GSA Commercial Platforms - Learn more

Data Protection & Security

Data Protection

G-Commerce by Social Glass, Inc. is committed to providing a secure marketplace experience for all users, including government entities. We adhere to Federal data and information privacy laws and regulations, ensuring compliance through robust data encryption mechanisms integrated into our platform and outlined in our Terms of Service.

Security Measures

Our platform incorporates multiple layers of protection against common threats such as SQL injections (SQLi), cross-site scripting (XSS), and cross-site request forgery (CSRF). We employ DNS and DDoS Protection, Artificial Intelligence Firewall, daily automated backup, secure account isolation, and leverage our defense network to counteract various forms of malicious activity. Data encryption and single sign-in functionality further safeguard user information. Payment processing is handled by PCI-compliant provider Stripe, with payment information fully encrypted.

Access Controls

Access to our systems is strictly regulated through single sign-in accounts with granular permissions. Two-factor authentication is mandatory for users, including our staff. Personnel controls include pre-employment criminal background checks, security training post-employment, and Role Based Access Control (RBAC) management during employment. Upon termination, all accounts and company information are promptly transferred to Social Glass, Inc., with confidentiality maintained through employment agreements and post-employment confidentiality parameters.

Insurance Coverage

G-Commerce is covered by our Cybersecurity Insurance Policy, offering protection against security incidents such as hacking, viruses, data theft, and inadvertent loss of personal information.

Government Contract Compliance

In terms of our work with the General Services Administration (GSA) Commercial Platforms Program and other government agencies, G-Commerce only discloses data to authorized government personnel or with written approval from the Contracting Officer. Proprietary data obtained under contract will not be used, disclosed, or reproduced except as necessary for contract performance. Additionally, government spending data will not be utilized for pricing, marketing, or other purposes beyond contract requirements.

Protection of Government Order Information

G-Commerce is committed to maintaining the confidentiality of product order information that identifies the government as the purchaser. Such information will not be sold or disclosed to third parties except as required for order processing purposes.

Protecting financial data from theft/fraud

All credit card payment information is managed by our payment processor, Stripe, which is PCI compliant and is certified as PCI Level 1 Service Provider, enabling fully encrypted payment information transmission for all transactions. All credit card transactions are conducted within our platform without redirection to another website. We maintain organizational, technical, and administrative measures designed to protect financial information against unauthorized access, destruction, loss, alteration, or misuse. In particular, all data associated with financial accounts is encrypted in transit and at rest. Because of the sensitive nature of this information, it is also protected by additional access controls, along with ongoing monitoring to prevent data misuse. 

Defense against cyber attacks

G-Commerce is protected against cyber-attacks through our comprehensive cybersecurity strategy involving a combination of preventive measures, monitoring, and response mechanisms, including: 

1) Secure Software Development: We use secure coding practices and conduct regular code reviews to identify and fix vulnerabilities early in the development process; 

2) User Authentication and Authorization: We have authentication mechanisms implemented, including multi-factor authentication (MFA), to ensure that only authorized users can access sensitive areas of our platform; 

3) Encryption: We encrypt sensitive data, both in transit and at rest. We use HTTPS protocols for data transmission and industry-standard encryption algorithms for storing sensitive information; 

4) Regular Software Updates and Patch Management: We keep our software, operating systems, and third-party libraries up-to-date, and regularly apply security patches and updates to protect against known vulnerabilities; 

5) Firewalls and Intrusion Detection/Prevention Systems: We have firewalls set up to monitor and control incoming and outgoing network traffic, and employ intrusion detection and prevention systems to detect and stop suspicious activities in real-time. We also have comprehensive logging and monitoring systems to track user activities, detect anomalies, and respond to potential security breaches promptly; 

6) Regular Security Audits and Vulnerability Assessments: We conduct regular security audits and vulnerability assessments to identify weaknesses in our system, and 

7) Employee Training and Awareness: We educate our employees about cybersecurity best practices and potential threats, such as phishing and social engineering attacks. We limit access to sensitive data and critical systems by assigning user roles and privileges based on the principle of least privilege.

Compliance with information security standards

G-Commerce complies with the industry's most rigorous information security standards, ensuring the security and privacy of our platform and user data. Very specifically, G-Commerce adheres to the PCI DSS requirements through our integration with Stripe, and aligns with the NIST (National Institute of Standards and Technology) Cybersecurity Framework through our integrations with Google Cloud, which is FedRAMP certified. Following best practices in the implementation of Google’s public sector products and solutions.

Data storage

G-Commerce manages data storage using various approaches and technologies. As a cloud-based platform, data is stored in our cloud service providers, offering a secure, scalable and reliable infrastructure for object storage, file storage and database storage. We use relational database management systems (RDBMS) to store structured and unstructured data, including MySQL and PostgreSQL. This is complemented by the CDNs we use to efficiently distribute and cache static content, such as images, videos, and other media files, to reduce latency and improve user experience. G-Commerce also uses Hadoop Distributed File System (HDFS) to provide scalable and fault-tolerant storage. Regular data backups are performed to prevent data loss due to accidental deletion or system failures. We implement access controls, data retention policies, and audit trails to meet compliance requirements, and use monitoring and analytics tools to track data usage, performance metrics, and system health. These insights help optimize our storage resources and identify potential issues proactively.

Vulnerability assessments/monitoring

We manage vulnerability assessments/monitoring through a combination of automated tools, manual processes, and a dedicated security team. We work to proactively identify and address potential security weaknesses, protect user data, and prevent cyber threats. For this we employ automated vulnerability scanning tools that regularly scan our infrastructure, applications and systems for known security vulnerabilities. These tools check for weaknesses in new software versions, configuration settings, and potential misconfigurations. We also conduct periodic penetration testing to simulate real-world attacks and identify potential security weaknesses that automated tools might miss and provide detailed reports to help address any identified issues. We also deploy Intrusion Detection/Prevention Systems (IDS/IPS) solutions to detect and prevent potential intrusions or suspicious activities in real-time. These systems automatically alert our administrators about potential threats. G-Commerce uses File Integrity Monitoring (FIM) tools to monitor critical files and directories for unauthorized changes, helping identify potential security breaches or unauthorized access.

Encryption

G-Commerce encodes sensitive information in a way that can only be decoded and understood by authorized parties. Our platform uses secure communication protocols such as HTTPS (Hypertext Transfer Protocol Secure) for data transmission. HTTPS encrypts data during transit using Transport Layer Security (TLS). This ensures that sensitive information, such as login credentials, is protected while being exchanged between our users and servers. We implement end-to-end encryption, ensuring that only the authorized user can access their login credentials, even our platform administrators cannot decrypt the content. To handle financial transactions securely, we rely on our payment processors’ encryption to protect payment information. Payment card data, bank details, and other sensitive financial information are encrypted to prevent unauthorized access or data theft. Secure hashing algorithms are employed to safeguard passwords stored in our databases. Lastly, we use secure key management systems to generate, store, and rotate encryption keys regularly.

Disaster recovery

We utilize cloud-based disaster recovery services by Google Cloud. We handle disaster recovery through a comprehensive disaster recovery plan, ensuring business continuity and data resilience in the face of catastrophic events or disruptions. Our plan focuses on minimizing downtime, data loss, and the impact on users. We have a dedicated incident response team ready to respond quickly and effectively to platform incidents. In the event of a disaster, we conduct a business impact analysis to identify critical systems and data. This analysis helps prioritize our recovery efforts. G-Commerce has a Recovery Time Objective (RTO) of less than 24 hours, which represents the maximum acceptable downtime. Our platform uses load balancing, failover mechanisms, and distributed architectures to ensure continuous service availability. Regular and automated data backups are performed to ensure that critical data is protected and can be restored in case of data loss. We also maintain a separate and geographically distant Disaster Recovery Site (DR Site) which serves as a backup location where services can be quickly restored in the event of a disaster affecting our primary site. We continuously monitor our infrastructure and systems for signs of potential disasters or failures, and automated alerts are triggered when unusual activities are detected.

Network Monitoring

We conduct continuous monitoring of our networks to detect unusual activities or potential security breaches. We use Security Information and Event Management (SIEM) tools to centralize and analyze our network logs from various sources, providing real-time visibility into network traffic, devices, and performance metrics. These tools can track various network parameters, such as bandwidth utilization, latency, packet loss, and response times. We also analyze network traffic to identify patterns, anomalies, and potential bottlenecks. This helps detect unusual or suspicious activities that may indicate security incidents or network performance issues. We have automated alerting mechanisms set up to notify our network administrators about critical network events, such as device failures, high traffic volume, or security breaches. We monitor network devices, such as routers, switches, firewalls, and load balancers, to ensure they are functioning correctly and within acceptable performance thresholds, and analyze network metrics and traffic patterns. We also monitor user experience and performance from different locations to ensure a consistent and satisfactory user experience across various regions, and generate detailed logs and audit trails for troubleshooting and compliance analysis. Lastly, G-Commerce has DDoS protection features to detect and mitigate DDoS attacks in real-time, safeguarding our platform’s network from disruption.

Section 889 of the National Defense Authorization Act (Section 889)

Section 889 of the National Defense Authorization Act (NDAA) is intended to combat national security threats that face the United States and contains two key restrictions, "Part A" and "Part B". Part A prohibits federal government agencies from obtaining (through a contract or other instrument) certain telecommunications and video surveillance equipment or services produced by the following companies:

  1. Dahua Technology Company
  2. Hangzhou Hikvision Digital Technology Company
  3. Huawei Technologies Company
  4. Hytera Communications Corporation
  5. ZTE Corporation

and their subsidiaries and affiliates. Part B prohibits federal government agencies from contracting with any entity that uses certain telecommunications equipment or services produced by these companies as a substantial or essential component of any system.

G-Commerce 889 Compliance

Social Glass Inc. (the legal entity that owns and operates G-Commerce) is a registered company in the federal government's System for Award Management (SAM). As part of our SAM registration, we certified that we will not provide any covered telecommunication and video surveillance equipment in the performance of our contracts. Also, we do not use any covered telecommunication equipment as a substantial or essential component of any system.

Our SAM representations and certifications are limited to our capacity as the operator of G-Commerce. These representations and certifications do not apply to the offer and sale of those third-party goods, software, and services.

You can access our SAM certifications relating to Section 889 on www.sam.gov and here.

Third-party Section 889 compliance

There are third-party vendors on G-Commerce who are compliant with Section 889 using our Vendor Certification Program. You can look in our Vendor Verification to identify the vendor's certifications. If the vendor has certified compliance with Section 889, the vendor's 889 Certification will appear under the vendor's profile, under the documentation tab. You can preview and download the vendor's 889 certification form (or the vendor's SAM registration if the vendor is registered in SAM).

Other Sourcing Requirements

In addition to Section 889, government agencies are prohibited from using hardware, software, or services developed or produced by Kaspersky Lab under Section 1643 of the NDAA or from contracting for any covered article or any products or services produced or provided by a source set out in an applicable Federal Acquisition Supply Chain Security Act (FASCSA) order. Third party vendors on G-Commerce do not provide certifications for these restrictions since they are not required by government contractors in SAM, so we use technical solutions to assist government agencies with not purchasing Kaspersky Lab products or covered articles or products or services produced by a named source under FASCSA orders.

As with Section 889, our representations and certifications are limited to our capacity as the operator of G-Commerce. G-Commerce provides access to purchase goods, software, and services from a variety of parties, including G-Commerce and third parties. These representations and certifications do not apply to the offer and sale of those third-party goods, software, and services.

Certification process

Obtaining the 889 certification is a simple and straightforward process. Here's a quick breakdown of the steps:

  • Step 1: Complete the 889 Self-Certification Form found here.
  • Step 2: Upload the 889 Self-Certification Form to your Vendor Dashboard (you must have an active account to access).

Prohibited Items List

To ensure the safety and integrity of our marketplace, products and services from the following companies are strictly prohibited:

  • Kaspersky Labs
  • Dahua Technology Company
  • Hangzhou Hikvision Digital Technology Company
  • Huawei Technologies Company
  • Hytera Communications Corporation
  • ZTE Corporation

Additionally, the sale or promotion of items containing any of the following keywords is also banned due to their sensitive nature:

  • Narcotics: Marijuana, Cocaine, Heroin, LSD, Methamphetamine, Ecstasy
  • Counterfeit and Stolen Items: Fake currency, Stolen goods
  • Illegal Wildlife Products: Ivory, Endangered species, Animal parts
  • Explosives and Hazardous Materials: Explosives, Fireworks, Toxic, Hazardous, Radioactive, Asbestos
  • Weapons and Self-defense Items: Firearm, Ammunition, Bullet, Knife, Switchblade, Taser, Stun gun, Pepper spray
  • Adult Content and Services: Porn, XXX, Adult, Sex, Escort, Nude, Erotic
  • Controlled Substances: Alcohol, Liquor, Wine, Tobacco, Cigarettes, Cigar, Vape, Prescription, Steroids
  • Imitation and Fraudulent Goods: Fake, Replica, Counterfeit, Knockoff, Bootleg
  • Human and Biological Products: Human organs, Body parts, Blood, Sperm, Egg donation
  • Hate Speech and Extremism: Hate, Racist, Nazi, Swastika, Ku Klux Klan, Terrorist, ISIS, Extremist
  • Illegal Services: Escort, Prostitution
  • Gambling and Betting: Gambling, Betting, Lottery
  • Banned and Restricted Items: Recalled, Banned, Restricted
  • Privacy and Security Breaches: Privacy breach, Data leak

Any listing or keyword search associated with these categories will be promptly removed, and necessary actions will be taken to ensure compliance with our marketplace policies. Thank you for helping us maintain a safe and trustworthy environment for all users.

Contact Information

If you have any questions about G-Commerce's Data Protection & Security details, you may contact us at [email protected].

Last update: June 4th, 2024.