Overview
TotalSeller treats information security as an operational responsibility. We apply administrative and technical safeguards designed to protect the confidentiality, integrity, and availability of information handled by the TotalSeller HUB.
Security practices are reviewed as the platform, risks, and legal requirements evolve. No system can guarantee absolute security, but we work to reduce risk and respond responsibly when issues arise.
Scope
This policy applies to the TotalSeller HUB platform, its public API, the public website, supporting infrastructure, and the people and service providers authorized to manage those resources.
Data protection
We use safeguards appropriate to the nature of the information processed. These include limiting data collection to operational needs, controlling access to production data, protecting credentials, and avoiding unnecessary exposure of sensitive information in application responses and public documentation.
Access control
Access is granted according to business need and the principle of least privilege. Privileged access is restricted to authorized personnel, and permissions may be reviewed, changed, or revoked when responsibilities change.
Authentication and credentials
The API requires authorized credentials. Tokens, keys, passwords, and other secrets must be treated as confidential and must not be committed to source code, exposed in client-side applications, or shared through insecure channels. Credentials may be rotated or revoked when needed.
Infrastructure and network security
Infrastructure is configured to limit unnecessary exposure. Network access, services, and administrative interfaces are restricted according to operational need. Security updates and configuration changes are assessed and applied based on risk.
Encryption and secure transmission
Public connections to the website and API are expected to use HTTPS with TLS. Sensitive credentials must not be transmitted over unencrypted channels. Where appropriate, secrets are stored using protective techniques that reduce exposure of their original values.
Logging and monitoring
Operational and security-relevant events may be logged to support troubleshooting, traceability, abuse detection, and incident investigation. Access to logs is restricted, and logs are not intended to store credentials or other secrets in plain text.
Backup and recovery
Backup and recovery procedures are maintained according to operational requirements. Recovery measures are designed to support service restoration and data integrity after failures or disruptive events. Backup access is restricted to authorized parties.
Incident response
Suspected security events are assessed, contained, investigated, and remediated according to their severity. When appropriate and legally required, affected parties and authorities may be notified. Lessons learned may be incorporated into technical and procedural improvements.
Secure software development
Security is considered throughout design, implementation, review, testing, and deployment. Practices may include input validation, access control checks, dependency review, code review, separation of environments, and controlled release procedures.
Third-party services
We may rely on service providers required to operate the platform. Providers are selected based on business and technical needs, and access is limited to the purpose for which the provider is engaged. Third-party services remain subject to their own security practices and terms.
Privacy and compliance
Personal data is handled in accordance with applicable privacy requirements and our Privacy Policy. This policy does not claim certification under any specific security standard.
Contact
To report a vulnerability or security concern, contact security@totalseller.com.br. Please provide enough detail for us to reproduce and assess the issue, and do not access, alter, or disclose data that does not belong to you.