undefined | Better HN

0 pointsthinkingkong5y ago0 comments

Again, youre assuming internal controls exist implicitly. They dont. Theyre a risk exercise not a requirement.

0 comments

They have very loose controls at shopify - no ISMS, no standard key controls - bluntly, it’s a miracle they haven’t had much worse happen yet. They’re not even ISO27001 compliant or certified.

twunde5y ago

This may have been true in the past, however per https://www.shopify.com/security they are SOC2-certified (SOC2 is significantly more common in North America), they are certainly PCI Level 1, and have GDPR/CCPA compliance requirements. You can also see their 2019 Transparency Report: https://www.shopify.com/security/transparency-report/report-.... It is still possible that their SOC2 and PCI reports could have a number of exceptions, but I would be surprised at this point in their maturity cycle.

icedchai5y ago

Most small SaaS companies, the sort I have worked for, have literally zero controls for this sort of thing. I would expect more of a 100+ billion dollar company like Shopify, but frankly I am not surprised.

j / k navigate · click thread line to collapse

0 comments

madaxe_again5y ago

They have very loose controls at shopify - no ISMS, no standard key controls - bluntly, it’s a miracle they haven’t had much worse happen yet. They’re not even ISO27001 compliant or certified.

twunde5y ago

icedchai5y ago

j / k navigate · click thread line to collapse