written Information Security Program (WISP)

Massachusetts-Required Information Security Framework (201 CMR 17.00)

WISP Overview & Purpose

This Written Information Security Program (WISP) is required by Massachusetts law (201 CMR 17.00) for any business that owns, licenses, or maintains personal information about Massachusetts residents. The WISP establishes the framework, policies, and procedures for protecting personal information from unauthorized access, use, disclosure, and modification.

Purpose of the WISP

The WISP serves to:

  • Establish clear responsibility for data security within the organization
  • Identify and assess risks to personal information
  • Implement administrative, technical, and physical safeguards
  • Manage third-party service providers who handle personal information
  • Respond effectively to security breaches
  • Regularly review and update security practices

Scope of Application

This WISP applies to all personal information handled by 5th Tree LLC, including:

  • Customer names and contact information
  • Payment information (as processed through Shopify)
  • Order history and purchase records
  • Email addresses and communication records
  • Any other information that could identify a Massachusetts resident

Scope of Personal Information Covered

Personal information is any information that can be used to identify a specific individual, including but not limited to:

Category                 Examples
Identity Information     Name, date of birth, Social Security number
Contact Information      Email address, phone number, postal address
Payment Information      Credit card number, debit card number, banking information
Transaction Data         Purchase history, order details, payment history
Account Information      Account credentials, security questions, authentication tokens

This WISP covers all instances where 5th Tree LLC owns, licenses, or maintains any of the above information about Massachusetts residents or any individual with whom we conduct business.

Designated Security Coordinator

5th Tree LLC has designated a Security Coordinator responsible for overseeing and implementing the WISP. This individual is responsible for:

  • Development and maintenance of this WISP document
  • Oversight of all information security policies and procedures
  • Coordination of security assessments and risk evaluations
  • Management of employee security training and awareness
  • Response to security incidents and breaches
  • Liaison with third-party service providers on security matters
  • Regular reporting to management on security status
  • Annual WISP review and updates

Contact the Security Coordinator

For security-related inquiries, contact: 5thtreebazaar@gmail.com

Risk Assessment Procedures

5th Tree LLC conducts regular risk assessments to identify potential vulnerabilities and threats to personal information. Our risk assessment process includes:

Assessment Frequency

  • Annual Comprehensive Risk Assessment: Full evaluation of all systems, processes, and safeguards
  • Quarterly Reviews: Evaluation of new threats, technology changes, and compliance status
  • Event-Triggered Assessments: Immediate assessments following security incidents or significant system changes

Risk Assessment Components

  • System Inventory: Identification of all systems that collect, store, or process personal information
  • Vulnerability Identification: Assessment of technical vulnerabilities in hardware, software, and networks
  • Threat Analysis: Evaluation of internal and external threats to personal information
  • Impact Assessment: Analysis of the potential impact if personal information were compromised
  • Mitigation Planning: Development of strategies to reduce identified risks

Documentation & Reporting

All risk assessments are documented and include:

  • Identified risks and vulnerabilities
  • Risk probability and potential impact ratings
  • Recommended safeguards and remediation steps
  • Implementation timeline and responsible parties
  • Follow-up verification and testing

Administrative Safeguards

Administrative safeguards are policies and procedures that govern how personal information is managed and protected within our organization.

Employee Training & Awareness

All employees who have access to personal information receive:

  • Initial Training: Comprehensive security training upon hire, covering company policies, data handling procedures, and breach response
  • Annual Refresher Training: Ongoing education about current threats, new security practices, and compliance requirements
  • Role-Specific Training: Additional training for employees with direct access to sensitive data (e.g., customer service, payment processing)
  • Phishing Awareness: Regular education on recognizing and reporting phishing attempts

Access Management & Control

We implement strict controls on who can access personal information:

  • Need-to-Know Principle: Employees only access information necessary for their job duties
  • User Accounts: Each employee has unique login credentials; shared accounts are prohibited
  • Authentication: Strong passwords and multi-factor authentication for administrative access
  • Access Logs: All access to personal information is logged and reviewed regularly
  • Access Termination: All access is immediately revoked when an employee leaves the company or changes roles

Disciplinary Measures for Policy Violations

Any employee found to be violating security policies will be subject to disciplinary action, up to and including:

  • Written warnings
  • Suspension of system access
  • Mandatory additional training
  • Demotion or reassignment
  • Termination of employment

The level of discipline will be determined by the nature, severity, and frequency of the violation, as well as any resulting impact on the security of personal information.

Technical Safeguards

Technical safeguards are hardware, software, and network-based measures that protect personal information from unauthorized access and misuse.

Encryption

  • In Transit: All data transmitted to or from our website uses SSL/TLS encryption (HTTPS protocol)
  • At Rest: Sensitive data stored in databases is encrypted using industry-standard algorithms
  • Backup Data: All backup copies of personal information are encrypted
  • Key Management: Encryption keys are securely stored and accessed only by authorized systems

Firewall & Network Security

  • Firewalls: Managed firewalls protect our network from unauthorized external access
  • Intrusion Detection: Systems monitor for suspicious network activity and unauthorized access attempts
  • Network Segmentation: Systems containing personal information are isolated on secure network segments
  • Web Application Firewall: Protects our Shopify-based website from common web-based attacks
  • DDoS Protection: Mitigation measures prevent Distributed Denial of Service attacks

Authentication Protocols

  • Multi-Factor Authentication: Administrative accounts require multiple authentication factors
  • Password Requirements: Strong password policies require complexity and regular changes
  • Session Management: Automatic logout after periods of inactivity
  • API Security: Secure API authentication and authorization for integrations

Monitoring & Logging

  • Access Logs: All access to personal information is logged with timestamps and user identification
  • Security Event Logging: Failed login attempts, access denial, and anomalous activity are recorded
  • Log Review: Logs are reviewed regularly (at least quarterly) for suspicious patterns
  • Log Retention: Logs are retained for at least one year in encrypted storage
  • System Monitoring: Real-time monitoring of system performance and security metrics

Software Security

  • Patching: Security patches and updates are applied promptly to all systems
  • Version Control: Outdated software with known vulnerabilities is promptly replaced
  • Testing: Changes to systems are tested in non-production environments before deployment
  • Vendor Management: Third-party software providers are selected based on security track records

Physical Safeguards

Physical safeguards protect the hardware and facilities that store and process personal information from unauthorized physical access or damage.

Secure Storage of Records

  • Server Location: Our servers and systems are hosted with Shopify in secure data centers with multiple layers of physical security
  • Physical Access Control: Data centers employ badge access, biometric authentication, and video surveillance
  • Environmental Protection: Data centers are protected against fire, flooding, and other environmental hazards through redundant systems
  • Backup & Redundancy: Multiple backup locations ensure data availability even if primary systems fail

Office & Facility Security

5th Tree LLC office location: CambridgeSide Mall, Space E112, Boston, Massachusetts

  • Access Control: Office access is limited to authorized employees and visitors
  • Visitor Logging: All visitors are logged and required to wear visitor badges
  • Security Cameras: Video surveillance monitors office areas (excluding restrooms and private areas)
  • Alarm Systems: After-hours alarm systems monitor the office for unauthorized entry

Document & Record Disposal

  • Paper Records: Sensitive documents containing personal information are shredded (not discarded in regular trash)
  • Secure Destruction: A certified, bonded document destruction service is used for large volumes
  • Digital Destruction: Digital records are securely wiped using methods that prevent recovery
  • Retention Limits: Personal information is not retained longer than necessary for business purposes
  • Chain of Custody: Records of document destruction are maintained for compliance verification

Third-Party Service Provider Management

5th Tree LLC uses trusted third-party service providers to deliver products and services. We carefully manage these relationships to ensure personal information remains protected.

Primary Service Providers

Shopify
  Service: E-commerce Platform & Payment Processing
  Personal Information Handled: Customer names, addresses, email, payment data (tokenized)
  Security Standards: PCI-DSS Level 1, SOC 2 Type II, ISO 27001

Shopify Payments
  Service: Payment Gateway
  Personal Information Handled: Payment card information (tokenized)
  Security Standards: PCI-DSS Level 1, encryption, compliance monitoring

Email Service Provider
  Service: Customer Communications
  Personal Information Handled: Email addresses, communication records
  Security Standards: SSL/TLS encryption, SOC 2 compliance

Vendor Assessment & Selection

Before engaging any third-party service provider that handles personal information, we:

  • Conduct security assessments and reviews of their practices
  • Verify compliance certifications (e.g., SOC 2, ISO 27001, PCI-DSS)
  • Review their privacy policies and data handling procedures
  • Confirm they maintain adequate liability insurance
  • Assess their financial stability and longevity

Vendor Agreements & Contracts

All service provider agreements include:

  • Data Protection Clauses: Requirements for safeguarding personal information
  • Security Standards: Minimum security measures and compliance requirements
  • Audit Rights: Our right to audit their security practices and controls
  • Incident Notification: Obligation to report any security breaches affecting our data
  • Data Return/Destruction: Requirements to return or securely destroy data upon contract termination
  • Subcontractor Management: Requirement that they manage their own subcontractors with equivalent security standards

Ongoing Vendor Monitoring

  • Annual security assessment and compliance verification
  • Monitoring of vendor security news and breach reports
  • Review of vendor incident reports and security updates
  • Periodic audits and compliance reviews

Incident Response Plan

5th Tree LLC maintains a comprehensive incident response plan to detect, respond to, and remediate security breaches. Our goal is to minimize the impact on affected individuals and comply with all legal notification requirements.

Breach Detection

  • System Monitoring: Automated systems continuously monitor for unauthorized access and anomalous activity
  • Log Review: Security logs are reviewed at least weekly for suspicious patterns
  • Employee Reporting: Employees are trained to recognize and report suspicious activity
  • Third-Party Alerts: Shopify and other service providers alert us to any suspected breaches
  • Customer Reports: Customers can report suspicious activity via email or phone

Incident Response Team

Upon detection of a potential breach, an Incident Response Team is activated, including:

  • Security Coordinator (Lead)
  • Management representative
  • Technical staff responsible for affected systems
  • Legal advisor (as needed)
  • External security consultants (as needed)

Response Procedures

1. Containment (Immediate - 24 hours)

  • Isolate affected systems to prevent further compromise
  • Preserve forensic evidence and logs
  • Determine the scope and nature of the breach
  • Identify affected individuals and data

2. Investigation (1-7 days)

  • Conduct a thorough investigation of the breach cause
  • Document all findings and evidence
  • Determine if personal information was actually accessed or downloaded
  • Assess the risk of misuse of accessed data
  • Identify remediation steps to prevent recurrence

3. Notification (Within 30 days of discovery)

  • Prepare notification letters for affected individuals (if required)
  • Notify Massachusetts Attorney General (if breach affects MA residents)
  • Notify affected credit reporting agencies
  • Notify law enforcement (if appropriate)
  • Document all notification activities

4. Remediation & Recovery (Ongoing)

  • Implement all corrective measures identified during investigation
  • Strengthen security controls to prevent similar breaches
  • Update the WISP with lessons learned
  • Update employee training based on breach insights
  • Consider offering credit monitoring to affected individuals (if appropriate)

Communication Plan

In the event of a breach, we will communicate with affected parties via:

  • Email notifications to customer addresses on file
  • Written mail notifications if email contact is unsuccessful
  • Public notice on 5thtree.com if a breach affects a large number of customers
  • Media contact if required by law or if public interest demands transparency

Policy Review & Updates

This WISP is a living document that is regularly reviewed and updated to address emerging threats, technological changes, and evolving regulatory requirements.

Annual Review Schedule

  • Q1: Comprehensive WISP review and updates by Security Coordinator
  • Q2: Risk assessment update and mitigation review
  • Q3: Employee training effectiveness assessment
  • Q4: Vendor security compliance verification

Triggers for Interim Review

The WISP will be reviewed immediately upon:

  • Discovery of a security breach or incident
  • Identification of significant vulnerabilities or risks
  • Implementation of new systems or services handling personal information
  • Changes in applicable laws or regulations
  • Significant changes in business operations or organizational structure
  • Changes in third-party service providers

Update Process

  • Security Coordinator drafts proposed updates
  • Affected departments provide feedback and input
  • Updates are documented with date and change description
  • All employees are notified of significant policy changes
  • Updated WISP is communicated to relevant stakeholders
  • This page is updated to reflect the current version (see the Updated date at the top)

Document Retention

All versions of the WISP, risk assessments, and incident reports are retained for a minimum of 3 years to demonstrate compliance and ongoing commitment to data security.

Contact Information

For questions, concerns, or to report security issues related to this WISP or general data security:

5th Tree LLC

Address: CambridgeSide Mall, Space E112, Boston, Massachusetts
Website: www.5thtree.com
Security Coordinator: available via email at 5thtreebazaar@gmail.com

Massachusetts Attorney General

For breach-related complaints or inquiries, you may contact:

Massachusetts Attorney General
Consumer Protection Division
One Ashburton Place
Boston, Massachusetts 02108
Phone: (617) 727-8400
Website: www.mass.gov/ago

Report a Security Issue

If you discover a security vulnerability or have concerns about the security of your personal information, please contact us immediately at 5thtreebazaar@gmail.com or call our office. We take all security concerns seriously and will investigate promptly.
